CORS-3633: Fail the install when there are expired certs

barbacbd · barbacbd · commit d7a7dc07e4d6 · 2025-05-01T16:07:01.000-04:00
** When the user creates the ignition configs and a failure or some time goes by before cluster creation occurs, the
certs could go bad/expire. The installer can warn of expired certs, but it does not fail. These warnings are often
overlooked and pass by too quickly during the installation process. The changes here will cause an immediate failure.
diff --git a/pkg/asset/ignition/bootstrap/common.go b/pkg/asset/ignition/bootstrap/common.go
@@ -709,12 +709,16 @@ func (a *Common) load(f asset.FileFetcher, filename string) (found bool, err err
 	}
 
 	a.File, a.Config = file, config
-	warnIfCertificatesExpired(a.Config)
-	return true, nil
+	err = warnIfCertificatesExpired(a.Config)
+	if err != nil {
+		logrus.Warnf("Please regenerate ignition configuration files in a new directory.")
+	}
+
+	return true, err
 }
 
 // warnIfCertificatesExpired checks for expired certificates and warns if so
-func warnIfCertificatesExpired(config *igntypes.Config) {
+func warnIfCertificatesExpired(config *igntypes.Config) error {
 	expiredCerts := 0
 	for _, file := range config.Storage.Files {
 		if filepath.Ext(file.Path) == ".crt" && file.Contents.Source != nil {
@@ -734,7 +738,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {
 				cert, err := x509.ParseCertificate(block.Bytes)
 				if err == nil {
 					if time.Now().UTC().After(cert.NotAfter) {
-						logrus.Warnf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))
+						logrus.Errorf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))
 						expiredCerts++
 					}
 				} else {
@@ -748,6 +752,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {
 	}
 
 	if expiredCerts > 0 {
-		logrus.Warnf("Bootstrap Ignition-Config: %d certificates expired. Installation attempts with the created Ignition-Configs will possibly fail.", expiredCerts)
+		return fmt.Errorf("%d certificates expired", expiredCerts)
 	}
+	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -709,12 +709,16 @@ func (a *Common) load(f asset.FileFetcher, filename string) (found bool, err err`
`709`	`709`	`}`
`710`	`710`
`711`	`711`	`a.File, a.Config = file, config`
`712`		`- warnIfCertificatesExpired(a.Config)`
`713`		`- return true, nil`
	`712`	`+ err = warnIfCertificatesExpired(a.Config)`
	`713`	`+ if err != nil {`
	`714`	`+ logrus.Warnf("Please regenerate ignition configuration files in a new directory.")`
	`715`	`+ }`
	`716`	`+`
	`717`	`+ return true, err`
`714`	`718`	`}`
`715`	`719`
`716`	`720`	`// warnIfCertificatesExpired checks for expired certificates and warns if so`
`717`		`-func warnIfCertificatesExpired(config *igntypes.Config) {`
	`721`	`+func warnIfCertificatesExpired(config *igntypes.Config) error {`
`718`	`722`	`expiredCerts := 0`
`719`	`723`	`for _, file := range config.Storage.Files {`
`720`	`724`	`if filepath.Ext(file.Path) == ".crt" && file.Contents.Source != nil {`
`@@ -734,7 +738,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {`
`734`	`738`	`cert, err := x509.ParseCertificate(block.Bytes)`
`735`	`739`	`if err == nil {`
`736`	`740`	`if time.Now().UTC().After(cert.NotAfter) {`
`737`		`- logrus.Warnf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))`
	`741`	`+ logrus.Errorf("Bootstrap Ignition-Config Certificate %s expired at %s.", path.Base(file.Path), cert.NotAfter.Format(time.RFC3339))`
`738`	`742`	`expiredCerts++`
`739`	`743`	`}`
`740`	`744`	`} else {`
`@@ -748,6 +752,7 @@ func warnIfCertificatesExpired(config *igntypes.Config) {`
`748`	`752`	`}`
`749`	`753`
`750`	`754`	`if expiredCerts > 0 {`
`751`		`- logrus.Warnf("Bootstrap Ignition-Config: %d certificates expired. Installation attempts with the created Ignition-Configs will possibly fail.", expiredCerts)`
	`755`	`+ return fmt.Errorf("%d certificates expired", expiredCerts)`
`752`	`756`	`}`
	`757`	`+ return nil`
`753`	`758`	`}`