From 83ef08336b1a2d23ae9fc4f30a05d3226f0450ba Mon Sep 17 00:00:00 2001 From: SataQiu Date: Wed, 5 Jan 2022 15:08:29 +0800 Subject: [PATCH] kubeadm: remove the restriction that the ca.crt can only contain one certificate --- cmd/kubeadm/app/phases/certs/renewal/readwriter.go | 12 +++++------- cmd/kubeadm/app/util/config/cluster.go | 4 ++-- cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 4 ++-- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/cmd/kubeadm/app/phases/certs/renewal/readwriter.go b/cmd/kubeadm/app/phases/certs/renewal/readwriter.go index 9fa1139d731..0ec0ee6ef3d 100644 --- a/cmd/kubeadm/app/phases/certs/renewal/readwriter.go +++ b/cmd/kubeadm/app/phases/certs/renewal/readwriter.go @@ -82,10 +82,8 @@ func (rw *pkiCertificateReadWriter) Read() (*x509.Certificate, error) { return nil, errors.Wrapf(err, "failed to load existing certificate %s", rw.baseName) } - if len(certs) != 1 { - return nil, errors.Errorf("wanted exactly one certificate, got %d", len(certs)) - } - + // Safely pick the first one because the sender's certificate must come first in the list. + // For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 return certs[0], nil } @@ -145,9 +143,9 @@ func (rw *kubeConfigReadWriter) Read() (*x509.Certificate, error) { if err != nil { return nil, errors.Wrapf(err, "failed to load existing certificate %s", rw.baseName) } - if len(caCerts) != 1 { - return nil, errors.Errorf("wanted exactly one certificate, got %d", len(caCerts)) - } + + // Safely pick the first one because the sender's certificate must come first in the list. + // For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 rw.caCert = caCerts[0] // get current context diff --git a/cmd/kubeadm/app/util/config/cluster.go b/cmd/kubeadm/app/util/config/cluster.go index 242d82940b9..eeeb92837ec 100644 --- a/cmd/kubeadm/app/util/config/cluster.go +++ b/cmd/kubeadm/app/util/config/cluster.go @@ -183,8 +183,8 @@ func getNodeNameFromKubeletConfig(fileName string) (string, error) { return "", errors.Errorf("invalid kubeconfig file %s. x509 certificate expected", fileName) } - // We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one - // TODO: Support multiple certs here in order to be able to rotate certs + // Safely pick the first one because the sender's certificate must come first in the list. + // For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 cert := certs[0] // gets the node name from the certificate common name diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go index 9628aa78a5c..a4398f6ee26 100644 --- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go +++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go @@ -291,8 +291,8 @@ func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) { return nil, errors.Wrapf(err, "couldn't load the certificate file %s", certificatePath) } - // We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one - // TODO: Support multiple certs here in order to be able to rotate certs + // Safely pick the first one because the sender's certificate must come first in the list. + // For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 cert := certs[0] return cert, nil