diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 698ff2c09b..12c6961e96 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -21,7 +21,6 @@ import (
 "github.com/openshift/microshift/pkg/config"
 "github.com/openshift/microshift/pkg/controllers"
 "github.com/openshift/microshift/pkg/util"
- ctrl "k8s.io/kubernetes/pkg/controlplane"
 )
@@ -42,6 +41,10 @@ func initAll(cfg *config.MicroshiftConfig) error {
 return nil
 }
+func loadCA(cfg *config.MicroshiftConfig) error {
+ return util.LoadRootCA(cfg.DataDir+"/certs/ca-bundle", "ca-bundle.crt", "ca-bundle.key")
+}
+
 func initCerts(cfg *config.MicroshiftConfig) error {
 _, svcNet, err := net.ParseCIDR(cfg.Cluster.ServiceCIDR)
 if err != nil {
diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
index f9c76b1fcf..9a058e7ff3 100644
--- a/pkg/cmd/run.go
+++ b/pkg/cmd/run.go
@@ -20,6 +20,7 @@ import (
 "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
+ "k8s.io/klog/v2"
 )
 const (
@@ -64,6 +65,15 @@ func RunMicroshift(cfg *config.MicroshiftConfig, flags *pflag.FlagSet) error {
 // TODO: change to only initialize what is strictly necessary for the selected role(s)
 if _, err := os.Stat(filepath.Join(cfg.DataDir, "certs")); errors.Is(err, os.ErrNotExist) {
 initAll(cfg)
+ } else {
+ err = loadCA(cfg)
+ if err != nil {
+ err := os.RemoveAll(filepath.Join(cfg.DataDir, "certs"))
+ if err != nil {
+ klog.ErrorS(err, "removing old certs directory")
+ }
+ util.Must(initAll(cfg))
+ }
 }
 m := servicemanager.NewServiceManager()
diff --git a/pkg/util/cert.go b/pkg/util/cert.go
index e0a5fd1bcb..4d7f1d8a46 100644
--- a/pkg/util/cert.go
+++ b/pkg/util/cert.go
@@ -36,6 +36,7 @@ import (
 "time"
 "github.com/pkg/errors"
+ "k8s.io/klog/v2"
 )
 var (
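Review bot: The directory path in `loadCA` is built by string concatenation, `cfg.DataDir+"/certs/ca-bundle"`, while RunMicroshift in this same commit locates the same tree with `filepath.Join(cfg.DataDir, "certs")`, so the two spellings diverge textually whenever DataDir carries a trailing separator. Prefer `return util.LoadRootCA(filepath.Join(cfg.DataDir, "certs", "ca-bundle"), "ca-bundle.crt", "ca-bundle.key")` so both call sites resolve the path the same way (init.go's import block is only partly visible here, so path/filepath may need adding). A one-line comment would also help a reader who does not know util's globals, e.g. `// loadCA reads the persisted root CA key and certificate from DataDir into util's package-level CA state.`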
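Review bot: The error returned by `loadCA(cfg)` is never logged before the certs directory is deleted; the inner `err := os.RemoveAll(...)` shadows it, so the reason the existing root CA was rejected is lost at the very moment a new trust root is generated. Regenerating the CA invalidates every credential previously issued from it, so the trigger should at least be recorded before the RemoveAll: `klog.ErrorS(err, "loading existing root CA; removing certs directory and regenerating", "dir", filepath.Join(cfg.DataDir, "certs"))`. The two branches also disagree on `initAll` failures — the missing-directory branch discards its error while this branch wraps it in `util.Must`; either both should be `util.Must(initAll(cfg))` or both should return the error. Whether a read or parse failure on files that are present should wipe the directory at all, rather than refuse to start, is a policy decision worth stating in a comment at the `else`. RunMicroshift's body continues outside the hunk.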
@@ -72,6 +73,36 @@ func GenCA(common string, svcName []string, duration time.Duration) (*rsa.Privat
 return key, ca, err
 }
+func LoadRootCA(dir, certFilename, keyFilename string) error {
+
+ key, err := ioutil.ReadFile(filepath.Join(dir, keyFilename))
+ if err != nil {
+ return errors.Wrap(err, "error reading CA key")
+ }
+
+ if rootKey, err = PemToPrivateKey(key); err != nil {
+ return errors.Wrap(err, "parsing CA key from PEM")
+ }
+
+ certPath := filepath.Join(dir, certFilename)
+ cert, err := ioutil.ReadFile(certPath)
+ if err != nil {
+ return errors.Wrap(err, "reading CA certificate")
+ }
+
+ if rootCA, err = PemToCertificate(cert); err != nil {
+ return errors.Wrap(err, "parsing CA certificate")
+ }
+
+ now := time.Now()
+
+ if now.After(rootCA.NotAfter) {
+ klog.ErrorS(nil, "CA has expired: current time %s is after %s", now.Format(time.RFC3339), rootCA.NotAfter.Format(time.RFC3339))
+ }
+
+ return nil
+}
+
 func StoreRootCA(common, dir, certFilename, keyFilename string, svcName []string) error {
 if rootCA == nil || rootKey == nil {
 var err error
@@ -186,6 +217,15 @@ func (cfg *CertCfg) GenerateSelfSignedCertificate() (*rsa.PrivateKey, *x509.Cert
 // GenerateSignedCertificate generate a key and cert defined by CertCfg and signed by CA.
 func (cfg *CertCfg) GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate) (*rsa.PrivateKey, *x509.Certificate, error) {
+
+ if caCert == nil {
+ return nil, nil, errors.New("Unable to GenerateSignedCertificate with (nil) caCert")
+ }
+
+ if caKey == nil {
+ return nil, nil, errors.New("Unable to GenerateSignedCertificate with (nil) caKey")
+ }
+
 // create a private key
 key, err := PrivateKey()
 if err != nil {
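Review bot: `LoadRootCA` only logs when the certificate is past `NotAfter` and still returns nil, so an expired CA is installed into `rootCA` and used as-is; since RunMicroshift treats a LoadRootCA error as the signal to regenerate, the expiry check only has an effect if it fails the load: `if now.After(rootCA.NotAfter) {` / `return errors.Errorf("CA certificate expired at %s (now %s)", rootCA.NotAfter.Format(time.RFC3339), now.Format(time.RFC3339))` / `}`. As written the log call is also malformed — `klog.ErrorS` takes key/value pairs, not printf verbs, so the `%s` placeholders would be emitted literally. The function does not check `NotBefore` or that the parsed key matches the certificate's public key; if those are not validated elsewhere, a mismatched or not-yet-valid pair would only surface later at handshake time. The exported function lacks a doc comment; `// LoadRootCA reads the CA key and certificate from dir into the package-level rootKey and rootCA, returning an error if either cannot be read or parsed.` would do.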
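Review bot: The new error strings `"Unable to GenerateSignedCertificate with (nil) caCert"` and its caKey twin start with a capital letter and repeat the function name, against the Go convention that error strings are lowercase fragments meant to be wrapped by the caller; `errors.New("nil caCert")` and `errors.New("nil caKey")` read better once context is added. The blank line directly after the signature is also unusual in this file, where `// create a private key` otherwise follows the opening brace. The nil guards themselves are a sound addition; GenerateSignedCertificate's body continues outside the hunk.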