This patch integrates the renewal of the client certificates of non-master nodes using the new ssl-update tool.
Signed-off-by: Helga Velroyen <[email protected]>
---
 Makefile.am | 5 ++++-
 lib/client/gnt_cluster.py | 42 ++++++++++++++++++++++++++++++++++++------
 lib/pathutils.py | 1 +
 3 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index b4fdba0..79c964e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -300,6 +300,7 @@ CLEANFILES = \
 tools/vif-ganeti-metad \
 tools/net-common \
 tools/users-setup \
+ tools/ssl-update \
 tools/vcluster-setup \
 $(python_scripts_shebang) \
 stamp-directories \
@@ -1160,6 +1161,7 @@ PYTHON_BOOTSTRAP = \
 tools/ensure-dirs \
 tools/node-cleanup \
 tools/node-daemon-setup \
+ tools/ssl-update \
 tools/prepare-node-join
 qa_scripts = \
@@ -1403,7 +1405,8 @@ pkglib_python_scripts = \
 nodist_pkglib_python_scripts = \
 tools/ensure-dirs \
 tools/node-daemon-setup \
- tools/prepare-node-join
+ tools/prepare-node-join \
+ tools/ssl-update
 pkglib_python_basenames = \
 $(patsubst daemons/%,%,$(patsubst tools/%,%,\
diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 0c0e165..5afbdda 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -1055,16 +1055,46 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
 for file_name in files_to_copy:
 ctx.ssh.CopyFileToNode(node_name, port, file_name)
- RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
+ def _RenewClientCerts(ctx):
+ ctx.feedback_fn("Updating client SSL certificates.")
+
+ # TODO: transport those options outside.
+ debug = True
+ verbose = True
+
+ cluster_name = ssconf.SimpleStore().GetClusterName()
+
+ for node_name in ctx.nonmaster_nodes:
+ ssh_port = ctx.ssh_ports[node_name]
+ data = {
+ constants.NDS_CLUSTER_NAME: cluster_name,
+ constants.NDS_NODE_DAEMON_CERTIFICATE:
+ utils.ReadFile(pathutils.NODED_CERT_FILE),
+ constants.NDS_NODE_NAME: node_name,
+ }
+
+ bootstrap.RunNodeSetupCmd(
+ cluster_name,
+ node_name,
+ pathutils.SSL_UPDATE,
+ debug,
+ verbose,
+ True, # use cluster key
+ False, # ask key
+ True, # strict host check
+ ssh_port,
+ data)
+
+ if new_cluster_cert or new_rapi_cert or new_spice_cert \
+ or new_confd_hmac_key or new_cds:
+ RunWhileClusterStopped(ToStdout, _RenewCryptoInner)
+
+ if new_node_cert:
+ RunWhileDaemonsStopped(ToStdout, [constants.WCONFD], _RenewClientCerts)
 ToStdout("All requested certificates and keys have been replaced."
 " Running \"gnt-cluster verify\" now is recommended.")
- if new_node_cert:
- cl = GetClient()
- renew_op = opcodes.OpClusterRenewCrypto()
- SubmitOpCode(renew_op, cl=cl)
-
 return 0
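Review bot: The per-node loop in `_RenewClientCerts` has no error handling: if `bootstrap.RunNodeSetupCmd` fails for one node (unreachable host, SSH or tool error), the exception leaves the loop, every remaining non-master node keeps its old client certificate, and the success message is never printed, so the operator gets no record of which nodes were renewed and which were not. Consider catching the error type RunNodeSetupCmd raises per node, reporting the node name through `ctx.feedback_fn`, and raising a single summary error after all nodes have been tried. The hard-coded `debug = True` and `verbose = True` (already marked TODO) should come from the command-line options rather than being fixed; it is not visible in this hunk whether `_RenewCrypto` receives them. The hunk only renews `ctx.nonmaster_nodes`; if the master's own client certificate is renewed elsewhere, a short comment above the loop saying so would help the next reader. The enclosing `_RenewCrypto` starts before this hunk.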
@@ -65,6 +65,7 @@ KVM_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/kvm-console-wrapper"
 KVM_IFUP = _constants.PKGLIBDIR + "/kvm-ifup"
 PREPARE_NODE_JOIN = _constants.PKGLIBDIR + "/prepare-node-join"
 NODE_DAEMON_SETUP = _constants.PKGLIBDIR + "/node-daemon-setup"
+SSL_UPDATE = _constants.PKGLIBDIR + "/ssl-update"
 XEN_CONSOLE_WRAPPER = _constants.PKGLIBDIR + "/tools/xen-console-wrapper"
 CFGUPGRADE = _constants.PKGLIBDIR + "/tools/cfgupgrade"
 POST_UPGRADE = _constants.PKGLIBDIR + "/tools/post-upgrade"
-- 
2.4.3.573.g4eafbef
