Commit 40c4e5d7 authored by Helga Velroyen's avatar Helga Velroyen

Init: add master client certificate to configuration

This patch adds a few steps to bootstrap.py. After the
creation of the server (cluster) certificate and the
master node's client certificate, the digest of that
client certificate is added to the configuration and,
through an update of the configuration, written to the
ssconf_master_candidates_certs file.
Signed-off-by: default avatarHelga Velroyen <helgav@google.com>
Reviewed-by: default avatarKlaus Aehlig <aehlig@google.com>
parent 096b394e
......@@ -214,7 +214,7 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_spice_cert,
GenerateHmacKey(cds_file)
def _InitGanetiServerSetup(master_name):
def _InitGanetiServerSetup(master_name, cfg):
"""Setup the necessary configuration for the initial node daemon.
This creates the nodepass file containing the shared password for
......@@ -222,11 +222,21 @@ def _InitGanetiServerSetup(master_name):
@type master_name: str
@param master_name: Name of the master node
@type cfg: ConfigWriter
@param cfg: the configuration writer
"""
# Generate cluster secrets
GenerateClusterCrypto(True, False, False, False, False, False, master_name)
# Add the master's SSL certificate digest to the configuration.
master_uuid = cfg.GetMasterNode()
master_digest = utils.GetCertificateDigest()
cfg.AddNodeToCandidateCerts(master_uuid, master_digest)
cfg.Update(cfg.GetClusterInfo(), logging.error)
ssconf.WriteSsconfFiles(cfg.GetSsconfValues())
# set up the inter-node password and certificate
result = utils.RunCmd([pathutils.DAEMON_UTIL, "start", constants.NODED])
if result.failed:
raise errors.OpExecError("Could not start the node daemon, command %s"
......@@ -894,7 +904,7 @@ def InitCluster(cluster_name, mac_prefix, # pylint: disable=R0913, R0914
ssconf.WriteSsconfFiles(cfg.GetSsconfValues())
# set up the inter-node password and certificate
_InitGanetiServerSetup(hostname.name)
_InitGanetiServerSetup(hostname.name, cfg)
logging.debug("Starting daemons")
result = utils.RunCmd([pathutils.DAEMON_UTIL, "start-all"])
......
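Review bot: The new call `utils.GetCertificateDigest()` in `_InitGanetiServerSetup` names no certificate file, so which certificate gets recorded in the candidate-certs map depends on that helper's default, which is not visible here. That map presumably decides which client certificates the other nodes accept, so a digest taken from the wrong file (for example the server certificate) would pin the wrong identity. I would pass the client certificate path explicitly and add a comment such as `# digest of the master's *client* certificate, which GenerateClusterCrypto above must have written`. It is also worth confirming that the `GenerateClusterCrypto(True, False, ...)` call really creates the client certificate on this path, since its arguments are positional booleans and the hunk does not show which one controls it. The function body continues past the end of the hunk.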
......@@ -217,16 +217,7 @@ class TestLUClusterDestroy(CmdlibTestCase):
class TestLUClusterPostInit(CmdlibTestCase):
@testutils.patch_object(cluster, "_UpdateMasterClientCert")
def testExecution(self, update_client_cert_mock):
# mock the client certificate creation as it is tested separately
update_client_cert_mock.return_value = None
# For the purpose of this test, return the same certificate digest for all
# nodes
self.rpc.call_node_crypto_tokens = \
lambda node_uuid, _: self.RpcResultsBuilder() \
.CreateSuccessfulNodeResult(node_uuid,
[(constants.CRYPTO_TYPE_SSL_DIGEST, "IA:MA:FA:KE:DI:GE:ST")])
def testExecution(self):
op = opcodes.OpClusterPostInit()
self.ExecOpCode(op)
......
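Review bot: With the `call_node_crypto_tokens` stub and the `_UpdateMasterClientCert` patch removed, `testExecution` only runs the opcode and, in the lines visible here, asserts nothing about certificates. The digest registration now done in `_InitGanetiServerSetup` has no test on this page, so a regression in what gets pinned for the master would go unnoticed. Consider a bootstrap test that passes a mock `cfg`, patches `utils.GetCertificateDigest` to return a fixed value, and checks `cfg.AddNodeToCandidateCerts.assert_called_once_with(master_uuid, digest)`. The test class continues outside this section.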