github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 03:33:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #126538 from SataQiu/validate-20240805

Browse Source 
kubeadm: add a validation warning when the certificateValidityPeriod is more than the caCertificateValidityPeriod
This commit is contained in:
Kubernetes Prow Robot 2024-08-13 22:11:03 -07:00 committed by GitHub
commit 62cd87e839
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/kubeadm/app/apis/kubeadm/validation/validation.go
View File

@ -783,7 +783,7 @@ func ValidateUpgradeConfiguration(c *kubeadm.UpgradeConfiguration) field.ErrorLi
return allErrs return allErrs
} }
// ValidateCertValidity validates if the values for cert validity are too big // ValidateCertValidity validates if the values for cert validity are too big or don't match
func ValidateCertValidity(cfg *kubeadm.ClusterConfiguration) []error { func ValidateCertValidity(cfg *kubeadm.ClusterConfiguration) []error {
var allErrs []error var allErrs []error
if cfg.CertificateValidityPeriod != nil && cfg.CertificateValidityPeriod.Duration > constants.CertificateValidityPeriod { if cfg.CertificateValidityPeriod != nil && cfg.CertificateValidityPeriod.Duration > constants.CertificateValidityPeriod {
@ -796,5 +796,12 @@ func ValidateCertValidity(cfg *kubeadm.ClusterConfiguration) []error {
errors.Errorf("caCertificateValidityPeriod: the value %v is more than the recommended default for CA certificate expiration: %v", errors.Errorf("caCertificateValidityPeriod: the value %v is more than the recommended default for CA certificate expiration: %v",
cfg.CACertificateValidityPeriod.Duration, constants.CACertificateValidityPeriod)) cfg.CACertificateValidityPeriod.Duration, constants.CACertificateValidityPeriod))
} }
if cfg.CertificateValidityPeriod != nil && cfg.CACertificateValidityPeriod != nil {
if cfg.CertificateValidityPeriod.Duration > cfg.CACertificateValidityPeriod.Duration {
allErrs = append(allErrs,
errors.Errorf("certificateValidityPeriod: the value %v is more than the caCertificateValidityPeriod: %v",
cfg.CertificateValidityPeriod.Duration, cfg.CACertificateValidityPeriod.Duration))
}
}
return allErrs return allErrs
} }

13
cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
View File

@ -21,6 +21,7 @@ import (
"os" "os"
"strings" "strings"
"testing" "testing"
"time"
"github.com/spf13/pflag" "github.com/spf13/pflag"
@ -1585,6 +1586,18 @@ func TestValidateCertValidity(t *testing.T) {
}, },
expectedErrors: 2, expectedErrors: 2,
}, },
{
name: "one error from mismatched durations (CertificateValidityPeriod > CACertificateValidityPeriod) ",
cfg: &kubeadmapi.ClusterConfiguration{
CertificateValidityPeriod: &metav1.Duration{
Duration: time.Hour * 2,
},
CACertificateValidityPeriod: &metav1.Duration{
Duration: time.Hour,
},
},
expectedErrors: 1,
},
} }
for _, tc := range tests { for _, tc := range tests {