github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-14 05:36:12 +00:00
Code Issues Projects Releases Wiki Activity

Aggregate all the errors when the shared certs are validated

Browse Source 
Instead of the individual error and return, it's better to aggregate all
the errors so that we can fix them all at once.

Take the chance to fix some comments, since kubeadm are not checking that
the certs are equal across controlplane.

Signed-off-by: Dave Chen <dave.chen@arm.com>
This commit is contained in:
Dave Chen
2021-11-01 17:25:43 +08:00
parent 6ae9d088c4
commit c85fb0e6ac
3 changed files with 40 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
cmd/kubeadm/app/phases/certs/certs.go
View File

@@ -26,6 +26,7 @@ import (
"github.com/pkg/errors"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/client-go/util/keyutil"
"k8s.io/klog/v2"
@@ -304,30 +305,32 @@ type certKeyLocation struct {
uxName string
}
// SharedCertificateExists verifies if the shared certificates - the certificates that must be
// equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub + etcd/ca.key, etcd/ca.crt if local/stacked etcd
// Missing keys are non-fatal and produce warnings.
// SharedCertificateExists verifies if the shared certificates exist and are still valid - the certificates must be
// equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub, front-proxy-ca.key, front-proxy-ca.crt and etcd/ca.key, etcd/ca.crt if local/stacked etcd
// Missing private keys of CA are non-fatal and produce warnings.
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error) {
var errs []error
if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil {
return false, err
errs = append(errs, err)
}
if err := validatePrivatePublicKey(certKeyLocation{cfg.CertificatesDir, "", kubeadmconstants.ServiceAccountKeyBaseName, "service account"}); err != nil {
return false, err
errs = append(errs, err)
}
if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, "", "front-proxy CA"}); err != nil {
return false, err
errs = append(errs, err)
}
// in case of local/stacked etcd
if cfg.Etcd.External == nil {
if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, "", "etcd CA"}); err != nil {
return false, err
errs = append(errs, err)
}
}
if len(errs) != 0 {
return false, utilerrors.NewAggregate(errs)
}
return true, nil
}