github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 06:27:05 +00:00
Code Issues Projects Releases Wiki Activity

Delete the private key for the bootstrap client cert on failure

Browse Source 
Ensures that in a crash loop state we can make forward progress by
generating a new key and hence new CSR. If we do not delete the key, an
expired CSR may block startup.

Also more aggressively delete a bad cert path
This commit is contained in:
Clayton Coleman 2017-09-28 23:50:07 -04:00
parent 74a0abb699
commit 710dfb3427
No known key found for this signature in database
GPG Key ID: 3D16906B4F1C5CB3
1 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
pkg/kubelet/certificate/bootstrap/bootstrap.go
View File

@ -73,6 +73,17 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
if err != nil { if err != nil {
return fmt.Errorf("unable to build bootstrap key path: %v", err) return fmt.Errorf("unable to build bootstrap key path: %v", err)
} }
// If we are unable to generate a CSR, we remove our key file and start fresh.
// This method is used before enabling client rotation and so we must ensure we
// can make forward progress if we crash and exit when a CSR exists but the cert
// it is signed for has expired.
defer func() {
if !success {
if err := os.Remove(keyPath); err != nil && !os.IsNotExist(err) {
glog.Warningf("Cannot clean up the key file %q: %v", keyPath, err)
}
}
}()
keyData, _, err := certutil.LoadOrGenerateKeyFile(keyPath) keyData, _, err := certutil.LoadOrGenerateKeyFile(keyPath)
if err != nil { if err != nil {
return err return err
@ -83,6 +94,13 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
if err != nil { if err != nil {
return fmt.Errorf("unable to build bootstrap client cert path: %v", err) return fmt.Errorf("unable to build bootstrap client cert path: %v", err)
} }
defer func() {
if !success {
if err := os.Remove(certPath); err != nil && !os.IsNotExist(err) {
glog.Warningf("Cannot clean up the cert file %q: %v", certPath, err)
}
}
}()
certData, err := csr.RequestNodeCertificate(bootstrapClient.CertificateSigningRequests(), keyData, nodeName) certData, err := csr.RequestNodeCertificate(bootstrapClient.CertificateSigningRequests(), keyData, nodeName)
if err != nil { if err != nil {
return err return err
@ -90,13 +108,6 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
if err := certutil.WriteCert(certPath, certData); err != nil { if err := certutil.WriteCert(certPath, certData); err != nil {
return err return err
} }
defer func() {
if !success {
if err := os.Remove(certPath); err != nil {
glog.Warningf("Cannot clean up the cert file %q: %v", certPath, err)
}
}
}()
// Get the CA data from the bootstrap client config. // Get the CA data from the bootstrap client config.
caFile, caData := bootstrapClientConfig.CAFile, []byte{} caFile, caData := bootstrapClientConfig.CAFile, []byte{}