// Copyright (c) 2021 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package controller
import (
"context"
landscaperutils "github.com/gardener/gardener/landscaper/common/utils"
"github.com/gardener/gardener/landscaper/pkg/controlplane/apis/imports/validation"
"k8s.io/apimachinery/pkg/util/validation/field"
)
const (
	// certificateRotationThresholdPercentage is the fraction of an x509 certificate's validity
	// period after which the certificate is considered due for rotation. A value of 0.8 means
	// a certificate is rotated once 80% of its lifetime has elapsed.
	certificateRotationThresholdPercentage = 0.8
)
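// CheckForExpiringCertificates checks the CA & TLS certificates in the import configuration for expiration.
// Does not check etcd certificates as the lifecycle of those certificates is not controlled by this component.
// Deletes (and thus regenerates in a later step) dependent TLS certificates of expiring certificates.
// Please note, this checks the validity of certificates independent of their origin
//   - detected from an existing installation
//   - supplied by secret reference
//   - supplied by import file
//
// This means that also secret references are updated with the rotated certificates!
//
// A certificate counts as expiring once landscaperutils.CertificateNeedsRenewal reports that
// certificateRotationThresholdPercentage of its validity has been used up. For each expiring
// certificate the PEM in o.imports is cleared (set to nil) and the corresponding Rotated flag in
// o.exports is set, so that the regeneration step knows which certificates to reissue and export.
// Nothing is read from or written to the cluster here; ctx is accepted for symmetry with the
// other flow steps and is currently unused.
//
// Returns the first certificate parsing error. Because the checks mutate o.imports and o.exports
// as they go, a non-nil error may leave earlier rotations already recorded.
func (o *operation) CheckForExpiringCertificates(ctx context.Context) error {
	// Percentage form of the threshold for log messages (0.8 -> 80). This is an untyped constant
	// expression, so the multiplication is exact. Logged with %.0f%%: the previous %d verb applied
	// to a float produced a garbled "%!d(float64=0.8)" and a bare "% o" consumed a missing argument.
	const thresholdPercent = certificateRotationThresholdPercentage * 100

	// Gardener API Server CA
	if o.imports.GardenerAPIServer.ComponentConfiguration.CA != nil && o.imports.GardenerAPIServer.ComponentConfiguration.CA.Crt != nil {
		cert, err := landscaperutils.ParseX509Certificate(*o.imports.GardenerAPIServer.ComponentConfiguration.CA.Crt)
		if err != nil {
			return err
		}
		if landscaperutils.CertificateNeedsRenewal(cert, certificateRotationThresholdPercentage) {
			// A rotated CA invalidates every serving certificate it signed, so the API server's
			// own TLS certificate has to be regenerated as well.
			o.imports.GardenerAPIServer.ComponentConfiguration.TLS.Crt = nil
			o.exports.GardenerAPIServerTLSServing.Rotated = true
			o.log.Infof("Gardener API server TLS certificate needs to be regenerated. Reason: Gardener API Server CA certificate will be rotated")

			// The GCM's serving certificate is only affected if it was actually signed by this CA,
			// which is what the validation below establishes. A non-empty error list here means
			// "not signed by this CA" and is intentionally not surfaced: the GCM certificate is then
			// left untouched and checked for its own expiry further below.
			if o.imports.GardenerControllerManager.ComponentConfiguration != nil && o.imports.GardenerControllerManager.ComponentConfiguration.TLS != nil && o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt != nil {
				if errs := validation.ValidateTLSServingCertificateAgainstCA(*o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt, *o.imports.GardenerAPIServer.ComponentConfiguration.CA.Crt, field.NewPath("")); len(errs) == 0 {
					o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt = nil
					o.exports.GardenerControllerManagerTLSServing.Rotated = true
					o.log.Infof("Gardener Controller Manager TLS certificate needs to be regenerated. Reason: Gardener API Server CA certificate will be rotated")
				}
			}

			// Clear the CA itself last: the GCM validation above still needs it.
			o.imports.GardenerAPIServer.ComponentConfiguration.CA.Crt = nil
			o.exports.GardenerAPIServerCA.Rotated = true
			o.log.Infof("Gardener API server CA certificate needs to be regenerated. Reason: %.0f%% of certificate's lifetime exceeded", thresholdPercent)
		}
	}

	// Gardener Admission Controller CA
	if o.imports.GardenerAdmissionController.Enabled && o.imports.GardenerAdmissionController.ComponentConfiguration != nil && o.imports.GardenerAdmissionController.ComponentConfiguration.CA != nil && o.imports.GardenerAdmissionController.ComponentConfiguration.CA.Crt != nil {
		cert, err := landscaperutils.ParseX509Certificate(*o.imports.GardenerAdmissionController.ComponentConfiguration.CA.Crt)
		if err != nil {
			return err
		}
		if landscaperutils.CertificateNeedsRenewal(cert, certificateRotationThresholdPercentage) {
			o.imports.GardenerAdmissionController.ComponentConfiguration.CA.Crt = nil
			o.exports.GardenerAdmissionControllerCA.Rotated = true
			o.log.Infof("Gardener Admission Controller CA certificate needs to be regenerated. Reason: %.0f%% of certificate's lifetime exceeded", thresholdPercent)

			// The admission controller's serving certificate is treated as dependent on this CA and
			// is regenerated together with it (no signature check as in the GCM case above).
			// NOTE(review): TLS is dereferenced here without a nil check, unlike the GCM's TLS field;
			// confirm the admission controller's TLS field cannot be nil when its CA is set.
			o.imports.GardenerAdmissionController.ComponentConfiguration.TLS.Crt = nil
			o.exports.GardenerAdmissionControllerTLSServing.Rotated = true
			o.log.Infof("Gardener Admission Controller TLS certificate needs to be regenerated. Reason: Gardener Admission Controller CA certificate will be rotated")
		}
	}

	// Check the validity of the TLS serving certificates themselves. Certificates already cleared
	// above because their CA rotates are nil at this point and are therefore skipped.
	if o.imports.GardenerAPIServer.ComponentConfiguration.TLS.Crt != nil {
		cert, err := landscaperutils.ParseX509Certificate(*o.imports.GardenerAPIServer.ComponentConfiguration.TLS.Crt)
		if err != nil {
			return err
		}
		if landscaperutils.CertificateNeedsRenewal(cert, certificateRotationThresholdPercentage) {
			o.imports.GardenerAPIServer.ComponentConfiguration.TLS.Crt = nil
			o.exports.GardenerAPIServerTLSServing.Rotated = true
			o.log.Infof("Gardener API Server TLS certificate needs to be regenerated. Reason: %.0f%% of certificate's lifetime exceeded", thresholdPercent)
		}
	}

	// The GCM configuration and its TLS section are optional (see the guards in the API server CA
	// block), so they are nil-checked here too instead of being dereferenced unconditionally.
	if o.imports.GardenerControllerManager.ComponentConfiguration != nil && o.imports.GardenerControllerManager.ComponentConfiguration.TLS != nil && o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt != nil {
		cert, err := landscaperutils.ParseX509Certificate(*o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt)
		if err != nil {
			return err
		}
		if landscaperutils.CertificateNeedsRenewal(cert, certificateRotationThresholdPercentage) {
			o.imports.GardenerControllerManager.ComponentConfiguration.TLS.Crt = nil
			o.exports.GardenerControllerManagerTLSServing.Rotated = true
			o.log.Infof("Gardener Controller Manager TLS certificate needs to be regenerated. Reason: %.0f%% of certificate's lifetime exceeded", thresholdPercent)
		}
	}

	// The admission controller configuration is optional as well (see its CA block); without it
	// there is nothing to check.
	if o.imports.GardenerAdmissionController.Enabled && o.imports.GardenerAdmissionController.ComponentConfiguration != nil && o.imports.GardenerAdmissionController.ComponentConfiguration.TLS.Crt != nil {
		cert, err := landscaperutils.ParseX509Certificate(*o.imports.GardenerAdmissionController.ComponentConfiguration.TLS.Crt)
		if err != nil {
			return err
		}
		if landscaperutils.CertificateNeedsRenewal(cert, certificateRotationThresholdPercentage) {
			o.imports.GardenerAdmissionController.ComponentConfiguration.TLS.Crt = nil
			o.exports.GardenerAdmissionControllerTLSServing.Rotated = true
			o.log.Infof("Gardener Admission Controller TLS certificate needs to be regenerated. Reason: %.0f%% of certificate's lifetime exceeded", thresholdPercent)
		}
	}

	return nil
}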