Commit 59e3e139 authored by Helga Velroyen's avatar Helga Velroyen

Renew client certs using ssl_update tool

This patch integrates renewing the client certificate
of non-master nodes using the new ssl_update tool.
Signed-off-by: default avatarHelga Velroyen <helgav@google.com>
Reviewed-by: default avatarKlaus Aehlig <aehlig@google.com>
parent ba8e831a
......@@ -300,6 +300,7 @@ CLEANFILES = \
tools/vif-ganeti-metad \
tools/net-common \
tools/users-setup \
tools/ssl-update \
tools/vcluster-setup \
$(python_scripts_shebang) \
stamp-directories \
......@@ -1160,6 +1161,7 @@ PYTHON_BOOTSTRAP = \
tools/ensure-dirs \
tools/node-cleanup \
tools/node-daemon-setup \
tools/ssl-update \
tools/prepare-node-join
qa_scripts = \
......@@ -1403,7 +1405,8 @@ pkglib_python_scripts = \
nodist_pkglib_python_scripts = \
tools/ensure-dirs \
tools/node-daemon-setup \
tools/prepare-node-join
tools/prepare-node-join \
tools/ssl-update
pkglib_python_basenames = \
$(patsubst daemons/%,%,$(patsubst tools/%,%,\
......
......@@ -1055,16 +1055,47 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
for file_name in files_to_copy:
ctx.ssh.CopyFileToNode(node_name, port, file_name)
RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
def _RenewClientCerts(ctx):
ctx.feedback_fn("Updating client SSL certificates.")
# TODO: transport those options outside.
debug = True
verbose = True
cluster_name = ssconf.SimpleStore().GetClusterName()
for node_name in ctx.nonmaster_nodes:
ssh_port = ctx.ssh_ports[node_name]
data = {
constants.NDS_CLUSTER_NAME: cluster_name,
constants.NDS_NODE_DAEMON_CERTIFICATE:
utils.ReadFile(pathutils.NODED_CERT_FILE),
constants.NDS_NODE_NAME: node_name,
}
bootstrap.RunNodeSetupCmd(
cluster_name,
node_name,
pathutils.SSL_UPDATE,
debug,
verbose,
True, # use cluster key
False, # ask key
True, # strict host check
ssh_port,
data)
if new_cluster_cert or new_rapi_cert or new_spice_cert \
or new_confd_hmac_key or new_cds:
RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
if new_node_cert:
RunWhileDaemonsStopped(ToStdout, [constants.NODED, constants.WCONFD],
_RenewClientCerts)
ToStdout("All requested certificates and keys have been replaced."
" Running \"gnt-cluster verify\" now is recommended.")
if new_node_cert:
cl = GetClient()
renew_op = opcodes.OpClusterRenewCrypto()
SubmitOpCode(renew_op, cl=cl)
return 0
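Review bot: The `debug = True` and `verbose = True` assignments under the `# TODO: transport those options outside.` comment in `_RenewClientCerts` hardcode debug mode into a production path that ships the contents of `pathutils.NODED_CERT_FILE` to every non-master node; the ssl-update tool is not in this hunk, so whether its debug output echoes any of `data` cannot be confirmed here, but a certificate-bearing payload should not travel under a permanently-on debug flag. Until the TODO is resolved, default them to `debug = False` and `verbose = False`, or thread them through from `_RenewCrypto`'s options like the other flags. `utils.ReadFile(pathutils.NODED_CERT_FILE)` is re-read on each loop iteration; hoist it above the `for node_name in ctx.nonmaster_nodes:` line so every node receives identical bytes even if the file changes mid-run. If `bootstrap.RunNodeSetupCmd` raises on an unreachable node (as the other bootstrap helpers appear to), the loop aborts while NODED and WCONFD are stopped and the remaining nodes keep their old client certificates, so a per-node `ctx.feedback_fn("Updating client certificate of node %s" % node_name)` before the call, with failures collected and reported after the loop, would make a partial renewal visible to the operator. `_RenewCrypto` itself begins before this hunk.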
......
......@@ -65,6 +65,7 @@ KVM_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/kvm-console-wrapper"
KVM_IFUP = _constants.PKGLIBDIR + "/kvm-ifup"
PREPARE_NODE_JOIN = _constants.PKGLIBDIR + "/prepare-node-join"
NODE_DAEMON_SETUP = _constants.PKGLIBDIR + "/node-daemon-setup"
SSL_UPDATE = _constants.PKGLIBDIR + "/ssl-update"
XEN_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/xen-console-wrapper"
CFGUPGRADE = _constants.PKGLIBDIR + "/tools/cfgupgrade"
POST_UPGRADE = _constants.PKGLIBDIR + "/tools/post-upgrade"
......