
Fix renewal logic (#6)
Signed-off-by: Sam Shen <[email protected]>
slshen authored Jun 27, 2020
1 parent bc981e4 commit db1f2bd
Showing 5 changed files with 34 additions and 18 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -27,6 +27,13 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- name: Caching go modules
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Installing golangci-lint
run: wget -O - -q https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s v1.23.8
- run: ./hack/build.sh
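Review bot: `uses: actions/cache@v1` in the new cache step references a mutable tag; for a job that runs the build script and whatever follows it, pin the action to a full commit SHA (`uses: actions/cache@<40-char sha> # v1`) so a retagged release cannot change what executes here. Because the go command trusts modules already extracted into `~/go/pkg/mod`, a restored cache is not re-checked against go.sum; a `run: go mod verify` step after the cache step is a cheap way to confirm the restored contents still match what was downloaded. The same pinning concern applies to the unchanged context line that pipes `install.sh` from golangci-lint's `master` branch into `sh`, though that line is not part of this change.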
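--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.vscode/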
1 change: 0 additions & 1 deletion cert.go
Expand Up @@ -30,7 +30,6 @@ import (
type CertificateKeyPair struct {
CertPem []byte
KeyPem []byte
Source interface{}
parsedCertifcate *x509.Certificate
}

10 changes: 10 additions & 0 deletions cert_test.go
Expand Up @@ -46,3 +46,13 @@ func TestGenerateCerts(t *testing.T) {
t.Error("could not get CA cert pem")
}
}

func TestRenewal(t *testing.T) {
cackp, err := GenerateCert("Test Inc", nil, nil, time.Minute)
if err != nil {
t.Error(err)
}
if cackp.IsValid(2 * time.Minute) {
t.Error("certificate should require renewal")
}
}
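Review bot: `t.Error(err)` after `GenerateCert` lets TestRenewal continue into `cackp.IsValid(2 * time.Minute)` with what is presumably a nil `cackp`, so a generation failure would surface as a nil-pointer panic rather than the real error; use `t.Fatal(err)` there. The test also pins only the negative side of the renewal threshold; adding `if !cackp.IsValid(30 * time.Second) { t.Error("certificate should still be valid") }` would catch the inverted-condition bug this commit fixes in ktls.go regressing in the other direction, assuming IsValid compares remaining lifetime as the 2-minute case suggests. GenerateCert's return value on error is not visible here, so the nil assumption is inferred.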
33 changes: 16 additions & 17 deletions ktls.go
Expand Up @@ -60,8 +60,6 @@ type TLSSecret struct {
kubeClientError error
}

const renewalDenomintor = 5

func (t *TLSSecret) logf(format string, values ...interface{}) {
if t.Log != nil {
t.Log(format, values...)
Expand Down Expand Up @@ -145,7 +143,7 @@ func (t *TLSSecret) getSecret(name string) (*corev1.Secret, error) {
}

func (t *TLSSecret) GetCertificateKeyPair() (*CertificateKeyPair, error) {
ckp, err := t.getSecretCertificate(t.Name, t.getCertDuration()/renewalDenomintor)
ckp, _, err := t.getSecretCertificate(t.Name, 10*time.Minute)
if err != nil {
return nil, err
}
Expand All @@ -165,23 +163,22 @@ func (t *TLSSecret) GetCertificateKeyPair() (*CertificateKeyPair, error) {
return ckp, nil
}

func (t *TLSSecret) getSecretCertificate(name string, d time.Duration) (*CertificateKeyPair, error) {
func (t *TLSSecret) getSecretCertificate(name string, d time.Duration) (*CertificateKeyPair, *corev1.Secret, error) {
secret, err := t.getSecret(name)
if err != nil {
return nil, err
return nil, nil, err
}
if secret != nil && secret.Data != nil {
ckp := &CertificateKeyPair{
KeyPem: getSecretData(secret, corev1.TLSPrivateKeyKey),
CertPem: getSecretData(secret, corev1.TLSCertKey),
Source: secret,
}
if ckp.IsValid(d) {
t.logf("Using TLS secret from %s/%s", t.GetNamespace(), t.Name)
return ckp, nil
t.logf("Using TLS secret from %s/%s valid for at least %s", t.GetNamespace(), name, d)
return ckp, secret, nil
}
}
return nil, nil
return nil, secret, nil
}

func (t *TLSSecret) getCertDuration() time.Duration {
Expand All @@ -208,11 +205,17 @@ func (t *TLSSecret) generateCert() (*CertificateKeyPair, error) {
}
var caCert *CertificateKeyPair
var cert *CertificateKeyPair
caCert, err = t.getSecretCertificate(caName, t.getCACertDuration()/renewalDenomintor)
caCert, _, err = t.getSecretCertificate(caName, time.Hour)
caDuration := t.getCACertDuration()
if caDuration < 8*time.Hour {
return nil, fmt.Errorf("CA duration must be at least 8 hours")
}
certDuration := t.getCertDuration()
if certDuration < 30*time.Minute {
return nil, fmt.Errorf("cert duration must be at least 30 minutes")
}
if err == nil {
if caCert == nil || caCert.IsValid(caDuration/renewalDenomintor) {
if caCert == nil || !caCert.IsValid(time.Hour) {
t.logf("Generating new CA certificate %s/%s", t.GetNamespace(), caName)
caCert, err = GenerateCert(caName, nil, nil, caDuration)
if err == nil {
Expand All @@ -235,19 +238,15 @@ func (t *TLSSecret) generateCert() (*CertificateKeyPair, error) {

func (t *TLSSecret) persistCert(ckp *CertificateKeyPair, name string) error {
err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
c, err := t.getSecretCertificate(name, time.Minute)
c, secret, err := t.getSecretCertificate(name, time.Minute)
if err != nil {
return err
}
if c.IsValid(time.Minute) {
if c != nil {
t.logf("Updated certificate is now valid")
ckp.CopyFrom(c)
return nil
}
var secret *corev1.Secret
if c != nil {
secret = c.Source.(*corev1.Secret)
}
secretData := map[string][]byte{
corev1.TLSCertKey: ckp.CertPem,
corev1.TLSPrivateKeyKey: ckp.KeyPem,
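Review bot: In persistCert, `c, secret, err := t.getSecretCertificate(name, time.Minute)` followed by `if c != nil { ... ckp.CopyFrom(c); return nil }` adopts any stored cert that is still valid for one minute and discards the freshly generated `ckp` without writing it, while GetCertificateKeyPair decides to renew at `10*time.Minute` and the CA path at `time.Hour`. If the collapsed part of GetCertificateKeyPair calls generateCert/persistCert when that 10-minute check fails, a cert with between one and ten minutes left is regenerated on every call but never persisted, so the early-renewal window effectively collapses to the last minute of the old cert. The threshold should be the caller's: `func (t *TLSSecret) persistCert(ckp *CertificateKeyPair, name string, renewBefore time.Duration) error` with `c, secret, err := t.getSecretCertificate(name, renewBefore)`, and callers passing `10*time.Minute` and `time.Hour` respectively. Both persistCert's body and its callers continue outside the hunks shown. Separately, a CA rotation triggered by `!caCert.IsValid(time.Hour)` leaves previously issued leaf certs time-valid but no longer chained to the stored CA, so it is worth confirming whether IsValid (not shown) checks only lifetime.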
