Merge pull request #805 from galal-hussein/certificate_rotation

Certificate Rotation
2019-10-01 14:07:45 -07:00 · 2019-10-01 14:07:45 -07:00 · 69645ce12f
parent 2ea7a717d9 2dc5ba5bae
commit 69645ce12f
5 changed files with 41 additions and 16 deletions
--- a/go.mod
+++ b/go.mod
@ -23,7 +23,6 @@ replace (
 	github.com/prometheus/client_model => github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910
 	github.com/prometheus/common => github.com/prometheus/common v0.0.0-20181126121408-4724e9255275
 	github.com/prometheus/procfs => github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a
-	github.com/rancher/dynamiclistener => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719
 	github.com/rancher/kine => github.com/ibuildthecloud/kine v0.1.0
 	k8s.io/api => github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.0-k3s.1
 	k8s.io/apiextensions-apiserver => github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.0-k3s.1
@ -92,7 +91,7 @@ require (
 	github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830
 	github.com/pkg/errors v0.8.1
 	github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
-	github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719
+	github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
 	github.com/rancher/helm-controller v0.2.2
 	github.com/rancher/kine v0.0.0-00010101000000-000000000000
 	github.com/rancher/remotedialer v0.2.0
--- a/go.sum
+++ b/go.sum
@ -558,6 +558,8 @@ github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4
 github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
 github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
 github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
+github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d h1:BPBA86IVuNX/S2g7Kry+jXcuftCWPRLpad1iyd1nP20=
+github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d/go.mod h1:vNqDnGTkrX8tiBUevkvjZoQoiZOjaahVbMaYRIl25l0=
 github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
 github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
 github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo=
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@ -569,7 +569,7 @@ func genClientCerts(config *config.Control, runtime *config.ControlRuntime) erro
 		return err
 	}

-	if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey); err != nil {
+	if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey, regen); err != nil {
 		return err
 	}

@ -614,7 +614,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
 		return err
 	}

-	if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey); err != nil {
+	if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey, regen); err != nil {
 		return err
 	}

@ -638,6 +638,11 @@ func genRequestHeaderCerts(config *config.Control, runtime *config.ControlRuntim
 }

 func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
+	// check for certificate expiration
+	if !regen {
+		regen = expired(certFile)
+	}
+
 	if !regen {
 		if exists(certFile, keyFile) {
 			return false, nil
@ -663,8 +668,7 @@ func createClientCertKey(regen bool, commonName string, organization []string, a
 	if err != nil {
 		return false, err
 	}
-
-	keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+	keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, regen)
 	if err != nil {
 		return false, err
 	}
@ -718,7 +722,7 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) {
 		return false, nil
 	}

-	caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+	caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, false)
 	if err != nil {
 		return false, err
 	}
@ -782,3 +786,21 @@ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
 		argsMap["etcd-keyfile"] = cfg.Storage.KeyFile
 	}
 }
+
+func expired(certFile string) bool {
+	certBytes, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return false
+	}
+	certificates, err := certutil.ParseCertsPEM(certBytes)
+	if err != nil {
+		return false
+	}
+	expirationDate := certificates[0].NotAfter
+	diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
+	if diffDays <= 90 {
+		logrus.Infof("certificate %s is about to expire", certFile)
+		return true
+	}
+	return false
+}
--- a/vendor/github.com/rancher/dynamiclistener/cert/io.go
+++ b/vendor/github.com/rancher/dynamiclistener/cert/io.go
@ -86,14 +86,16 @@ func WriteKey(keyPath string, data []byte) error {

 // LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
 // can't find one, it will generate a new key and store it there.
-func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
-	loadedData, err := ioutil.ReadFile(keyPath)
-	// Call verifyKeyData to ensure the file wasn't empty/corrupt.
-	if err == nil && verifyKeyData(loadedData) {
-		return loadedData, false, err
-	}
-	if !os.IsNotExist(err) {
-		return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+func LoadOrGenerateKeyFile(keyPath string, force bool) (data []byte, wasGenerated bool, err error) {
+	if !force {
+		loadedData, err := ioutil.ReadFile(keyPath)
+		// Call verifyKeyData to ensure the file wasn't empty/corrupt.
+		if err == nil && verifyKeyData(loadedData) {
+			return loadedData, false, err
+		}
+		if !os.IsNotExist(err) {
+			return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+		}
 	}

 	generatedData, err := MakeEllipticPrivateKeyPEM()
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -742,7 +742,7 @@ github.com/prometheus/procfs/internal/util
 # github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8
 github.com/rakelkar/gonetsh/netroute
 github.com/rakelkar/gonetsh/netsh
-# github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719 => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719
+# github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
 github.com/rancher/dynamiclistener
 github.com/rancher/dynamiclistener/cert
 # github.com/rancher/helm-controller v0.2.2