@@ -3,6 +3,7 @@ package csr
33import (
44 "context"
55 "crypto/tls"
6+ "crypto/x509"
67 "crypto/x509/pkix"
78 "fmt"
89 "math/rand"
@@ -166,7 +167,7 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
166167
167168 // reconcile pending csr if exists
168169 if len (c .csrName ) > 0 {
169- newSecretConfig , err := c .syncCSR (secret )
170+ newSecretConfig , leaf , err := c .syncCSR (secret )
170171 if err != nil {
171172 c .reset ()
172173 return err
@@ -179,6 +180,12 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
179180 newSecretConfig [k ] = v
180181 }
181182 secret .Data = newSecretConfig
183+
184+ // Update not-before/not-after annotations
185+ c .AdditionalAnnotations .NotBefore = leaf .NotBefore .Format (time .RFC3339 )
186+ c .AdditionalAnnotations .NotAfter = leaf .NotAfter .Format (time .RFC3339 )
187+ _ = c .AdditionalAnnotations .EnsureTLSMetadataUpdate (& secret .ObjectMeta )
188+
182189 // save the changes into secret
183190 if err := c .saveSecret (secret ); err != nil {
184191 return err
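Review bot: The error from `_ = c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta)` is discarded without a justifying comment, so a failure to stamp the not-before/not-after metadata on the secret is lost while the secret is still saved on the next lines. Either propagate it like the surrounding calls, `if err := c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta); err != nil { return err }`, or keep the discard and state the intent: `// best-effort: a metadata annotation failure must not block saving the issued certificate`. Two lines earlier `leaf.NotBefore` is dereferenced with no nil check; that is safe only if the lines between this hunk and the previous one, which are outside the view, return when syncCSR yields nil data, as it does for an unapproved or not-yet-issued CSR. The enclosing sync method starts and ends outside the hunk.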
@@ -231,10 +238,10 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
231238 return nil
232239}
233240
234- func (c * clientCertificateController ) syncCSR (secret * corev1.Secret ) (map [string ][]byte , error ) {
241+ func (c * clientCertificateController ) syncCSR (secret * corev1.Secret ) (map [string ][]byte , * x509. Certificate , error ) {
235242 // skip if there is no ongoing csr
236243 if len (c .csrName ) == 0 {
237- return nil , fmt .Errorf ("no ongoing csr" )
244+ return nil , nil , fmt .Errorf ("no ongoing csr" )
238245 }
239246
240247 // skip if csr no longer exists
@@ -244,38 +251,44 @@ func (c *clientCertificateController) syncCSR(secret *corev1.Secret) (map[string
244251 // fallback to fetching csr from hub apiserver in case it is not cached by informer yet
245252 csr , err = c .hubCSRClient .Get (context .Background (), c .csrName , metav1.GetOptions {})
246253 if errors .IsNotFound (err ) {
247- return nil , fmt .Errorf ("unable to get csr %q. It might have already been deleted." , c .csrName )
254+ return nil , nil , fmt .Errorf ("unable to get csr %q. It might have already been deleted." , c .csrName )
248255 }
249256 case err != nil :
250- return nil , err
257+ return nil , nil , err
251258 }
252259
253260 // skip if csr is not approved yet
254261 if ! isCSRApproved (csr ) {
255- return nil , nil
262+ return nil , nil , nil
256263 }
257264
258265 // skip if csr has no certificate in its status yet
259266 if len (csr .Status .Certificate ) == 0 {
260- return nil , nil
267+ return nil , nil , nil
261268 }
262269
263270 klog .V (4 ).Infof ("Sync csr %v" , c .csrName )
264271 // check if cert in csr status matches with the corresponding private key
265272 if c .keyData == nil {
266- return nil , fmt .Errorf ("No private key found for certificate in csr: %s" , c .csrName )
273+ return nil , nil , fmt .Errorf ("No private key found for certificate in csr: %s" , c .csrName )
267274 }
268275 _ , err = tls .X509KeyPair (csr .Status .Certificate , c .keyData )
269276 if err != nil {
270- return nil , fmt .Errorf ("Private key does not match with the certificate in csr: %s" , c .csrName )
277+ return nil , nil , fmt .Errorf ("Private key does not match with the certificate in csr: %s" , c .csrName )
278+ }
279+ parsed , err := x509 .ParseCertificate (csr .Status .Certificate )
280+ if err != nil {
281+ return nil , nil , fmt .Errorf ("failed to parse the certificate in csr %s: %v" , c .csrName , err )
282+ }
283+ if parsed == nil {
284+ return nil , nil , fmt .Errorf ("Empty leaf certificate in csr: %s" , c .csrName )
271285 }
272286
273287 data := map [string ][]byte {
274288 TLSCertFile : csr .Status .Certificate ,
275289 TLSKeyFile : c .keyData ,
276290 }
277-
278- return data , nil
291+ return data , parsed , nil
279292}
280293
281294func (c * clientCertificateController ) createCSR (ctx context.Context ) (string , error ) {
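Review bot: The new `x509.ParseCertificate(csr.Status.Certificate)` is given the same bytes that `tls.X509KeyPair` accepted a few lines above, but X509KeyPair takes PEM-encoded data while ParseCertificate takes a single DER certificate, so both calls cannot succeed on the same input; if the CSR status carries PEM, as the existing X509KeyPair check implies, the parse fails and every approved CSR is rejected with "failed to parse the certificate". Decode the first PEM block and parse its bytes instead, which requires adding `"encoding/pem"` to the import block. The following `if parsed == nil` branch is unreachable, since ParseCertificate returns a non-nil certificate whenever its error is nil, and can be dropped. The head of syncCSR is in the previous hunk.

```go
	block, _ := pem.Decode(csr.Status.Certificate)
	if block == nil {
		return nil, nil, fmt.Errorf("no PEM certificate block found in csr: %s", c.csrName)
	}
	parsed, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to parse the certificate in csr %s: %v", c.csrName, err)
	}
	// … unchanged: build the data map and return data, parsed, nil …
```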