From 7016057ff7a8562829d75e53fe1a719818b4f582 Mon Sep 17 00:00:00 2001
From: xilabao
Date: Wed, 9 Nov 2016 10:33:21 +0800
Subject: [PATCH] fix apiserver start failed if lost one of cert and key, add a error message
---
 cmd/kubelet/app/server.go | 7 ++++++-
 pkg/genericapiserver/config.go | 9 ++++++++-
 pkg/util/cert/io.go | 23 +++++++++++++++++------
 3 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 244b92212da..ece05d0cf1d 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -514,7 +514,12 @@ func InitializeTLS(kc *componentconfig.KubeletConfiguration) (*server.TLSOptions
 if kc.TLSCertFile == "" && kc.TLSPrivateKeyFile == "" {
 kc.TLSCertFile = path.Join(kc.CertDirectory, "kubelet.crt")
 kc.TLSPrivateKeyFile = path.Join(kc.CertDirectory, "kubelet.key")
- if !certutil.CanReadCertOrKey(kc.TLSCertFile, kc.TLSPrivateKeyFile) {
+
+ canReadCertAndKey, err := certutil.CanReadCertAndKey(kc.TLSCertFile, kc.TLSPrivateKeyFile)
+ if err != nil {
+ return nil, err
+ }
+ if !canReadCertAndKey {
 cert, key, err := certutil.GenerateSelfSignedCertKey(nodeutil.GetHostname(kc.HostnameOverride), nil, nil)
 if err != nil {
 return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
diff --git a/pkg/genericapiserver/config.go b/pkg/genericapiserver/config.go
index 9fbca9acbc7..b8232382049 100644
--- a/pkg/genericapiserver/config.go
+++ b/pkg/genericapiserver/config.go
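Review bot: The new `return nil, err` after the CanReadCertAndKey call passes the helper's error up bare, while the generation failure two lines below wraps its error with what this layer was doing, so a kubelet failing here reports only the pair message with nothing tying it to default serving-cert setup. `return nil, fmt.Errorf("unable to load kubelet serving cert/key from %s: %v", kc.CertDirectory, err)` keeps the two branches consistent; the same unwrapped `return err` appears in the pkg/genericapiserver/config.go hunk. The `err` declared by the new probe line is then shadowed by `cert, key, err :=` inside the `if !canReadCertAndKey` block, which is harmless as written but will be flagged by go vet's shadow analyzer. Note also that the pair check sits inside the `TLSCertFile == "" && TLSPrivateKeyFile == ""` branch, so a kubelet started with exactly one of the two flags set never reaches it; whether that case gets an equally clear error depends on code after the hunk, as InitializeTLS continues outside it.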
@@ -406,7 +406,14 @@ func (c completedConfig) New() (*GenericAPIServer, error) {
 func (c completedConfig) MaybeGenerateServingCerts(alternateIPs ...net.IP) error {
 // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
 // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
- if c.SecureServingInfo != nil && c.SecureServingInfo.ServerCert.Generate && !certutil.CanReadCertOrKey(c.SecureServingInfo.ServerCert.CertFile, c.SecureServingInfo.ServerCert.KeyFile) {
+ if c.SecureServingInfo != nil && c.SecureServingInfo.ServerCert.Generate {
+ canReadCertAndKey, err := certutil.CanReadCertAndKey(c.SecureServingInfo.ServerCert.CertFile, c.SecureServingInfo.ServerCert.KeyFile)
+ if err != nil {
+ return err
+ }
+ if canReadCertAndKey {
+ return nil
+ }
 // TODO (cjcullen): Is ClusterIP the right address to sign a cert with?
 alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}
diff --git a/pkg/util/cert/io.go b/pkg/util/cert/io.go
index 9a3e1622f37..377b3d5892f 100644
--- a/pkg/util/cert/io.go
+++ b/pkg/util/cert/io.go
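Review bot: The new `if canReadCertAndKey { return nil }` reuses whatever cert and key already sit at CertFile/KeyFile with no further check and no log line, even though `Generate` was requested; CanReadCertAndKey only probes readability (see the pkg/util/cert/io.go hunk), so a stale or mismatched pair left on disk is accepted silently at this point. A comment on that branch would make the contract visible, e.g. `// An existing cert/key pair on disk is reused as-is; only readability is checked here, not that the two match or are still valid.` If this file already has a logger in scope, one info-level line naming the reused paths would also help operators who expected generation to happen. MaybeGenerateServingCerts continues outside the hunk.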
@@ -25,14 +25,25 @@ import (
 "path/filepath"
 )
-// CanReadCertOrKey returns true if the certificate or key files already exists,
-// otherwise returns false.
-func CanReadCertOrKey(certPath, keyPath string) bool {
- if canReadFile(certPath) || canReadFile(keyPath) {
- return true
+// CanReadCertAndKey returns true if the certificate and key files already exists,
+// otherwise returns false. If lost one of cert and key, returns error.
+func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
+ certReadable := canReadFile(certPath)
+ keyReadable := canReadFile(keyPath)
+
+ if certReadable == false && keyReadable == false {
+ return false, nil
 }
- return false
+ if certReadable == false {
+ return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
+ }
+
+ if keyReadable == false {
+ return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
+ }
+
+ return true, nil
 }
 // If the file represented by path exists and
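Review bot: The doc comment on CanReadCertAndKey does not match its contract: "files already exists" is ungrammatical and "If lost one of cert and key, returns error" leaves unclear which case is the error; suggest `// CanReadCertAndKey returns true if both the certificate and key files are readable and false if neither is.` followed by `// It returns an error when only one of the two is readable, since they must be supplied as a pair.` The three `== false` comparisons are unidiomatic Go — `if !certReadable && !keyReadable {`, `if !certReadable {` and `if !keyReadable {` read the same and are what staticcheck expects. The message "error reading %s" may also mislead: canReadFile's own comment starts "If the file represented by path exists and", so a false result presumably covers a missing file as well as an unreadable one, and `fmt.Errorf("%q is missing or unreadable; certificate and key must be supplied as a pair", certPath)` (likewise for keyPath) would describe both outcomes, with `%q` making an empty path visible.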