
Merge pull request #106923 from neolit123/automated-cherry-pick-of-#1…
…06891-origin-release-1.20

Automated cherry pick of #106891: kubeadm: validate local etcd certificates during
k8s-ci-robot committed Dec 10, 2021
2 parents 05b7435 + 21ddedb commit 8cc1b33
Showing 2 changed files with 38 additions and 1 deletion.
32 changes: 32 additions & 0 deletions cmd/kubeadm/app/phases/certs/certs.go
Expand Up @@ -371,6 +371,38 @@ func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, erro
return true, nil
}

// UsingExternalEtcdCA determines whether the user is relying on an external etcd CA. We currently implicitly determine this is the case
// when the etcd CA Cert is present but the etcd CA Key is not.
// In case we are using an external etcd CA, the function validates the certificates signed by etcd CA that should be provided by the user.
func UsingExternalEtcdCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error) {
if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, "", "etcd CA"}); err != nil {
return false, err
}

path := filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCAKeyName)
if _, err := os.Stat(path); !os.IsNotExist(err) {
return false, nil
}

if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName, "apiserver etcd client"}); err != nil {
return true, err
}

if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, kubeadmconstants.EtcdServerCertAndKeyBaseName, "etcd server"}); err != nil {
return true, err
}

if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, kubeadmconstants.EtcdPeerCertAndKeyBaseName, "etcd peer"}); err != nil {
return true, err
}

if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName, kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName, "etcd health-check client"}); err != nil {
return true, err
}

return true, nil
}

// validateCACert tries to load a x509 certificate from pkiDir and validates that it is a CA
func validateCACert(l certKeyLocation) error {
// Check CA Cert
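Review bot: The `os.Stat` check in UsingExternalEtcdCA treats every error other than not-exist as "key present", so a permission or I/O failure on the etcd CA key file is reported as a locally managed CA with a nil error, and the user-provided signed certificates are then never validated; only a confirmed absence should select the external-CA path. Separate the two outcomes, e.g. `if _, err := os.Stat(path); err == nil { return false, nil } else if !os.IsNotExist(err) { return false, err }`, wrapping the error with whatever helper the file already imports. UsingExternalCA and UsingExternalFrontProxyCA above the hunk appear to follow the same shape (only the tail of the latter is visible), so if they share this idiom they would benefit from the same change. A one-line comment above the stat, `// only a definitely missing CA key means the etcd CA is external; any other stat failure is surfaced`, would document the intended distinction. validateCACert continues outside the hunk.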
7 changes: 6 additions & 1 deletion cmd/kubeadm/app/phases/certs/renewal/manager.go
Expand Up @@ -164,6 +164,7 @@ func NewManager(cfg *kubeadmapi.ClusterConfiguration, kubernetesDir string) (*Ma
LongName: kubeConfig.longName,
FileName: kubeConfig.fileName,
CABaseName: kubeadmconstants.CACertAndKeyBaseName, // all certificates in kubeConfig files are signed by the Kubernetes CA
CAName: kubeadmconstants.CACertAndKeyBaseName,
readwriter: kubeConfigReadWriter,
}
}
Expand Down Expand Up @@ -372,7 +373,11 @@ func (rm *Manager) IsExternallyManaged(caBaseName string) (bool, error) {
}
return externallyManaged, nil
case kubeadmconstants.EtcdCACertAndKeyBaseName:
return false, nil
externallyManaged, err := certsphase.UsingExternalEtcdCA(rm.cfg)
if err != nil {
return false, errors.Wrapf(err, "Error checking external CA condition for %s certificate authority", caBaseName)
}
return externallyManaged, nil
default:
return false, errors.Errorf("unknown certificate authority %s", caBaseName)
}
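Review bot: The new error string in the EtcdCACertAndKeyBaseName case of IsExternallyManaged, `"Error checking external CA condition for %s certificate authority"`, opens with a capitalised "Error", which Go error strings avoid because the text ends up embedded in a longer chain; `"checking external CA condition for %s certificate authority"` reads cleanly after Wrapf. The case directly above (partly outside the hunk) likely uses the same wording, so if it does, change both together to keep the branches in parity. The boolean that UsingExternalEtcdCA returns alongside a non-nil error is deliberately dropped here, which is correct, but a short comment such as `// an error here means the local etcd PKI could not be validated, regardless of the bool` would make that intent explicit to the next reader. IsExternallyManaged starts and continues outside the hunk.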
