An expired certificate is not compatible

If the certificate in the CSR has expired, the code cannot use it.
Return an error with the correct message.
Clayton Coleman 2017-09-25 23:49:05 -04:00
parent ae6ee96b36
commit 74a0abb699
No known key found for this signature in database
GPG Key ID: 3D16906B4F1C5CB3


@ -203,5 +203,17 @@ func ensureCompatible(new, orig *certificates.CertificateSigningRequest, private
if err := newCsr.CheckSignature(); err != nil {
return fmt.Errorf("error validating signature new CSR against old key: %v", err)
}
if len(new.Status.Certificate) > 0 {
certs, err := certutil.ParseCertsPEM(new.Status.Certificate)
if err != nil {
return fmt.Errorf("error parsing signed certificate for CSR: %v", err)
}
now := time.Now()
for _, cert := range certs {
if now.After(cert.NotAfter) {
return fmt.Errorf("one of the certificates for the CSR has expired: %s", cert.NotAfter)
}
}
}
return nil
}
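Review bot: The added loop compares only against `cert.NotAfter`, so a certificate whose `NotBefore` is still in the future is accepted as compatible. If callers use the certificate straight away, reject that case too, e.g. `if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {`, with a message that covers both bounds. The loop runs over every certificate returned by `certutil.ParseCertsPEM`, so an expired chain certificate fails the check just like the leaf, and the error does not say which one; adding `cert.Subject.CommonName` to the message would make that diagnosable. A one-line comment above the block, such as `// an expired certificate makes the existing CSR incompatible`, would record the intent. ensureCompatible starts outside the hunk, so how callers react to this error is not visible here.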