Revert "Revert "Reload existing CA from disk on restart (#499)" (#521)…

…" (#524) This reverts commit e209007.
openshift · Dec 22, 2021 · 6dc34b5 · 6dc34b5
1 parent c6758a8
commit 6dc34b5
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
@@ -21,7 +21,6 @@ import (
 	"github.com/openshift/microshift/pkg/config"
 	"github.com/openshift/microshift/pkg/controllers"
 	"github.com/openshift/microshift/pkg/util"
-
 	ctrl "k8s.io/kubernetes/pkg/controlplane"
 )
 
@@ -42,6 +41,10 @@ func initAll(cfg *config.MicroshiftConfig) error {
 	return nil
 }
 
+func loadCA(cfg *config.MicroshiftConfig) error {
+	return util.LoadRootCA(cfg.DataDir+"/certs/ca-bundle", "ca-bundle.crt", "ca-bundle.key")
+}
+
 func initCerts(cfg *config.MicroshiftConfig) error {
 	_, svcNet, err := net.ParseCIDR(cfg.Cluster.ServiceCIDR)
 	if err != nil {

diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
@@ -20,6 +20,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -64,6 +65,15 @@ func RunMicroshift(cfg *config.MicroshiftConfig, flags *pflag.FlagSet) error {
 	// TODO: change to only initialize what is strictly necessary for the selected role(s)
 	if _, err := os.Stat(filepath.Join(cfg.DataDir, "certs")); errors.Is(err, os.ErrNotExist) {
 		initAll(cfg)
+	} else {
+		err = loadCA(cfg)
+		if err != nil {
+			err := os.RemoveAll(filepath.Join(cfg.DataDir, "certs"))
+			if err != nil {
+				klog.ErrorS(err, "removing old certs directory")
+			}
+			util.Must(initAll(cfg))
+		}
 	}
 
 	m := servicemanager.NewServiceManager()

diff --git a/pkg/util/cert.go b/pkg/util/cert.go
@@ -36,6 +36,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"k8s.io/klog/v2"
 )
 
 var (
@@ -72,6 +73,36 @@ func GenCA(common string, svcName []string, duration time.Duration) (*rsa.Privat
 	return key, ca, err
 }
 
+func LoadRootCA(dir, certFilename, keyFilename string) error {
+
+	key, err := ioutil.ReadFile(filepath.Join(dir, keyFilename))
+	if err != nil {
+		return errors.Wrap(err, "error reading CA key")
+	}
+
+	if rootKey, err = PemToPrivateKey(key); err != nil {
+		return errors.Wrap(err, "parsing CA key from PEM")
+	}
+
+	certPath := filepath.Join(dir, certFilename)
+	cert, err := ioutil.ReadFile(certPath)
+	if err != nil {
+		return errors.Wrap(err, "reading CA certificate")
+	}
+
+	if rootCA, err = PemToCertificate(cert); err != nil {
+		return errors.Wrap(err, "parsing CA certificate")
+	}
+
+	now := time.Now()
+
+	if now.After(rootCA.NotAfter) {
+		klog.ErrorS(nil, "CA has expired: current time %s is after %s", now.Format(time.RFC3339), rootCA.NotAfter.Format(time.RFC3339))
+	}
+
+	return nil
+}
+
 func StoreRootCA(common, dir, certFilename, keyFilename string, svcName []string) error {
 	if rootCA == nil || rootKey == nil {
 		var err error
@@ -186,6 +217,15 @@ func (cfg *CertCfg) GenerateSelfSignedCertificate() (*rsa.PrivateKey, *x509.Cert
 
 // GenerateSignedCertificate generate a key and cert defined by CertCfg and signed by CA.
 func (cfg *CertCfg) GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate) (*rsa.PrivateKey, *x509.Certificate, error) {
+
+	if caCert == nil {
+		return nil, nil, errors.New("Unable to GenerateSignedCertificate with (nil) caCert")
+	}
+
+	if caKey == nil {
+		return nil, nil, errors.New("Unable to GenerateSignedCertificate with (nil) caKey")
+	}
+
 	// create a private key
 	key, err := PrivateKey()
 	if err != nil {