From d562c08657175cca778f4bf8dac75335d0ce61b3 Mon Sep 17 00:00:00 2001
From: Sheldon Hull
Date: Fri, 9 Aug 2024 18:59:01 -0500
Subject: [PATCH] refactor(charts/injector): improve self-signed certificate expiration detection and recreation logic

---
 charts/dsv-injector/templates/NOTES.txt | 16 +++++++++++-
 charts/dsv-injector/templates/webhook.yaml | 2 +-
 cmd/injector/main.go | 29 +++++++++++++++++++++++++++-
 go.mod | 2 --
 4 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/charts/dsv-injector/templates/NOTES.txt b/charts/dsv-injector/templates/NOTES.txt
index e0d74dc..73cca24 100644
--- a/charts/dsv-injector/templates/NOTES.txt
+++ b/charts/dsv-injector/templates/NOTES.txt
@@ -23,4 +23,18 @@
 ⚙️ ConfigMap created: {{ include "dsv.fullname" . }}-configmap
 {{ else }}
 ➖ no configmap detected, defaults used for logging level and any other configmap values
-{{ end }}
\ No newline at end of file
+{{ end }}
+
+
+{{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
+{{- $needsRecreate := false -}}
+{{- if $tlsSecret }}
+ {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
+ {{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
+ {{- $needsRecreate = true -}}
+ ❗❗❗ Cert expiration shows expiring within threshold: [$recreateSelfSignedCertThreshold] days, so will be recreated.
+ {{- else -}}
+ ✔️ Cert shows expiration greater than threshold of [$recreateSelfSignedCertThreshold].
+ {{- end -}}
+{{- end -}}
diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
index 1d0e30b..53407aa 100644
--- a/charts/dsv-injector/templates/webhook.yaml
+++ b/charts/dsv-injector/templates/webhook.yaml
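Review bot: The expiry test on the `{{- if and $cert (lt (now | date "2006-01-02") (dateModify ...)) }}` line never consults the stored certificate: both operands of `lt` are derived from `now`, and `$cert` is the secret's (presumably PEM) body run through `fromYaml`, which is unlikely to yield any expiry field, so every existing secret lands in the ❗ branch — assuming the expression renders at all, since by my reading of sprig `dateModify` expects the duration string first and a time second, and `lt` between a string and a time errors. Helm has no built-in that extracts NotAfter from a PEM certificate as far as I know, so the robust option is to record the expiry when the chart generates the secret (an annotation holding the date) and compare `now` against that annotation here. Independently, `[$recreateSelfSignedCertThreshold]` in both messages sits outside `{{ }}` and prints literally; it should read `[{{ $recreateSelfSignedCertThreshold }}]`. Note also that `$needsRecreate` set in NOTES.txt cannot influence what webhook.yaml renders, so "will be recreated" is only ever a claim about the other template. The `{{ if }}` that the `{{ else }}` context line closes starts above the hunk.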
@@ -4,7 +4,7 @@
 {{- $needsRecreate := false -}}
 {{- if $tlsSecret }}
 {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
-{{- if and $cert (lt (now | date "2006-01-02" | dateAdd (mul $recreateSelfSignedCertThreshold 24h)) ($cert | date "2006-01-02")) }}
+{{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
 {{- $needsRecreate = true -}}
 {{- end -}}
 {{- end -}}
diff --git a/cmd/injector/main.go b/cmd/injector/main.go
index 02b7eca..f11daa9 100644
--- a/cmd/injector/main.go
+++ b/cmd/injector/main.go
@@ -2,7 +2,9 @@ package main
 import (
 "crypto/tls"
+ "crypto/x509"
 "encoding/json"
+ "encoding/pem"
 "fmt"
 "io"
 "net/http"
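Review bot: The rewritten condition drops the only reference to the certificate's own date — the removed line compared against `$cert | date "2006-01-02"` — and now compares `now` with `now` plus the threshold, so `$needsRecreate` depends solely on the clock and, if the expression renders, is true on every upgrade once the secret exists, regenerating the self-signed cert (and whatever caBundle is derived from it) each time. By my reading of sprig, `dateModify` also takes the duration string first and a `time.Time` second, whereas here it receives a formatted date string followed by a duration string, and `lt` between a string and a time fails rendering rather than silently passing. Since `$cert` is `fromYaml` over what is presumably a PEM body, there is no NotAfter to compare against in-template; persisting the expiry as a secret annotation when the cert is generated and testing `now` against `(dateModify (printf "-%dh" (mul $recreateSelfSignedCertThreshold 24)) <that annotation as a time>)` is the change I would make here. The surrounding template logic continues outside the hunk.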
@@ -96,12 +98,37 @@ func Run(args []string) error { //nolint:funlen,cyclop // ok for Run
 if cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile); err == nil {
 tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
 log.Info().Str("cert", cfg.CertFile).Str("key", cfg.KeyFile).Msg("LoadX509KeyPair")
+
+ // Parse the certificate to get the expiration date
+ certData, err := os.ReadFile(cfg.CertFile)
+ if err != nil {
+ log.Error().Err(err).Msg("unable to read certificate file")
+ return fmt.Errorf("unable to read certificate file: %w", err)
+ }
+ block, _ := pem.Decode(certData)
+ if block == nil {
+ log.Error().Msg("failed to parse certificate PEM")
+ return fmt.Errorf("failed to parse certificate PEM")
+ }
+ parsedCert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ log.Error().Err(err).Msg("failed to parse certificate")
+ return fmt.Errorf("failed to parse certificate: %w", err)
+ }
+
+ // Calculate the number of days until the certificate expires
+ daysUntilExpiry := int(time.Until(parsedCert.NotAfter).Hours() / 24)
+
+ log.Info().
+ Str("cert", cfg.CertFile).
+ Str("key", cfg.KeyFile).
+ Int("days_until_expiry", daysUntilExpiry).
+ Msg("LoadX509KeyPair")
 } else {
 log.Error().Err(err).Msgf("unable to load keypair for TLS: %s", err)
 return fmt.Errorf("unable to load keypair for TLS: %w", err)
 }
 log.Info().Msgf("success loading keypair for TLS: [public: '%s', private: '%s']", cfg.CertFile, cfg.KeyFile)
-
 server := http.Server{
 Addr: cfg.ServerAddress,
 TLSConfig: tlsConfig, // optional
diff --git a/go.mod b/go.mod
index 9a23df7..9dc2e46 100644
--- a/go.mod
+++ b/go.mod
@@ -2,8 +2,6 @@ module github.com/DelineaXPM/dsv-k8s/v2
 go 1.21
-toolchain go1.21.6
-
 require (
 github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
 github.com/bitfield/script v0.22.0
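Review bot: The new block re-reads and re-parses `cfg.CertFile` even though the keypair was loaded two lines earlier; `cert.Certificate[0]` already holds the DER leaf that `LoadX509KeyPair` installed into `tlsConfig`, so `parsedCert, err := x509.ParseCertificate(cert.Certificate[0])` replaces the `os.ReadFile`/`pem.Decode` steps, guarantees the expiry logged belongs to the certificate actually being served rather than whatever is on disk at the second read, and makes the new `encoding/pem` import unnecessary. `daysUntilExpiry` is then only reported at Info, and the original `Msg("LoadX509KeyPair")` line above is now emitted a second time with the extra field; I would drop the first log and raise the level when the value is negative, e.g. `if daysUntilExpiry < 0 { log.Warn().Int("days_until_expiry", daysUntilExpiry).Msg("serving certificate has already expired") }`, since the chart-side threshold check cannot see what the running process serves. `time` and `os` are referenced but this patch adds only `crypto/x509` and `encoding/pem`, so they must already be imported above — worth confirming. `Run` starts before and ends after this hunk.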