Switch issued check to inspect certificate length

This commit is contained in:
Jordan Liggitt 2020-05-28 10:48:49 -04:00
parent 184b3f81ad
commit 94fd1d76ca
4 changed files with 12 additions and 4 deletions


@ -194,13 +194,13 @@ func isOlderThan(t metav1.Time, d time.Duration) bool {
// 'Issued' status. Implicitly, if there is a certificate associated with the // 'Issued' status. Implicitly, if there is a certificate associated with the
// CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'. // CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'.
func isIssued(csr *capi.CertificateSigningRequest) bool { func isIssued(csr *capi.CertificateSigningRequest) bool {
return csr.Status.Certificate != nil return len(csr.Status.Certificate) > 0
} }
// isExpired checks if the CSR has a certificate and the date in the `NotAfter` // isExpired checks if the CSR has a certificate and the date in the `NotAfter`
// field has gone by. // field has gone by.
func isExpired(csr *capi.CertificateSigningRequest) (bool, error) { func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
if csr.Status.Certificate == nil { if len(csr.Status.Certificate) == 0 {
return false, nil return false, nil
} }
block, _ := pem.Decode(csr.Status.Certificate) block, _ := pem.Decode(csr.Status.Certificate)
@ -211,5 +211,8 @@ func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
if err != nil { if err != nil {
return false, fmt.Errorf("unable to parse certificate data: %v", err) return false, fmt.Errorf("unable to parse certificate data: %v", err)
} }
if len(certs) == 0 {
return false, fmt.Errorf("no certificates found")
}
return time.Now().After(certs[0].NotAfter), nil return time.Now().After(certs[0].NotAfter), nil
} }
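Review bot: The new guard `if len(certs) == 0 { return false, fmt.Errorf("no certificates found") }` and the matching guard in the getCurrentCertificateOrBootstrap hunk (`if len(certs) < 1` with message `no cert data found`) express the same condition in two forms with two messages; settling on one form, e.g. `len(certs) == 0`, and one message would make log triage easier. Both messages are constant strings, so `errors.New(...)` is the conventional form over `fmt.Errorf` without verbs, if `errors` is already imported in these files. isExpired also inspects only `certs[0].NotAfter`; a comment such as `// certs[0] is treated as the leaf; any further PEM blocks are not checked here` would record that assumption. The `@ -211` hunk starts mid-function, so the nil-block handling after `pem.Decode` is not visible here.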


@ -174,6 +174,7 @@ func (c *fakeClient) Watch(_ context.Context, opts metav1.ListOptions) (watch.In
func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest { func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
var condition certificates.CertificateSigningRequestCondition var condition certificates.CertificateSigningRequestCondition
var certificateData []byte
if c.failureType == certificateSigningRequestDenied { if c.failureType == certificateSigningRequestDenied {
condition = certificates.CertificateSigningRequestCondition{ condition = certificates.CertificateSigningRequestCondition{
Type: certificates.CertificateDenied, Type: certificates.CertificateDenied,
@ -182,6 +183,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
condition = certificates.CertificateSigningRequestCondition{ condition = certificates.CertificateSigningRequestCondition{
Type: certificates.CertificateApproved, Type: certificates.CertificateApproved,
} }
certificateData = []byte(`issued certificate`)
} }
csr := certificates.CertificateSigningRequest{ csr := certificates.CertificateSigningRequest{
@ -192,7 +194,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
Conditions: []certificates.CertificateSigningRequestCondition{ Conditions: []certificates.CertificateSigningRequestCondition{
condition, condition,
}, },
Certificate: []byte{}, Certificate: certificateData,
}, },
} }
return &csr return &csr
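Review bot: `certificateData = []byte(`issued certificate`)` is not PEM, so this fake satisfies only the new length-based issued checks; any test path that parses `csr.Status.Certificate` would presumably fail on it. If that is intentional, a comment on that line, `// not valid PEM: tests rely only on the certificate being non-empty`, would stop a later reader from "fixing" the fixture. The denied branch leaves certificateData nil, which the new length checks correctly treat as not issued. generateCSR continues past the last hunk.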


@ -374,6 +374,9 @@ func getCurrentCertificateOrBootstrap(
if err != nil { if err != nil {
return nil, false, fmt.Errorf("unable to parse certificate data: %v", err) return nil, false, fmt.Errorf("unable to parse certificate data: %v", err)
} }
if len(certs) < 1 {
return nil, false, fmt.Errorf("no cert data found")
}
bootstrapCert.Leaf = certs[0] bootstrapCert.Leaf = certs[0]
if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil { if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {


@ -125,7 +125,7 @@ func WaitForCertificate(ctx context.Context, client certificatesclient.Certifica
} }
} }
if approved { if approved {
if csr.Status.Certificate != nil { if len(csr.Status.Certificate) > 0 {
klog.V(2).Infof("certificate signing request %s is issued", csr.Name) klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
return true, nil return true, nil
} }
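Review bot: With the check now `len(csr.Status.Certificate) > 0`, an approved CSR whose certificate field is still empty falls through the `if` without a log line, and what happens next lies outside the hunk. A short comment after its closing brace, `// approved but not yet signed; keep waiting for the certificate`, would document the expected interim state, assuming that is what the surrounding loop does. Any non-empty bytes satisfy this check, so malformed certificate data is reported as issued here and only fails when a caller parses it. WaitForCertificate's body starts and ends outside the hunk.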