github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #85092 from fabriziopandini/alpha-certs-skips-missing-certs

Browse Source 
kubeadm: alpha certs should skip missing files
This commit is contained in:
Kubernetes Prow Robot 2019-11-11 14:46:47 -08:00 committed by GitHub
commit e008523f76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 85 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/kubeadm/app/cmd/alpha/certs.go
View File

@ -206,6 +206,11 @@ func renewCert(flags *renewFlags, kdir string, handler *renewal.CertificateRenew
return err return err
} }
if ok, _ := rm.CertificateExists(handler.Name); !ok {
fmt.Printf("MISSING! %s\n", handler.LongName)
return nil
}
// if the renewal operation is set to generate CSR request only // if the renewal operation is set to generate CSR request only
if flags.csrOnly { if flags.csrOnly {
// checks a path for storing CSR request is given // checks a path for storing CSR request is given
@ -282,6 +287,7 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
w := tabwriter.NewWriter(out, 10, 4, 3, ' ', 0) w := tabwriter.NewWriter(out, 10, 4, 3, ' ', 0)
fmt.Fprintln(w, "CERTIFICATE\tEXPIRES\tRESIDUAL TIME\tCERTIFICATE AUTHORITY\tEXTERNALLY MANAGED") fmt.Fprintln(w, "CERTIFICATE\tEXPIRES\tRESIDUAL TIME\tCERTIFICATE AUTHORITY\tEXTERNALLY MANAGED")
for _, handler := range rm.Certificates() { for _, handler := range rm.Certificates() {
if ok, _ := rm.CertificateExists(handler.Name); ok {
e, err := rm.GetCertificateExpirationInfo(handler.Name) e, err := rm.GetCertificateExpirationInfo(handler.Name)
if err != nil { if err != nil {
return err return err
@ -296,10 +302,19 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
) )
fmt.Fprintln(w, s) fmt.Fprintln(w, s)
continue
}
// the certificate does not exist (for any reason)
s := fmt.Sprintf("!MISSING! %s\t\t\t\t",
handler.Name,
)
fmt.Fprintln(w, s)
} }
fmt.Fprintln(w) fmt.Fprintln(w)
fmt.Fprintln(w, "CERTIFICATE AUTHORITY\tEXPIRES\tRESIDUAL TIME\tEXTERNALLY MANAGED") fmt.Fprintln(w, "CERTIFICATE AUTHORITY\tEXPIRES\tRESIDUAL TIME\tEXTERNALLY MANAGED")
for _, handler := range rm.CAs() { for _, handler := range rm.CAs() {
if ok, _ := rm.CAExists(handler.Name); ok {
e, err := rm.GetCAExpirationInfo(handler.Name) e, err := rm.GetCAExpirationInfo(handler.Name)
if err != nil { if err != nil {
return err return err
@ -313,6 +328,14 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
) )
fmt.Fprintln(w, s) fmt.Fprintln(w, s)
continue
}
// the CA does not exist (for any reason)
s := fmt.Sprintf("!MISSING! %s\t\t\t",
handler.Name,
)
fmt.Fprintln(w, s)
} }
w.Flush() w.Flush()
return nil return nil

20
cmd/kubeadm/app/phases/certs/renewal/manager.go
View File

@ -315,6 +315,16 @@ func (rm *Manager) CreateRenewCSR(name, outdir string) error {
return nil return nil
} }
// CertificateExists returns true if a certificate exists.
func (rm *Manager) CertificateExists(name string) (bool, error) {
handler, ok := rm.certificates[name]
if !ok {
return false, errors.Errorf("%s is not a known certificate", name)
}
return handler.readwriter.Exists(), nil
}
// GetCertificateExpirationInfo returns certificate expiration info. // GetCertificateExpirationInfo returns certificate expiration info.
// For PKI certificates, use the name defined in the certsphase package, while for certificates // For PKI certificates, use the name defined in the certsphase package, while for certificates
// embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package. // embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package.
@ -341,6 +351,16 @@ func (rm *Manager) GetCertificateExpirationInfo(name string) (*ExpirationInfo, e
return newExpirationInfo(name, cert, externallyManaged), nil return newExpirationInfo(name, cert, externallyManaged), nil
} }
// CAExists returns true if a certificate authority exists.
func (rm *Manager) CAExists(name string) (bool, error) {
handler, ok := rm.cas[name]
if !ok {
return false, errors.Errorf("%s is not a known certificate", name)
}
return handler.readwriter.Exists(), nil
}
// GetCAExpirationInfo returns CA expiration info. // GetCAExpirationInfo returns CA expiration info.
func (rm *Manager) GetCAExpirationInfo(name string) (*ExpirationInfo, error) { func (rm *Manager) GetCAExpirationInfo(name string) (*ExpirationInfo, error) {
handler, ok := rm.cas[name] handler, ok := rm.cas[name]

23
cmd/kubeadm/app/phases/certs/renewal/readwriter.go
View File

@ -19,6 +19,7 @@ package renewal
import ( import (
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"os"
"path/filepath" "path/filepath"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -33,6 +34,9 @@ import (
// certificateReadWriter defines the behavior of a component that // certificateReadWriter defines the behavior of a component that
// read or write a certificate stored/embedded in a file // read or write a certificate stored/embedded in a file
type certificateReadWriter interface { type certificateReadWriter interface {
//Exists return true if the certificate exists
Exists() bool
// Read a certificate stored/embedded in a file // Read a certificate stored/embedded in a file
Read() (*x509.Certificate, error) Read() (*x509.Certificate, error)
@ -55,6 +59,20 @@ func newPKICertificateReadWriter(certificateDir string, baseName string) *pkiCer
} }
} }
// Exists checks if a certificate exist
func (rw *pkiCertificateReadWriter) Exists() bool {
certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName)
return fileExists(certificatePath)
}
func fileExists(filename string) bool {
info, err := os.Stat(filename)
if os.IsNotExist(err) {
return false
}
return !info.IsDir()
}
// Read a certificate from a file the K8s pki managed by kubeadm // Read a certificate from a file the K8s pki managed by kubeadm
func (rw *pkiCertificateReadWriter) Read() (*x509.Certificate, error) { func (rw *pkiCertificateReadWriter) Read() (*x509.Certificate, error) {
certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName) certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName)
@ -97,6 +115,11 @@ func newKubeconfigReadWriter(kubernetesDir string, kubeConfigFileName string) *k
} }
} }
// Exists checks if a certificate embedded in kubeConfig file exists
func (rw *kubeConfigReadWriter) Exists() bool {
return fileExists(rw.kubeConfigFilePath)
}
// Read a certificate embedded in kubeConfig file managed by kubeadm. // Read a certificate embedded in kubeConfig file managed by kubeadm.
// Please note that the kubeConfig file itself is kept in the ReadWriter state thus allowing // Please note that the kubeConfig file itself is kept in the ReadWriter state thus allowing
// to preserve the attributes (Context, Servers, AuthInfo etc.) // to preserve the attributes (Context, Servers, AuthInfo etc.)