From 2ba540ab08136d7e8f2a5ff7990308eadc0910c8 Mon Sep 17 00:00:00 2001
From: Alex Stundzia
Date: Fri, 2 Feb 2024 21:56:03 -0600
Subject: [PATCH] Validate only the first cert entry in kubeadm
---
 .../app/phases/kubeconfig/kubeconfig.go | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
index 53d543310b1ef..436796152040b 100644
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@@ -264,8 +264,26 @@ func validateKubeConfig(outDir, filename string, config *clientcmdapi.Config) er
 	}
 	caExpected := bytes.TrimSpace(config.Clusters[expectedCluster].CertificateAuthorityData)
-	// If the current CA cert on disk doesn't match the expected CA cert, error out because we have a file, but it's stale
-	if !bytes.Equal(caCurrent, caExpected) {
+	// Parse the current certificate authority data
+	currentCaCerts, err := certutil.ParseCertsPEM(caCurrent)
+	if err != nil {
+		return errors.Errorf("the kubeconfig file %q contains an invalid ca cert", kubeConfigFilePath)
+	}
+	// only fetch the first certificate in the cacert
+	currentCaCert := currentCaCerts[0]
+
+	// Parse the expected certificate authority data
+	expectedCaCerts, err := certutil.ParseCertsPEM(caExpected)
+	if err != nil {
+		return errors.Errorf("the expected base64 encoded ca cert %q could not be parsed as a pem", caExpected)
+	}
+
+	// only fetch the first certificate in the cacert. When this is read from file, only the first entry is considered
+	expectedCaCert := expectedCaCerts[0]
+
+	// Compare the current CA cert to the expected CA cert (which is only 1 entry).
+	// If the contents of this certificate do not match then the file is stale.
+	if !bytes.Equal(currentCaCert.Raw, expectedCaCert.Raw) {
 		return errors.Errorf("a kubeconfig file %q exists already but has got the wrong CA cert", kubeConfigFilePath)
 	}
 	// If the current API Server location on disk doesn't match the expected API server, show a warning
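Review bot: Both new `certutil.ParseCertsPEM` failure branches discard the underlying `err`, and the second one interpolates the whole expected CA bundle into the message, so a malformed `CertificateAuthorityData` yields a multi-kilobyte error that still does not say why parsing failed; if `errors` here is github.com/pkg/errors as elsewhere in kubeadm, `return errors.Wrapf(err, "the kubeconfig file %q contains an invalid ca cert", kubeConfigFilePath)` and `return errors.Wrap(err, "the expected certificate authority data could not be parsed as PEM")` keep the cause and drop the dump. That message also calls the data "base64 encoded", but the in-memory `CertificateAuthorityData` is the PEM bytes (base64 only applies in the serialized kubeconfig), so `%q` prints PEM text, not base64. The unguarded `currentCaCerts[0]` / `expectedCaCerts[0]` rely on `ParseCertsPEM` returning an error whenever it finds no certificate, which is how `k8s.io/client-go/util/cert` behaves as far as I know, but the hunk does not show which certutil is imported, so a `if len(currentCaCerts) == 0 { ... }` guard would keep that invariant local rather than a panic risk. Since only the first entry is compared, a bundle that differs only in trailing (for example rotated) CA entries is now treated as matching; that is the stated intent, but the comment above the `bytes.Equal` check should say so explicitly, e.g. `// Only the first certificate is compared: trailing bundle entries (e.g. a rotated CA) are deliberately ignored.` validateKubeConfig's body continues outside the hunk on both sides.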