feature: renewal process implemented
developer-guy committed Oct 30, 2020
1 parent 6dd6bd9 commit 334050b
Showing 2 changed files with 41 additions and 4 deletions.
45 changes: 41 additions & 4 deletions cmd/root.go
Expand Up @@ -41,6 +41,8 @@ import (

var (
kubeconfig, namespace, secret, service string
days int
forceRenewal bool
csrNameTemplate0 = "${service}"
csrNameTemplate1 = "${service}.${namespace}"
csrNameTemplate2 = "${service}.${namespace}.svc"
Expand Down Expand Up @@ -128,12 +130,45 @@ Usage:
},
}

log.Println("Certificate signing request, status: Deleting")
err = certificateSigningRequestsClient.Delete(context.TODO(), csrNameWithServiceAndNamespace, metav1.DeleteOptions{})
log.Println("Certificate signing request, status: Retrieving")
csExistInCluster, err := certificateSigningRequestsClient.Get(context.TODO(), csrNameWithServiceAndNamespace, metav1.GetOptions{})
if err != nil {
log.Printf("Delete CertificateSigningRequest - error occurred, detail: %v, but ignored", err)
log.Printf("Get CertificateSigningRequest - error occurred, detail: %v, but ignored", err)
}

if csExistInCluster.Status.Certificate != nil {
log.Println("Certificate signing request, status: Retrieved")
certificateAlreadyCreated := csExistInCluster.Status.Certificate
block, _ := pem.Decode(certificateAlreadyCreated)
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
log.Fatalf("x509.ParseCertificate - error occurred, detail: %v", err)
}
log.Println("Certificate signing request, status: Checking NotAfter date")

validForDays := int(cert.NotAfter.Sub(time.Now()).Hours() / 24)
log.Printf("Certificate signing request - status: This certificate valid for %d days", validForDays)

expired := validForDays <= days
log.Printf("Certificate signing request - status: Renewal necessary %t", expired || forceRenewal)

log.Printf("Certificate signing request, status: Expired %t", expired)
log.Printf("Certificate signing request, status: Force renewal %t", forceRenewal)
if expired || forceRenewal {
log.Println("Certificate signing request, status: Renewal process started")
log.Println("Certificate signing request, status: Deleting")
err = certificateSigningRequestsClient.Delete(context.TODO(), csrNameWithServiceAndNamespace, metav1.DeleteOptions{})
if err != nil {
log.Fatalf("Delete CertificateSigningRequest - error occurred, detail: %v, but ignored", err)
}
log.Println("Certificate signing request, status: Deleted")
} else {
log.Println("Certificate signing request, status: Renewal process is not necessary, skipped")
os.Exit(0)
}
}
log.Println("Certificate signing request, status: Not Retrieved")

log.Println("Certificate signing request, status: Creating")
csr, err := certificateSigningRequestsClient.Create(context.TODO(), certificateSigningRequest, metav1.CreateOptions{})
if err != nil {
Expand Down Expand Up @@ -213,7 +248,7 @@ Usage:
} else {
log.Println("Secret, status: Updated")
}

log.Printf("Done in %d milliseconds", time.Since(start).Milliseconds())
},
}
Expand Down Expand Up @@ -243,6 +278,8 @@ func init() {
rootCmd.Flags().StringVarP(&service, "service", "s", "", "Service name of webhook.")
rootCmd.Flags().StringVarP(&secret, "secret", "t", "tls-secret", "Secret name for CA certificate and server certificate/key pair.")
rootCmd.Flags().StringVarP(&kubeconfig, "kubeconfig", "k", "", "kubeconfig path")
rootCmd.Flags().IntVarP(&days, "days", "d", 1, "the number of days remaining for certificate renewal")
rootCmd.Flags().BoolVarP(&forceRenewal, "force", "f", false, "enable force renewal before expiration time")

_ = rootCmd.MarkFlagRequired("service")
}
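Review bot: In the second hunk `block, _ := pem.Decode(certificateAlreadyCreated)` feeds `block.Bytes` straight into `x509.ParseCertificate`, so if `Status.Certificate` holds anything that is not a PEM block, `block` is nil and the tool panics instead of reporting a usable error; add `if block == nil { log.Fatalf("pem.Decode - no PEM block found in existing certificate") }` before the parse. The Get error at the top of the hunk is logged as ignored, yet the code then reads `csExistInCluster.Status.Certificate`; whether the typed client returns a non-nil object on error is not visible here, so either bail out on that error or check `csExistInCluster != nil` first. The Delete failure is reported with `log.Fatalf("Delete CertificateSigningRequest - error occurred, detail: %v, but ignored", err)`, which is misleading because Fatalf exits the process — drop `, but ignored` from that message. The renewal decision only inspects `cert.NotAfter` of the stored CSR, not the certificate actually held in the secret, so a missing or stale secret with a still-valid CSR would presumably be skipped via `os.Exit(0)`; worth a comment stating that assumption. The enclosing Run function starts and ends outside the hunk.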
Binary file added k8s-webhook-certificator
Binary file not shown.
