Commit 43575108 authored by Michael Hanselmann's avatar Michael Hanselmann

bootstrap: Add new function to create cluster certs and keys

The code to generate cluster certificates, keys and secrets is currently
spread over several places. It makes sense to move it to a separate
function as we want to provide the user with the ability to automatically
replace all cluster certificates and keys.
Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
Reviewed-by: default avatarIustin Pop <iustin@google.com>
parent 1d466a4f
......@@ -107,7 +107,55 @@ def GenerateHmacKey(file_name):
@param file_name: Path to output file
"""
utils.WriteFile(file_name, data="%s\n" % utils.GenerateSecret(), mode=0400)
utils.WriteFile(file_name, data="%s\n" % utils.GenerateSecret(), mode=0400,
backup=True)
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
rapi_cert_pem=None):
"""Updates the cluster certificates, keys and secrets.
@type new_cluster_cert: bool
@param new_cluster_cert: Whether to generate a new cluster certificate
@type new_rapi_cert: bool
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type new_hmac_key: bool
@param new_hmac_key: Whether to generate a new HMAC key
@type rapi_cert_pem: string
@param rapi_cert_pem: New RAPI certificate in PEM format
"""
# SSL certificate
cluster_cert_exists = os.path.exists(constants.SSL_CERT_FILE)
if new_cluster_cert or not cluster_cert_exists:
if cluster_cert_exists:
utils.CreateBackup(constants.SSL_CERT_FILE)
logging.debug("Generating new cluster certificate at %s",
constants.SSL_CERT_FILE)
GenerateSelfSignedSslCert(constants.SSL_CERT_FILE)
# HMAC key
if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
# RAPI
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
if rapi_cert_pem:
# Assume rapi_pem contains a valid PEM-formatted certificate and key
logging.debug("Writing RAPI certificate at %s",
constants.RAPI_CERT_FILE)
utils.WriteFile(constants.RAPI_CERT_FILE, data=rapi_cert_pem, backup=True)
elif new_rapi_cert or not rapi_cert_exists:
if rapi_cert_exists:
utils.CreateBackup(constants.RAPI_CERT_FILE)
logging.debug("Generating new RAPI certificate at %s",
constants.RAPI_CERT_FILE)
GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE)
def _InitGanetiServerSetup(master_name):
......@@ -117,14 +165,8 @@ def _InitGanetiServerSetup(master_name):
the cluster and also generates the SSL certificate.
"""
GenerateSelfSignedSslCert(constants.SSL_CERT_FILE)
# Don't overwrite existing file
if not os.path.exists(constants.RAPI_CERT_FILE):
GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE)
if not os.path.exists(constants.HMAC_CLUSTER_KEY):
GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
# Generate cluster secrets
GenerateClusterCrypto(True, False, False)
result = utils.RunCmd([constants.DAEMON_UTIL, "start", constants.NODED])
if result.failed:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment