From c751f1de588cc81aa31b9f2e77903b4b448b04f9 Mon Sep 17 00:00:00 2001 From: shuting Date: Sat, 26 Aug 2023 00:15:14 +0800 Subject: [PATCH] fix: renew tls cert when ca cert is deleted (#8114) Signed-off-by: ShutingZhao --- pkg/tls/renewer.go | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go index 937a5e646a..40b07f2745 100644 --- a/pkg/tls/renewer.go +++ b/pkg/tls/renewer.go @@ -8,6 +8,7 @@ import ( "time" "github.com/kyverno/kyverno/api/kyverno" + "github.com/kyverno/kyverno/pkg/config" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -123,7 +124,21 @@ func (c *certRenewer) RenewCA(ctx context.Context) error { logger.Error(err, "failed to write CA") return err } + logger.Info("CA was renewed") + valid, err := c.ValidateCert(ctx) + if err != nil { + logger.Error(err, "failed to validate certs") + return err + } + if !valid { + logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(), "TLS certificate", config.GenerateTLSPairSecretName()) + if err := c.RenewTLS(ctx); err != nil { + logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName()) + return err + } + } + return nil } @@ -140,10 +155,16 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error { return err } now := time.Now() - if cert != nil && !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { - logger.V(4).Info("TLS certificate does not need to be renewed") - return nil + if cert != nil { + valid, err := c.ValidateCert(ctx) + if err != nil || !valid { + logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(), "error", err.Error()) + } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { + logger.V(4).Info("TLS certificate does not need to be renewed") + return nil + } } + if !isSecretManagedByKyverno(secret) { err := fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them") logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")