2018-08-20 04:37:04 +00:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/rancher/rke/cluster"
|
|
|
|
|
"github.com/rancher/rke/hosts"
|
|
|
|
|
"github.com/rancher/rke/log"
|
|
|
|
|
"github.com/rancher/rke/pki"
|
|
|
|
|
"github.com/rancher/rke/services"
|
|
|
|
|
"github.com/rancher/types/apis/management.cattle.io/v3"
|
|
|
|
|
"github.com/urfave/cli"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func CertificateCommand() cli.Command {
|
|
|
|
|
return cli.Command{
|
|
|
|
|
Name: "cert",
|
|
|
|
|
Usage: "Certificates management for RKE cluster",
|
|
|
|
|
Subcommands: cli.Commands{
|
|
|
|
|
cli.Command{
|
|
|
|
|
Name: "rotate",
|
|
|
|
|
Usage: "Rotate RKE cluster certificates",
|
|
|
|
|
Action: rotateRKECertificatesFromCli,
|
|
|
|
|
Flags: []cli.Flag{
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "config",
|
|
|
|
|
Usage: "Specify an alternate cluster YAML file",
|
|
|
|
|
Value: pki.ClusterConfig,
|
|
|
|
|
EnvVar: "RKE_CONFIG",
|
|
|
|
|
},
|
|
|
|
|
cli.StringSliceFlag{
|
|
|
|
|
Name: "service",
|
|
|
|
|
Usage: fmt.Sprintf("Specify a k8s service to rotate certs, (allowed values: %s, %s, %s, %s, %s, %s)",
|
|
|
|
|
services.KubeAPIContainerName,
|
|
|
|
|
services.KubeControllerContainerName,
|
|
|
|
|
services.SchedulerContainerName,
|
|
|
|
|
services.KubeletContainerName,
|
|
|
|
|
services.KubeproxyContainerName,
|
|
|
|
|
services.EtcdContainerName,
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "rotate-ca",
|
|
|
|
|
Usage: "Rotate all certificates including CA certs",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func rotateRKECertificatesFromCli(ctx *cli.Context) error {
|
|
|
|
|
k8sComponent := ctx.StringSlice("service")
|
|
|
|
|
rotateCACert := ctx.Bool("rotate-ca")
|
|
|
|
|
clusterFile, filePath, err := resolveClusterFile(ctx)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Failed to resolve cluster file: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rkeConfig, err := cluster.ParseConfig(clusterFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Failed to parse cluster file: %v", err)
|
|
|
|
|
}
|
|
|
|
|
rkeConfig, err = setOptionsFromCLI(ctx, rkeConfig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-11-07 23:54:08 +00:00
|
|
|
// setting up the flags
|
|
|
|
|
flags := cluster.GetExternalFlags(false, rotateCACert, false, false, k8sComponent, "", filePath)
|
2018-08-20 04:37:04 +00:00
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
return RotateRKECertificates(context.Background(), rkeConfig, hosts.DialersOptions{}, flags)
|
2018-08-20 04:37:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func showRKECertificatesFromCli(ctx *cli.Context) error {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
func RotateRKECertificates(ctx context.Context, rkeConfig *v3.RancherKubernetesEngineConfig, dialersOptions hosts.DialersOptions, flags cluster.ExternalFlags) error {
|
2018-08-20 04:37:04 +00:00
|
|
|
|
|
|
|
|
log.Infof(ctx, "Rotating Kubernetes cluster certificates")
|
2018-11-07 23:54:08 +00:00
|
|
|
clusterState, err := cluster.ReadStateFile(ctx, cluster.GetStateFilePath(flags.ClusterFilePath, flags.ConfigDir))
|
2018-08-20 04:37:04 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
kubeCluster, err := cluster.InitClusterObject(ctx, rkeConfig, flags)
|
2018-11-03 01:45:23 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-11-07 23:54:08 +00:00
|
|
|
if err := kubeCluster.SetupDialers(ctx, dialersOptions); err != nil {
|
2018-11-03 01:45:23 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
if err := kubeCluster.TunnelHosts(ctx, flags); err != nil {
|
2018-08-20 04:37:04 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
currentCluster, err := kubeCluster.GetClusterState(ctx, clusterState)
|
2018-08-20 04:37:04 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-03 01:45:23 +00:00
|
|
|
if err := cluster.SetUpAuthentication(ctx, kubeCluster, currentCluster, clusterState); err != nil {
|
2018-08-20 04:37:04 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
if err := cluster.RotateRKECertificates(ctx, kubeCluster, flags); err != nil {
|
2018-08-20 04:37:04 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := kubeCluster.SetUpHosts(ctx, true); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
// Restarting Kubernetes components
|
|
|
|
|
servicesMap := make(map[string]bool)
|
2018-11-07 23:54:08 +00:00
|
|
|
for _, component := range flags.RotateComponents {
|
2018-08-20 04:37:04 +00:00
|
|
|
servicesMap[component] = true
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
if len(flags.RotateComponents) == 0 || flags.RotateCACerts || servicesMap[services.EtcdContainerName] {
|
2018-08-20 04:37:04 +00:00
|
|
|
if err := services.RestartEtcdPlane(ctx, kubeCluster.EtcdHosts); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := services.RestartControlPlane(ctx, kubeCluster.ControlPlaneHosts); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
allHosts := hosts.GetUniqueHostList(kubeCluster.EtcdHosts, kubeCluster.ControlPlaneHosts, kubeCluster.WorkerHosts)
|
|
|
|
|
if err := services.RestartWorkerPlane(ctx, allHosts); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 23:54:08 +00:00
|
|
|
if flags.RotateCACerts {
|
2018-08-20 04:37:04 +00:00
|
|
|
return cluster.RestartClusterPods(ctx, kubeCluster)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
