Renew client certs using ssl_update tool
authorHelga Velroyen <helgav@google.com>
Tue, 9 Jun 2015 12:19:15 +0000 (14:19 +0200)
committerHelga Velroyen <helgav@google.com>
Mon, 6 Jul 2015 10:45:51 +0000 (12:45 +0200)
This patch integrates renewing the client certificate
of non-master nodes using the new ssl_update tool.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Makefile.am
lib/client/gnt_cluster.py
lib/pathutils.py

index b4fdba0..79c964e 100644 (file)
@@ -300,6 +300,7 @@ CLEANFILES = \
        tools/vif-ganeti-metad \
        tools/net-common \
        tools/users-setup \
+       tools/ssl-update \
        tools/vcluster-setup \
        $(python_scripts_shebang) \
        stamp-directories \
@@ -1160,6 +1161,7 @@ PYTHON_BOOTSTRAP = \
        tools/ensure-dirs \
        tools/node-cleanup \
        tools/node-daemon-setup \
+       tools/ssl-update \
        tools/prepare-node-join
 
 qa_scripts = \
@@ -1403,7 +1405,8 @@ pkglib_python_scripts = \
 nodist_pkglib_python_scripts = \
        tools/ensure-dirs \
        tools/node-daemon-setup \
-       tools/prepare-node-join
+       tools/prepare-node-join \
+       tools/ssl-update
 
 pkglib_python_basenames = \
        $(patsubst daemons/%,%,$(patsubst tools/%,%,\
index 0c0e165..54f0d35 100644 (file)
@@ -1055,16 +1055,47 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
         for file_name in files_to_copy:
           ctx.ssh.CopyFileToNode(node_name, port, file_name)
 
-  RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
+  def _RenewClientCerts(ctx):
+    ctx.feedback_fn("Updating client SSL certificates.")
+
+    # TODO: transport those options outside.
+    debug = True
+    verbose = True
+
+    cluster_name = ssconf.SimpleStore().GetClusterName()
+
+    for node_name in ctx.nonmaster_nodes:
+      ssh_port = ctx.ssh_ports[node_name]
+      data = {
+        constants.NDS_CLUSTER_NAME: cluster_name,
+        constants.NDS_NODE_DAEMON_CERTIFICATE:
+          utils.ReadFile(pathutils.NODED_CERT_FILE),
+        constants.NDS_NODE_NAME: node_name,
+        }
+
+      bootstrap.RunNodeSetupCmd(
+          cluster_name,
+          node_name,
+          pathutils.SSL_UPDATE,
+          debug,
+          verbose,
+          True, # use cluster key
+          False, # ask key
+          True, # strict host check
+          ssh_port,
+          data)
+
+  if new_cluster_cert or new_rapi_cert or new_spice_cert \
+      or new_confd_hmac_key or new_cds:
+    RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
+
+  if new_node_cert:
+    RunWhileDaemonsStopped(ToStdout, [constants.NODED, constants.WCONFD],
+                           _RenewClientCerts)
 
   ToStdout("All requested certificates and keys have been replaced."
            " Running \"gnt-cluster verify\" now is recommended.")
 
-  if new_node_cert:
-    cl = GetClient()
-    renew_op = opcodes.OpClusterRenewCrypto()
-    SubmitOpCode(renew_op, cl=cl)
-
   return 0
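Review bot: The new `_RenewClientCerts` loop over `ctx.nonmaster_nodes` has no per-node error handling, so the first node on which `bootstrap.RunNodeSetupCmd` raises (the exception type is not visible here) aborts the remaining nodes and leaves the cluster with a mix of old and new client certificates without reporting which nodes were updated; collecting per-node failures and reporting them after the loop, as the feedback at the end already promises "all requested certificates ... replaced", would make the partial state visible to the operator. `utils.ReadFile(pathutils.NODED_CERT_FILE)` is loop-invariant and reads the node daemon certificate material once per node; hoist it next to `cluster_name` as `noded_cert = utils.ReadFile(pathutils.NODED_CERT_FILE)` and reuse it in `data`. `debug = True` / `verbose = True` are hard-coded with a TODO, which means the setup tool always runs in its most talkative mode on every node while handling certificate material; the options should come from the command's `opts` (the `_RenewCrypto` signature is outside the hunk, so whether they are already passed in cannot be confirmed here). The removed `OpClusterRenewCrypto` submission presumably also refreshed the cluster's record of accepted client certificates; if the ssl-update tool does not do so, the renewed certificates may be rejected until that record is updated, which is worth a comment at the `if new_node_cert:` branch.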
 
 
index 203df47..e696e87 100644 (file)
@@ -65,6 +65,7 @@ KVM_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/kvm-console-wrapper"
 KVM_IFUP = _constants.PKGLIBDIR + "/kvm-ifup"
 PREPARE_NODE_JOIN = _constants.PKGLIBDIR + "/prepare-node-join"
 NODE_DAEMON_SETUP = _constants.PKGLIBDIR + "/node-daemon-setup"
+SSL_UPDATE = _constants.PKGLIBDIR + "/ssl-update"
 XEN_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/xen-console-wrapper"
 CFGUPGRADE = _constants.PKGLIBDIR + "/tools/cfgupgrade"
 POST_UPGRADE = _constants.PKGLIBDIR + "/tools/post-upgrade"