Merge pull request #9225 from barbacbd/CORS-3633

openshift-merge-bot[bot] · web-flow · commit 3a55840363db · 2025-05-02T02:11:09.000Z
CORS-3633: Fail the install when there are expired certs
diff --git a/pkg/asset/ignition/bootstrap/common.go b/pkg/asset/ignition/bootstrap/common.go
@@ -709,12 +709,16 @@ func (a *Common) load(f asset.FileFetcher, filename string) (found bool, err err
 	}
 
 	a.File, a.Config = file, config
-	warnIfCertificatesExpired(a.Config)
-	return true, nil
+	err = warnIfCertificatesExpired(a.Config)
+	if err != nil {
+		logrus.Warnf("Please regenerate ignition configuration files in a new directory.")
+	}
+
+	return true, err
 }
 
 // warnIfCertificatesExpired checks for expired certificates and warns if so
-func warnIfCertificatesExpired(config *igntypes.Config) {
+func warnIfCertificatesExpired(config *igntypes.Config) error {
 	expiredCerts := 0
 	for _, file := range config.Storage.Files {
 		if filepath.Ext(file.Path) == ".crt" && file.Contents.Source != nil {
@@ -734,7 +738,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {
 				cert, err := x509.ParseCertificate(block.Bytes)
 				if err == nil {
 					if time.Now().UTC().After(cert.NotAfter) {
-						logrus.Warnf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))
+						logrus.Errorf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))
 						expiredCerts++
 					}
 				} else {
@@ -748,6 +752,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {
 	}
 
 	if expiredCerts > 0 {
-		logrus.Warnf("Bootstrap Ignition-Config: %d certificates expired. Installation attempts with the created Ignition-Configs will possibly fail.", expiredCerts)
+		return fmt.Errorf("%d certificates expired", expiredCerts)
 	}
+	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -709,12 +709,16 @@ func (a *Common) load(f asset.FileFetcher, filename string) (found bool, err err`
`709`	`709`	`}`
`710`	`710`
`711`	`711`	`a.File, a.Config = file, config`
`712`		`- warnIfCertificatesExpired(a.Config)`
`713`		`- return true, nil`
	`712`	`+ err = warnIfCertificatesExpired(a.Config)`
	`713`	`+ if err != nil {`
	`714`	`+ logrus.Warnf("Please regenerate ignition configuration files in a new directory.")`
	`715`	`+ }`
	`716`	`+`
	`717`	`+ return true, err`
`714`	`718`	`}`
`715`	`719`
`716`	`720`	`// warnIfCertificatesExpired checks for expired certificates and warns if so`
`717`		`-func warnIfCertificatesExpired(config *igntypes.Config) {`
	`721`	`+func warnIfCertificatesExpired(config *igntypes.Config) error {`
`718`	`722`	`expiredCerts := 0`
`719`	`723`	`for _, file := range config.Storage.Files {`
`720`	`724`	`if filepath.Ext(file.Path) == ".crt" && file.Contents.Source != nil {`
`@@ -734,7 +738,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {`
`734`	`738`	`cert, err := x509.ParseCertificate(block.Bytes)`
`735`	`739`	`if err == nil {`
`736`	`740`	`if time.Now().UTC().After(cert.NotAfter) {`
`737`		`- logrus.Warnf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))`
	`741`	`+ logrus.Errorf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))`
`738`	`742`	`expiredCerts++`
`739`	`743`	`}`
`740`	`744`	`} else {`
`@@ -748,6 +752,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {`
`748`	`752`	`}`
`749`	`753`
`750`	`754`	`if expiredCerts > 0 {`
`751`		`- logrus.Warnf("Bootstrap Ignition-Config: %d certificates expired. Installation attempts with the created Ignition-Configs will possibly fail.", expiredCerts)`
	`755`	`+ return fmt.Errorf("%d certificates expired", expiredCerts)`
`752`	`756`	`}`
	`757`	`+ return nil`
`753`	`758`	`}`