
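package hybrid

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"

	"go.uber.org/zap"

	"github.com/aws/eks-hybrid/internal/kubelet"
)

// ValidateKubeletCert checks whether a kubelet certificate already exists under
// installRoot and, if so, verifies that it chains to the cluster CA given in ca
// (PEM-encoded).
//
// The check passes (returns nil) when no certificate file exists or when the
// existing certificate has already expired, because kubelet regenerates it in
// both cases. An unreadable or unparseable certificate file, an unparseable CA
// bundle, or a certificate that does not verify against the CA yields an error.
// Errors from the OS, the x509 parser and x509 verification are wrapped with %w
// so callers can inspect them with errors.Is / errors.As.
func ValidateKubeletCert(logger *zap.Logger, installRoot string, ca []byte) error {
	logger.Info("Validating kubelet certificate...")

	certPath := filepath.Join(installRoot, kubelet.KubeletCurrentCertPath)
	if _, err := os.Stat(certPath); err != nil {
		if errors.Is(err, os.ErrNotExist) {
			// No existing cert, validation passes
			return nil
		}
		return fmt.Errorf("checking kubelet certificate: %w", err)
	}

	certData, err := os.ReadFile(certPath)
	if err != nil {
		return fmt.Errorf("reading kubelet certificate: %w", err)
	}

	// Only the first PEM block is decoded; any trailing data in the file is ignored.
	block, _ := pem.Decode(certData)
	if block == nil {
		return errors.New("parsing kubelet certificate")
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing kubelet certificate: %w", err)
	}

	now := time.Now()
	if now.After(cert.NotAfter) {
		// expired certs will be regenerated by kubelet, no need to fail
		return nil
	}

	caPool := x509.NewCertPool()
	if !caPool.AppendCertsFromPEM(ca) {
		return errors.New("parsing cluster CA certificate")
	}

	// Verify the certificate against the cluster's CA. KeyUsages is left at its
	// default (x509 treats nil as ServerAuth), the expected usage for the kubelet
	// server certificate checked here. The underlying x509 error is wrapped so the
	// real reason (untrusted issuer, not yet valid, usage mismatch) is not lost.
	opts := x509.VerifyOptions{
		Roots:       caPool,
		CurrentTime: now,
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("kubelet certificate is not valid for the current cluster. Please remove the kubelet server certificate file %s or use \"--skip kubelet-cert-validation\" if this is expected: %w", certPath, err)
	}

	return nil
}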