Merge pull request #15 from nebius/PLATFORMINFRA-218

PLATFORMINFRA-218: always recreate csr
nebius · Apr 5, 2024 · 921a235 · 921a235
2 parents 1a68a23 + d6049f9
commit 921a235
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/agent/registration/csr.go b/agent/registration/csr.go
@@ -16,6 +16,8 @@ import (
 
 	"github.com/go-logr/logr"
 	certv1 "k8s.io/api/certificates/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
@@ -118,9 +120,18 @@ func (bcsr *ByohCSR) RequestBYOHClientCert(hostname string) (string, types.UID,
 	}
 	certTimeToExpire := bcsr.expiryDuration
 	bcsr.logger.Info("certTimeToExpire", "duration", certTimeToExpire)
+
+	csrName := fmt.Sprintf(ByohCSRNameFormat, hostname)
+	err = bcsr.bootstrapClient.CertificatesV1().CertificateSigningRequests().Delete(
+		context.TODO(), csrName, metav1.DeleteOptions{})
+
+	if err != nil && !errors.IsNotFound(err) {
+		return "", "", err
+	}
+
 	reqName, reqUID, err := csr.RequestCertificate(bcsr.bootstrapClient,
 		csrData,
-		fmt.Sprintf(ByohCSRNameFormat, hostname),
+		csrName,
 		certv1.KubeAPIServerClientSignerName,
 		&certTimeToExpire,
 		[]certv1.KeyUsage{certv1.UsageClientAuth},

diff --git a/agent/registration/csr_test.go b/agent/registration/csr_test.go
@@ -149,7 +149,7 @@ kovW9X7Ook/tTW0HyX6D6HRciA==
 
 			Expect(os.Remove(registration.TmpPrivateKey)).ShouldNot(HaveOccurred())
 		})
-		It("should fail creating CSR if the private key got changed", func() {
+		It("should create CSR if the private key got changed", func() {
 			byohCSR, err := builder.CertificateSigningRequest(
 				fmt.Sprintf(registration.ByohCSRNameFormat, hostName),
 				fmt.Sprintf(registration.ByohCSRCNFormat, hostName),
@@ -160,8 +160,20 @@ kovW9X7Ook/tTW0HyX6D6HRciA==
 			CSRRegistrar, err := registration.NewByohCSR(cfg, klogr.New(), certExpiryDuration)
 			Expect(err).ShouldNot(HaveOccurred())
 			_, _, err = CSRRegistrar.RequestBYOHClientCert(hostName)
-			Expect(err).Should(HaveOccurred())
-			Expect(err.Error()).Should(ContainSubstring("retrieved csr is not compatible"))
+			Expect(err).NotTo(HaveOccurred())
+			ByohCSR, err := k8sClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, fmt.Sprintf(registration.ByohCSRNameFormat, hostName), metav1.GetOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+			// Validate k8s CSR resource
+			Expect(ByohCSR.Spec.SignerName).Should(Equal(certv1.KubeAPIServerClientSignerName))
+			Expect(ByohCSR.Spec.Usages).Should(Equal([]certv1.KeyUsage{certv1.UsageClientAuth}))
+			Expect(*ByohCSR.Spec.ExpirationSeconds).Should(Equal(int32((time.Hour * 24).Seconds())))
+			// Validate Certificate Request
+			pemData, _ := pem.Decode(ByohCSR.Spec.Request)
+			Expect(pemData).ToNot(Equal(nil))
+			csr, err := x509.ParseCertificateRequest(pemData.Bytes)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(csr.Subject.CommonName).To(Equal(fmt.Sprintf(registration.ByohCSRCNFormat, hostName)))
+			Expect(csr.Subject.Organization[0]).To(Equal("byoh:hosts"))
 
 			Expect(os.Remove(registration.TmpPrivateKey)).ShouldNot(HaveOccurred())
 		})

diff --git a/test/e2e/BYOHDockerFile b/test/e2e/BYOHDockerFile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=ubuntu:20.04
+ARG BASE_IMAGE=ubuntu:22.04
 FROM $BASE_IMAGE as build
 ARG TARGETARCH