Switch issued check to inspect certificate length
parent
184b3f81ad
commit
94fd1d76ca
@ -194,13 +194,13 @@ func isOlderThan(t metav1.Time, d time.Duration) bool {
|
|||||||
// 'Issued' status. Implicitly, if there is a certificate associated with the
|
// 'Issued' status. Implicitly, if there is a certificate associated with the
|
||||||
// CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'.
|
// CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'.
|
||||||
func isIssued(csr *capi.CertificateSigningRequest) bool {
|
func isIssued(csr *capi.CertificateSigningRequest) bool {
|
||||||
return csr.Status.Certificate != nil
|
return len(csr.Status.Certificate) > 0
|
||||||
}
|
}
|
||||||
|
|
||||||
// isExpired checks if the CSR has a certificate and the date in the `NotAfter`
|
// isExpired checks if the CSR has a certificate and the date in the `NotAfter`
|
||||||
// field has gone by.
|
// field has gone by.
|
||||||
func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
|
func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
|
||||||
if csr.Status.Certificate == nil {
|
if len(csr.Status.Certificate) == 0 {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
block, _ := pem.Decode(csr.Status.Certificate)
|
block, _ := pem.Decode(csr.Status.Certificate)
|
||||||
@ -211,5 +211,8 @@ func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return false, fmt.Errorf("unable to parse certificate data: %v", err)
|
return false, fmt.Errorf("unable to parse certificate data: %v", err)
|
||||||
}
|
}
|
||||||
|
if len(certs) == 0 {
|
||||||
|
return false, fmt.Errorf("no certificates found")
|
||||||
|
}
|
||||||
return time.Now().After(certs[0].NotAfter), nil
|
return time.Now().After(certs[0].NotAfter), nil
|
||||||
}
|
}
|
||||||
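Review bot: The doc comment above isIssued still describes the check as "if there is a certificate associated with the CSR", but the new body treats an empty, non-nil `Status.Certificate` the same as a missing one, and no comment records that rule. A sentence such as `// An empty certificate slice is treated the same as nil: the CSR is not issued until the field holds data.` would keep a later reader from restoring the nil comparison. The same undocumented distinction applies to the first guard in isExpired and to the `len(csr.Status.Certificate) > 0` test in WaitForCertificate further down the page. Why an empty slice can occur is not shown in these hunks, so the comment should state the rule rather than guess at the cause.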
|
@ -174,6 +174,7 @@ func (c *fakeClient) Watch(_ context.Context, opts metav1.ListOptions) (watch.In
|
|||||||
|
|
||||||
func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
|
func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
|
||||||
var condition certificates.CertificateSigningRequestCondition
|
var condition certificates.CertificateSigningRequestCondition
|
||||||
|
var certificateData []byte
|
||||||
if c.failureType == certificateSigningRequestDenied {
|
if c.failureType == certificateSigningRequestDenied {
|
||||||
condition = certificates.CertificateSigningRequestCondition{
|
condition = certificates.CertificateSigningRequestCondition{
|
||||||
Type: certificates.CertificateDenied,
|
Type: certificates.CertificateDenied,
|
||||||
@ -182,6 +183,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
|
|||||||
condition = certificates.CertificateSigningRequestCondition{
|
condition = certificates.CertificateSigningRequestCondition{
|
||||||
Type: certificates.CertificateApproved,
|
Type: certificates.CertificateApproved,
|
||||||
}
|
}
|
||||||
|
certificateData = []byte(`issued certificate`)
|
||||||
}
|
}
|
||||||
|
|
||||||
csr := certificates.CertificateSigningRequest{
|
csr := certificates.CertificateSigningRequest{
|
||||||
@ -192,7 +194,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
|
|||||||
Conditions: []certificates.CertificateSigningRequestCondition{
|
Conditions: []certificates.CertificateSigningRequestCondition{
|
||||||
condition,
|
condition,
|
||||||
},
|
},
|
||||||
Certificate: []byte{},
|
Certificate: certificateData,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
return &csr
|
return &csr
|
||||||
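Review bot: generateCSR no longer produces the one state that separates the new length check from the old nil check: an approved CSR whose `Status.Certificate` is an empty, non-nil slice. After this change the denied path leaves `certificateData` nil and the approved path sets it to `issued certificate`, so, as far as these hunks show, the tests would also pass against the old `!= nil` code. Consider a further fake case that keeps the approved condition with `Certificate: []byte{}` and asserts that the CSR is not reported as issued. The function body runs beyond the visible hunks, so other branches may exist.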
|
@ -374,6 +374,9 @@ func getCurrentCertificateOrBootstrap(
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, false, fmt.Errorf("unable to parse certificate data: %v", err)
|
return nil, false, fmt.Errorf("unable to parse certificate data: %v", err)
|
||||||
}
|
}
|
||||||
|
if len(certs) < 1 {
|
||||||
|
return nil, false, fmt.Errorf("no cert data found")
|
||||||
|
}
|
||||||
bootstrapCert.Leaf = certs[0]
|
bootstrapCert.Leaf = certs[0]
|
||||||
|
|
||||||
if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {
|
if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {
|
||||||
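Review bot: The new empty-result guard is written as `len(certs) < 1` with the message "no cert data found", while the equivalent guard added to isExpired in this same commit uses `len(certs) == 0` and "no certificates found". Using one form for both, `if len(certs) == 0 {` with `return nil, false, fmt.Errorf("no certificates found")`, keeps the two call sites searchable together and the errors easier to match in logs. The guard sits directly before `bootstrapCert.Leaf = certs[0]`, which is the index it protects. getCurrentCertificateOrBootstrap starts and ends outside the hunk.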
|
@ -125,7 +125,7 @@ func WaitForCertificate(ctx context.Context, client certificatesclient.Certifica
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if approved {
|
if approved {
|
||||||
if csr.Status.Certificate != nil {
|
if len(csr.Status.Certificate) > 0 {
|
||||||
klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
|
klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|