keeping old but still valid CA certs on renewal

2025-01-26 18:59:51 +01:00 · 2025-01-26 18:59:51 +01:00 · 1871eac7bb
commit 1871eac7bb
parent b12ce7299f
1 changed files with 13 additions and 0 deletions
--- a/cmd/dkl-local-server/ws-cluster-cas.go
+++ b/cmd/dkl-local-server/ws-cluster-cas.go
@ -2,7 +2,9 @@ package main

 import (
 	"fmt"
+	"time"

+	"github.com/cloudflare/cfssl/helpers"
 	"github.com/cloudflare/cfssl/log"
 	restful "github.com/emicklei/go-restful"
 )
@ -55,11 +57,22 @@ func getUsableClusterCA(cluster, name string) (ca CA, err error) {
 	if checkErr != nil {
 		log.Infof("cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)

+		prevCerts, _ := helpers.ParseCertificatesPEM(ca.Cert)
+
 		err = ca.RenewCert()
 		if err != nil {
 			err = fmt.Errorf("renew: %w", err)
 		}

+		now := time.Now()
+		for _, cert := range prevCerts {
+			if cert.NotAfter.After(now) {
+				continue
+			}
+			certPEM := helpers.EncodeCertificatePEM(cert)
+			ca.Cert = append(ca.Cert, certPEM...)
+		}
+
 		err = clusterCAs.Put(key, ca)
 	}