From 106c908dab80bb50eaab3cff7b5005af60809329 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Thu, 21 Jan 2021 23:02:41 +0000
Subject: [PATCH] Return an error when having an expired SVID when rotating the agent SVID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 pkg/agent/svid/rotator.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/agent/svid/rotator.go b/pkg/agent/svid/rotator.go
index 1bef0b1310..d9f9cc3bae 100644
--- a/pkg/agent/svid/rotator.go
+++ b/pkg/agent/svid/rotator.go
@@ -67,6 +67,10 @@ func (r *rotator) runRotation(ctx context.Context) error {
 err := r.rotateSVID(ctx)
 switch {
+ case err != nil && rotationutil.X509Expired(r.clk.Now(), r.state.Value().(State).SVID[0]):
+ r.c.Log.WithError(err).Error("Could not rotate agent SVID")
+ // Since our X509 cert has expired, and we weren't able to carry out a rotation request, we're probably unrecoverable without re-attesting.
+ return fmt.Errorf("current SVID has already expired and rotation failed: %v", err)
 case err != nil && nodeutil.ShouldAgentReattest(err):
 r.c.Log.WithError(err).Error("Could not rotate agent SVID")
 return err
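Review bot: The new case indexes `r.state.Value().(State).SVID[0]` without first checking that the slice is non-empty, so a rotation failure while State.SVID is empty would panic in the switch guard rather than fall through to the existing cases; whether State.SVID can be empty at this point is not visible in the hunk, but a length guard is cheap, e.g. `svid := r.state.Value().(State).SVID` before the switch and `case err != nil && len(svid) > 0 && rotationutil.X509Expired(r.clk.Now(), svid[0]):`. The returned error wraps with `%v`, which discards the underlying error for `errors.Is`/`errors.As`; the existing reattest case below returns `err` unwrapped, presumably so a caller can inspect it, and since the new case now runs first, `%w` would keep that inspection working for an expired SVID whose error is also reattest-worthy. The enclosing switch and runRotation continue past the hunk.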