
Commit c961d79

committed
nodekubeconfig: set not-before/not-after annotations
1 parent fb599ec commit c961d79


1 file changed

+22
-0
lines changed


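--- a/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller.go
+++ b/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller.go
@@ -2,7 +2,10 @@ package nodekubeconfigcontroller
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"strings"
 	"time"
@@ -14,6 +17,7 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
 	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
@@ -112,6 +116,22 @@ func ensureNodeKubeconfigs(ctx context.Context, client coreclientv1.CoreV1Interf
 		return fmt.Errorf("system:admin client private key missing from secret %s/node-system-admin-client", operatorclient.OperatorNamespace)
 	}
 
+	// Ensure secret key matches the certificate
+	_, err = tls.X509KeyPair(systemAdminClientCert, systemAdminClientKey)
+	if err != nil {
+		return fmt.Errorf("system:admin client private key doesn't match the certificate from secret %s/node-system-admin-client", operatorclient.OperatorNamespace)
+	}
+	// extract not-before/not-after timestamps valid x509 certificate
+	var block *pem.Block
+	block, _ = pem.Decode(systemAdminClientCert)
+	if block == nil || block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+		return fmt.Errorf("invalid first block found for certificate from secret %s/node-system-admin-client", operatorclient.OperatorNamespace)
+	}
+	parsedCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse the certificate from secret %s/node-system-admin-client", operatorclient.OperatorNamespace)
+	}
+
 	servingCABundleCM, err := configmapLister.ConfigMaps(operatorclient.TargetNamespace).Get("kube-apiserver-server-ca")
 	if err != nil {
 		return err
@@ -152,6 +172,8 @@ func ensureNodeKubeconfigs(ctx context.Context, client coreclientv1.CoreV1Interf
 		requiredSecret.Annotations = map[string]string{}
 	}
 	requiredSecret.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
+	requiredSecret.Annotations[certrotation.CertificateNotBeforeAnnotation] = parsedCert.NotBefore.Format(time.RFC3339)
+	requiredSecret.Annotations[certrotation.CertificateNotAfterAnnotation] = parsedCert.NotAfter.Format(time.RFC3339)
 
 	_, _, err = resourceapply.ApplySecret(ctx, client, recorder, requiredSecret)
 	if err != nil {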
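Review bot: The new checks at new-side lines 120–123 and 130–133 drop the underlying error from `tls.X509KeyPair` and `x509.ParseCertificate`, so whoever debugs a key/cert mismatch or a malformed certificate in the node-system-admin-client secret sees only the generic message; wrap it instead, e.g. `return fmt.Errorf("system:admin client private key doesn't match the certificate from secret %s/node-system-admin-client: %w", operatorclient.OperatorNamespace, err)`, and likewise for the parse failure. The `pem.Decode` at 125–126 re-parses the first CERTIFICATE block that `X509KeyPair` has just accepted, which is sound but redundant, and the `var block *pem.Block` / `block, _ =` two-step can be a single `block, _ := pem.Decode(systemAdminClientCert)`; if the module's Go version populates `Certificate.Leaf` from `X509KeyPair` (Go 1.23 and later), the second decode could be dropped entirely — worth confirming against go.mod. The comment at 124 reads `// extract not-before/not-after timestamps valid x509 certificate`; suggest `// extract not-before/not-after timestamps from the validated x509 certificate`. ensureNodeKubeconfigs begins before and ends after the shown hunks.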
