package troubleshoot
import (
"errors"
"fmt"
"time"
envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
"github.com/hashicorp/go-multierror"
"google.golang.org/protobuf/encoding/protojson"
)
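// validateCerts reports every certificate in the Envoy /certs response whose
// expiration time is already in the past. Expired CA certificates and expired
// chain certificates are all collected into one multierror so a single call
// surfaces every problem at once; nil is returned when nothing is wrong.
//
// A nil certs object or an empty certificate list is itself an error: the
// caller cannot distinguish "nothing to check" from "the proxy returned
// nothing", and the latter usually means TLS is not configured as expected.
//
// A certificate whose expiration_time field is unset is reported as its own
// error rather than being treated as expired. A nil protobuf Timestamp
// converts to the Unix epoch via AsTime(), so without this guard a missing
// field would be silently reported as "expired" and hide the real problem
// (missing data from the admin API).
func (t *Troubleshoot) validateCerts(certs *envoy_admin_v3.Certificates) error {
	// TODO: we can probably warn if the expiration date is close
	if certs == nil {
		return errors.New("certs object is nil")
	}

	if len(certs.GetCertificates()) == 0 {
		return errors.New("no certificates provided")
	}

	// One clock reading for the whole pass so every certificate is judged
	// against the same instant.
	now := time.Now()

	var resultErr error
	for _, cert := range certs.GetCertificates() {
		for _, cacert := range cert.GetCaCert() {
			if err := checkCertExpiry(now, "ca cert", cacert); err != nil {
				resultErr = multierror.Append(resultErr, err)
			}
		}
		for _, cc := range cert.GetCertChain() {
			if err := checkCertExpiry(now, "cert chain", cc); err != nil {
				resultErr = multierror.Append(resultErr, err)
			}
		}
	}

	return resultErr
}

// checkCertExpiry returns an error when details has no expiration time, or
// when that time is before now. kind ("ca cert" / "cert chain") labels the
// error; the certificate's path and serial number are included so the
// operator can tell which certificate on the proxy needs rotating. A nil
// details is safe: the generated protobuf getters return zero values.
func checkCertExpiry(now time.Time, kind string, details *envoy_admin_v3.CertificateDetails) error {
	exp := details.GetExpirationTime()
	if exp == nil {
		return fmt.Errorf("%s %q (serial %s) has no expiration time", kind, details.GetPath(), details.GetSerialNumber())
	}
	expiresAt := exp.AsTime()
	if now.After(expiresAt) {
		return fmt.Errorf("%s %q (serial %s) is expired (expired at %s)", kind, details.GetPath(), details.GetSerialNumber(), expiresAt.UTC().Format(time.RFC3339))
	}
	return nil
}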
// getEnvoyCerts fetches the certificate inventory from the Envoy admin API's
// /certs endpoint (JSON form), decodes it into the admin/v3 Certificates
// message, caches it on the receiver as t.envoyCerts and returns it.
//
// Unknown JSON fields are discarded during decoding, so fields this package
// does not model are ignored rather than rejected (presumably to tolerate
// fields added by newer Envoy versions — confirm against the callers).
//
// Returns a wrapped error if the request fails or the body is not valid
// Certificates JSON; in that case t.envoyCerts is left untouched.
//
// NOTE(review): the admin API response is trusted as-is here; any cap on
// the response size or validation of the transport belongs in t.request,
// which is defined elsewhere in this package.
func (t *Troubleshoot) getEnvoyCerts() (*envoy_admin_v3.Certificates, error) {
	raw, err := t.request("certs?format=json")
	if err != nil {
		return nil, fmt.Errorf("error in requesting Envoy Admin API /certs endpoint: %w", err)
	}

	opts := protojson.UnmarshalOptions{DiscardUnknown: true}
	parsed := &envoy_admin_v3.Certificates{}
	if err := opts.Unmarshal(raw, parsed); err != nil {
		return nil, fmt.Errorf("error in unmarshalling /certs response: %w", err)
	}

	// Cache for later troubleshooting steps that re-read the inventory.
	t.envoyCerts = parsed
	return parsed, nil
}