Merge pull request #805 from galal-hussein/certificate_rotation

Certificate Rotation
pull/851/head
Erik Wilson 2019-10-01 14:07:45 -07:00 committed by GitHub
commit 69645ce12f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 41 additions and 16 deletions

go.mod

@ -23,7 +23,6 @@ replace (
github.com/prometheus/client_model => github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 github.com/prometheus/client_model => github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910
github.com/prometheus/common => github.com/prometheus/common v0.0.0-20181126121408-4724e9255275 github.com/prometheus/common => github.com/prometheus/common v0.0.0-20181126121408-4724e9255275
github.com/prometheus/procfs => github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a github.com/prometheus/procfs => github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a
github.com/rancher/dynamiclistener => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719
github.com/rancher/kine => github.com/ibuildthecloud/kine v0.1.0 github.com/rancher/kine => github.com/ibuildthecloud/kine v0.1.0
k8s.io/api => github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.0-k3s.1 k8s.io/api => github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.0-k3s.1
k8s.io/apiextensions-apiserver => github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.0-k3s.1 k8s.io/apiextensions-apiserver => github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.0-k3s.1
@ -92,7 +91,7 @@ require (
github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830 github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830
github.com/pkg/errors v0.8.1 github.com/pkg/errors v0.8.1
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719 github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
github.com/rancher/helm-controller v0.2.2 github.com/rancher/helm-controller v0.2.2
github.com/rancher/kine v0.0.0-00010101000000-000000000000 github.com/rancher/kine v0.0.0-00010101000000-000000000000
github.com/rancher/remotedialer v0.2.0 github.com/rancher/remotedialer v0.2.0

go.sum

@ -558,6 +558,8 @@ github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4
github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM= github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE= github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8= github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d h1:BPBA86IVuNX/S2g7Kry+jXcuftCWPRLpad1iyd1nP20=
github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d/go.mod h1:vNqDnGTkrX8tiBUevkvjZoQoiZOjaahVbMaYRIl25l0=
github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8= github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA= github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo= github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo=


@ -569,7 +569,7 @@ func genClientCerts(config *config.Control, runtime *config.ControlRuntime) erro
return err return err
} }
if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey); err != nil { if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey, regen); err != nil {
return err return err
} }
@ -614,7 +614,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
return err return err
} }
if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey); err != nil { if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey, regen); err != nil {
return err return err
} }
@ -638,6 +638,11 @@ func genRequestHeaderCerts(config *config.Control, runtime *config.ControlRuntim
} }
func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) { func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
// check for certificate expiration
if !regen {
regen = expired(certFile)
}
if !regen { if !regen {
if exists(certFile, keyFile) { if exists(certFile, keyFile) {
return false, nil return false, nil
@ -663,8 +668,7 @@ func createClientCertKey(regen bool, commonName string, organization []string, a
if err != nil { if err != nil {
return false, err return false, err
} }
keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, regen)
keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
if err != nil { if err != nil {
return false, err return false, err
} }
@ -718,7 +722,7 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) {
return false, nil return false, nil
} }
caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile) caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, false)
if err != nil { if err != nil {
return false, err return false, err
} }
@ -782,3 +786,21 @@ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
argsMap["etcd-keyfile"] = cfg.Storage.KeyFile argsMap["etcd-keyfile"] = cfg.Storage.KeyFile
} }
} }
func expired(certFile string) bool {
certBytes, err := ioutil.ReadFile(certFile)
if err != nil {
return false
}
certificates, err := certutil.ParseCertsPEM(certBytes)
if err != nil {
return false
}
expirationDate := certificates[0].NotAfter
diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
if diffDays <= 90 {
logrus.Infof("certificate %s is about to expire", certFile)
return true
}
return false
}
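Review bot: `expired` indexes `certificates[0]` on the line `expirationDate := certificates[0].NotAfter` without checking the slice length, so if `certutil.ParseCertsPEM` can return an empty slice with a nil error (its contract is not visible from here) a PEM file holding no certificate blocks would panic the control plane at startup instead of being treated as not expiring; a guard `if len(certificates) == 0 { return false }` after the parse-error check removes the doubt either way. The function name also understates what it decides: it returns true when 90 days or less of validity remain, not only once the certificate has lapsed, and the 90 is a bare literal, so a doc comment such as `// expired reports whether the certificate in certFile has lapsed or is within 90 days of NotAfter; read or parse failures are treated as not expiring.` plus a named constant for the threshold would make the rotation policy visible to the callers in createClientCertKey. Because read and parse errors yield false, a corrupt certificate file then passes the `exists(certFile, keyFile)` check and is kept as-is; whether that should force regeneration instead is a policy choice worth stating in a comment. As a style point, `time.Until(expirationDate)` reads more directly than `expirationDate.Sub(time.Now())`.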


@ -86,14 +86,16 @@ func WriteKey(keyPath string, data []byte) error {
// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it // LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
// can't find one, it will generate a new key and store it there. // can't find one, it will generate a new key and store it there.
func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) { func LoadOrGenerateKeyFile(keyPath string, force bool) (data []byte, wasGenerated bool, err error) {
loadedData, err := ioutil.ReadFile(keyPath) if !force {
// Call verifyKeyData to ensure the file wasn't empty/corrupt. loadedData, err := ioutil.ReadFile(keyPath)
if err == nil && verifyKeyData(loadedData) { // Call verifyKeyData to ensure the file wasn't empty/corrupt.
return loadedData, false, err if err == nil && verifyKeyData(loadedData) {
} return loadedData, false, err
if !os.IsNotExist(err) { }
return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err) if !os.IsNotExist(err) {
return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
}
} }
generatedData, err := MakeEllipticPrivateKeyPEM() generatedData, err := MakeEllipticPrivateKeyPEM()
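Review bot: The doc comment above `LoadOrGenerateKeyFile` still describes only the load-or-generate path and says nothing about the new `force` parameter, which makes the function skip the existing file entirely and (presumably, the write is past the end of the hunk) overwrite it with a freshly generated key; I would extend it with `// If force is true the existing file is not consulted and a new key is generated and written in its place.` Since forcing discards the previous private key, callers passing true (the `regen` flag in the server code) should treat that as the point where rotation becomes irreversible, and the comment should say so. Inside the new `if !force` block, `loadedData, err := ioutil.ReadFile(keyPath)` now shadows the named result `err`; it is harmless because every path returns explicitly, but `var loadedData []byte` followed by `loadedData, err = ioutil.ReadFile(keyPath)` keeps vet's shadow check quiet. The function body continues beyond the hunk.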

vendor/modules.txt vendored

@ -742,7 +742,7 @@ github.com/prometheus/procfs/internal/util
# github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 # github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8
github.com/rakelkar/gonetsh/netroute github.com/rakelkar/gonetsh/netroute
github.com/rakelkar/gonetsh/netsh github.com/rakelkar/gonetsh/netsh
# github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719 => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719 # github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
github.com/rancher/dynamiclistener github.com/rancher/dynamiclistener
github.com/rancher/dynamiclistener/cert github.com/rancher/dynamiclistener/cert
# github.com/rancher/helm-controller v0.2.2 # github.com/rancher/helm-controller v0.2.2