From 74a0abb6992c44e1e0191def21627a350847bd7f Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Mon, 25 Sep 2017 23:49:05 -0400
Subject: [PATCH] An expired certificate is not compatible

If the certificate in the CSR is expired, it's no good to the code. Error out with the correct message.
---
 pkg/kubelet/util/csr/csr.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/pkg/kubelet/util/csr/csr.go b/pkg/kubelet/util/csr/csr.go
index 316de1abe5f..5c2fb8549f7 100644
--- a/pkg/kubelet/util/csr/csr.go
+++ b/pkg/kubelet/util/csr/csr.go
@@ -203,5 +203,17 @@ func ensureCompatible(new, orig *certificates.CertificateSigningRequest, private
 if err := newCsr.CheckSignature(); err != nil {
 return fmt.Errorf("error validating signature new CSR against old key: %v", err)
 }
+ if len(new.Status.Certificate) > 0 {
+ certs, err := certutil.ParseCertsPEM(new.Status.Certificate)
+ if err != nil {
+ return fmt.Errorf("error parsing signed certificate for CSR: %v", err)
+ }
+ now := time.Now()
+ for _, cert := range certs {
+ if now.After(cert.NotAfter) {
+ return fmt.Errorf("one of the certificates for the CSR has expired: %s", cert.NotAfter)
+ }
+ }
+ }
 return nil
 }
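Review bot: The validity check in the added loop rejects only certificates whose NotAfter has passed; a certificate whose NotBefore is still in the future is equally unusable by the kubelet and would still be reported as compatible here. Adding the symmetric guard inside the same loop closes that gap: `if now.Before(cert.NotBefore) { return fmt.Errorf("one of the certificates for the CSR is not yet valid: %s", cert.NotBefore) }`. The comparison is also a strict wall-clock one with no skew allowance, so a certificate expiring within moments of the check is accepted here and rejected by its consumer shortly after; whether a small margin is wanted depends on how the caller renews, which is not visible in this hunk. ensureCompatible's signature and the earlier part of its body lie outside the hunk.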