In order to be able to extend the renew-crypto opcode, we are adding a parameter for renewing the node SSL certificates. This way, it can easily be broadened to renew SSH keys as well, which is done in the following patch.
Signed-off-by: Helga Velroyen <hel...@google.com>
---
 lib/client/gnt_cluster.py | 2 +-
 lib/cmdlib/cluster.py | 17 ++++++++++++-----
 src/Ganeti/OpCodes.hs | 3 ++-
 src/Ganeti/OpParams.hs | 7 +++++++
 4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 69a3fdf..b6c7975 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -1060,7 +1060,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
 if new_node_cert:
 cl = GetClient()
- renew_op = opcodes.OpClusterRenewCrypto()
+ renew_op = opcodes.OpClusterRenewCrypto(node_certificates=new_node_cert)
 SubmitOpCode(renew_op, cl=cl)
 return 0
diff --git a/lib/cmdlib/cluster.py b/lib/cmdlib/cluster.py
index 0836feb..5674b07 100644
--- a/lib/cmdlib/cluster.py
+++ b/lib/cmdlib/cluster.py
@@ -97,11 +97,15 @@ def _UpdateMasterClientCert(
 class LUClusterRenewCrypto(NoHooksLU):
 """Renew the cluster's crypto tokens.
- Note that most of this operation is done in gnt_cluster.py, this LU only
- takes care of the renewal of the client SSL certificates.
- """
- def Exec(self, feedback_fn):
+
+ def _RenewNodeSslCertificates(self):
+ """Renews the nodes' SSL certificates.
+
+ Note that most of this operation is done in gnt_cluster.py, this LU only
+ takes care of the renewal of the client SSL certificates.
+
+ """
 master_uuid = self.cfg.GetMasterNode()
 server_digest = utils.GetCertificateDigest(
@@ -127,7 +131,10 @@ class LUClusterRenewCrypto(NoHooksLU):
 self.cfg.AddNodeToCandidateCerts(node_uuid, new_digest)
 self.cfg.RemoveNodeFromCandidateCerts("%s-SERVER" % master_uuid)
 self.cfg.RemoveNodeFromCandidateCerts("%s-OLDMASTER" % master_uuid)
- # Trigger another update of the config now with the new master cert
+
+ def Exec(self, feedback_fn):
+ if self.op.node_certificates:
+ self._RenewNodeSslCertificates()
 class LUClusterActivateMasterIp(NoHooksLU):
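Review bot: The docstring moved onto `_RenewNodeSslCertificates` in the `@@ -97,11 +97,15 @@` hunk of lib/cmdlib/cluster.py still says "this LU only takes care of the renewal of the client SSL certificates", which describes the class rather than the method and says "client" where the method name and the new opcode field say "node". Since the parameter exists so that the LU can take on further renewal steps, the scope note belongs on `LUClusterRenewCrypto`, and the method should document only its own work, for example `"""Renews the nodes' SSL certificates and updates their digests in the candidate certificates."""`. The method body continues outside this hunk, so that wording should be checked against the full function.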
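Review bot: `Exec` in the `@@ -127,7 +131,10 @@` hunk now returns without doing or reporting anything when `self.op.node_certificates` is false, and the new `pNodeSslCerts` field in src/Ganeti/OpParams.hs defaults to `False`. An `OpClusterRenewCrypto` submitted without the field, which until this patch renewed the certificates, would therefore finish successfully as a no-op. For a key-rotation opcode this should be visible to the operator, who may otherwise assume the certificates were replaced. The otherwise unused `feedback_fn` can carry it, e.g. `else: feedback_fn("No renewal option selected, node SSL certificates left unchanged")`, or the opcode could be rejected in a prerequisite check when no renewal option is set.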
diff --git a/src/Ganeti/OpCodes.hs b/src/Ganeti/OpCodes.hs
index b5b4991..4ebb222 100644
--- a/src/Ganeti/OpCodes.hs
+++ b/src/Ganeti/OpCodes.hs
@@ -268,7 +268,8 @@ $(genOpCode "OpCode"
 , ("OpClusterRenewCrypto",
 [t| () |],
 OpDoc.opClusterRenewCrypto,
- [],
+ [ pNodeSslCerts
+ ],
 [])
 , ("OpQuery",
 [t| QueryResponse |],
diff --git a/src/Ganeti/OpParams.hs b/src/Ganeti/OpParams.hs
index 2b02280..f277065 100644
--- a/src/Ganeti/OpParams.hs
+++ b/src/Ganeti/OpParams.hs
@@ -284,6 +284,7 @@ module Ganeti.OpParams
 , pAdminStateSource
 , pEnableDataCollectors
 , pDisableDataCollectors
+ , pNodeSslCerts
 ) where
 import Control.Monad (liftM, mplus)
@@ -1843,3 +1844,9 @@ pDisableDataCollectors =
 withDoc "Deactivate the data collectors" .
 defaultField [| emptyListSet |] $
 simpleField "disable_data_collectors" [t| ListSet String |]
+
+pNodeSslCerts :: Field
+pNodeSslCerts =
+ withDoc "Whether to renew node SSL certificates" .
+ defaultField [| False |] $
+ simpleField "node_certificates" [t| Bool |]
--
2.1.0.rc2.206.gedb03e5