On Thu, Dec 19, 2013 at 3:49 PM, Helga Velroyen <[email protected]> wrote:
> At the end of this patch series, incoming RPC calls are
> legitimized against a map of master candidate nodes'
> SSL certificate digests. This patch adds the map itself
> to the cluster's configuration.
>
> Signed-off-by: Helga Velroyen <[email protected]>
> ---
> lib/bootstrap.py | 4 ++++
> lib/objects.py | 4 ++++
> src/Ganeti/Objects.hs | 4 ++++
> test/py/cfgupgrade_unittest.py | 3 ++-
> 4 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bootstrap.py b/lib/bootstrap.py
> index 748ab48..3fe91ca 100644
> --- a/lib/bootstrap.py
> +++ b/lib/bootstrap.py
> @@ -749,6 +749,8 @@ def InitCluster(cluster_name, mac_prefix, # pylint:
> disable=R0913, R0914
> os.path.isfile):
> default_iallocator = constants.IALLOC_HAIL
>
> + candidate_certs = {}
> +
> now = time.time()
>
> # init of cluster config file
> @@ -790,6 +792,7 @@ def InitCluster(cluster_name, mac_prefix, # pylint:
> disable=R0913, R0914
> hv_state_static=hv_state,
> disk_state_static=disk_state,
> enabled_disk_templates=enabled_disk_templates,
> + candidate_certs=candidate_certs,
> )
> master_node_config = objects.Node(name=hostname.name,
> primary_ip=hostname.ip,
> @@ -803,6 +806,7 @@ def InitCluster(cluster_name, mac_prefix, # pylint:
> disable=R0913, R0914
> cfg = config.ConfigWriter(offline=True)
> ssh.WriteKnownHostsFile(cfg, pathutils.SSH_KNOWN_HOSTS_FILE)
> cfg.Update(cfg.GetClusterInfo(), logging.error)
> +
> ssconf.WriteSsconfFiles(cfg.GetSsconfValues())
>
> # set up the inter-node password and certificate
> diff --git a/lib/objects.py b/lib/objects.py
> index 4307488..565ba4e 100644
> --- a/lib/objects.py
> +++ b/lib/objects.py
> @@ -1576,6 +1576,7 @@ class Cluster(TaggableObject):
> "hv_state_static",
> "disk_state_static",
> "enabled_disk_templates",
> + "candidate_certs",
> ] + _TIMESTAMPS + _UUID
>
> def UpgradeConfig(self):
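Review bot: `candidate_certs = {}` in the first lib/bootstrap.py hunk leaves a freshly initialized cluster with an empty digest map, and the `UpgradeConfig` default added in lib/objects.py does the same for upgraded clusters; nothing in this patch states how the later RPC check is meant to treat that state. Because the map is the basis for legitimizing incoming RPC calls, an empty map should mean that no caller is accepted, never that the check is skipped. I would record that next to the assignment, for example `# Empty until certificate digests are recorded; consumers must treat an empty map as "accept nobody".` InitCluster's body extends beyond the hunk, so the master's own digest may well be added elsewhere in the series.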
> @@ -1698,6 +1699,9 @@ class Cluster(TaggableObject):
> raise errors.ConfigurationError(msg)
> self.ipolicy = FillIPolicy(constants.IPOLICY_DEFAULTS, self.ipolicy)
>
> + if self.candidate_certs is None:
> + self.candidate_certs = {}
> +
> @property
> def primary_hypervisor(self):
> """The first hypervisor is the primary.
> diff --git a/src/Ganeti/Objects.hs b/src/Ganeti/Objects.hs
> index b1a0747..93f3322 100644
> --- a/src/Ganeti/Objects.hs
> +++ b/src/Ganeti/Objects.hs
> @@ -659,6 +659,9 @@ type UidPool = [(Int, Int)]
> -- | The iallocator parameters type.
> type IAllocatorParams = Container JSValue
>
> +-- | The master candidate client certificate digests
> +type CandidateCertificates = Container JSValue
>
Unless additional metadata is to be used, why not Container String?
> +
> -- * Cluster definitions
> $(buildObject "Cluster" "cluster" $
> [ simpleField "rsahostkeypub" [t| String |]
> @@ -702,6 +705,7 @@ $(buildObject "Cluster" "cluster" $
> , simpleField "prealloc_wipe_disks" [t| Bool |]
> , simpleField "ipolicy" [t| FilledIPolicy |]
> , simpleField "enabled_disk_templates" [t| [DiskTemplate] |]
> + , simpleField "candidate_certs" [t| CandidateCertificates |]
> ]
> ++ timeStampFields
> ++ uuidFields
> diff --git a/test/py/cfgupgrade_unittest.py
> b/test/py/cfgupgrade_unittest.py
> index 24b0667..b56a8c5 100755
> --- a/test/py/cfgupgrade_unittest.py
> +++ b/test/py/cfgupgrade_unittest.py
> @@ -45,7 +45,8 @@ def GetMinimalConfig():
> "master_node": "node1-uuid",
> "ipolicy": None,
> "default_iallocator_params": {},
> - "ndparams": {}
> + "ndparams": {},
> + "candidate_certs": {},
> },
> "instances": {},
> "networks": {},
> --
> 1.8.5.1
>
>
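Review bot: The Haddock comment on `CandidateCertificates` in the first src/Ganeti/Objects.hs hunk does not say what the container is keyed by or which digest format the values hold, and code that compares an incoming certificate against this map needs both. I would extend it along the lines of `-- | Maps a master candidate's node identifier to the digest of its client SSL certificate.`, naming the actual key (UUID or name) and the digest algorithm once the series settles them. The `"candidate_certs"` slot added in lib/objects.py carries no description either, so the same sentence would help there.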
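Review bot: With `"candidate_certs": {}` now part of `GetMinimalConfig()` in test/py/cfgupgrade_unittest.py, no test visible in this patch covers a configuration that lacks the key, which is the case the new `if self.candidate_certs is None:` branch in `Cluster.UpgradeConfig` exists for. Since the field later decides which RPC callers are trusted, I would add a test that loads a cluster dict without `candidate_certs` and asserts the upgraded value is `{}`. GetMinimalConfig's body continues outside the hunk, so other tests in the file may already vary the fixture.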
