rke/cmd/cert.go

package cmd

import (
	"context"
	"crypto/x509"
	"fmt"
	"time"

	"github.com/rancher/rke/cluster"
	"github.com/rancher/rke/hosts"
	"github.com/rancher/rke/log"
	"github.com/rancher/rke/pki"
	"github.com/rancher/rke/pki/cert"
	"github.com/rancher/rke/services"
	v3 "github.com/rancher/rke/types"
	"github.com/sirupsen/logrus"
	"github.com/urfave/cli"
)

func CertificateCommand() cli.Command {
	rotateFlags := []cli.Flag{
		cli.StringFlag{
			Name:   "config",
			Usage:  "Specify an alternate cluster YAML file",
			Value:  pki.ClusterConfig,
			EnvVar: "RKE_CONFIG",
		},
		cli.StringSliceFlag{
			Name: "service",
			Usage: fmt.Sprintf("Specify a k8s service to rotate certs, (allowed values: %s, %s, %s, %s, %s, %s)",
				services.KubeAPIContainerName,
				services.KubeControllerContainerName,
				services.SchedulerContainerName,
				services.KubeletContainerName,
				services.KubeproxyContainerName,
				services.EtcdContainerName,
			),
		},
		cli.BoolFlag{
			Name:  "rotate-ca",
			Usage: "Rotate all certificates including CA certs",
		},
	}
	rotateFlags = append(rotateFlags, commonFlags...)
	return cli.Command{
		Name:  "cert",
		Usage: "Certificates management for RKE cluster",
		Subcommands: cli.Commands{
			cli.Command{
				Name:   "rotate",
				Usage:  "Rotate RKE cluster certificates",
				Action: rotateRKECertificatesFromCli,
				Flags:  rotateFlags,
			},
			cli.Command{
				Name:   "generate-csr",
				Usage:  "Generate certificate sign requests for k8s components",
				Action: generateCSRFromCli,
				Flags: []cli.Flag{
					cli.StringFlag{
						Name:   "config",
						Usage:  "Specify an alternate cluster YAML file",
						Value:  pki.ClusterConfig,
						EnvVar: "RKE_CONFIG",
					},
					cli.StringFlag{
						Name:  "cert-dir",
						Usage: "Specify a certificate dir path",
					},
				},
			},
		},
	}
}

func rotateRKECertificatesFromCli(ctx *cli.Context) error {
	logrus.Infof("Running RKE version: %v", ctx.App.Version)
	k8sComponents := ctx.StringSlice("service")
	rotateCACerts := ctx.Bool("rotate-ca")
	clusterFile, filePath, err := resolveClusterFile(ctx)
	if err != nil {
		return fmt.Errorf("Failed to resolve cluster file: %v", err)
	}

	rkeConfig, err := cluster.ParseConfig(clusterFile)
	if err != nil {
		return fmt.Errorf("Failed to parse cluster file: %v", err)
	}
	rkeConfig, err = setOptionsFromCLI(ctx, rkeConfig)
	if err != nil {
		return err
	}
	// setting up the flags
	externalFlags := cluster.GetExternalFlags(false, false, false, false, "", filePath)
	// setting up rotate flags
	rkeConfig.RotateCertificates = &v3.RotateCertificates{
		CACertificates: rotateCACerts,
		Services:       k8sComponents,
	}
	if err := ClusterInit(context.Background(), rkeConfig, hosts.DialersOptions{}, externalFlags); err != nil {
		return err
	}
	_, _, _, _, _, err = ClusterUp(context.Background(), hosts.DialersOptions{}, externalFlags, map[string]interface{}{})
	return err
}

func generateCSRFromCli(ctx *cli.Context) error {
	logrus.Infof("Running RKE version: %v", ctx.App.Version)
	clusterFile, filePath, err := resolveClusterFile(ctx)
	if err != nil {
		return fmt.Errorf("Failed to resolve cluster file: %v", err)
	}

	rkeConfig, err := cluster.ParseConfig(clusterFile)
	if err != nil {
		return fmt.Errorf("Failed to parse cluster file: %v", err)
	}
	rkeConfig, err = setOptionsFromCLI(ctx, rkeConfig)
	if err != nil {
		return err
	}
	// setting up the flags
	externalFlags := cluster.GetExternalFlags(false, false, false, false, "", filePath)
	externalFlags.CertificateDir = ctx.String("cert-dir")
	externalFlags.CustomCerts = ctx.Bool("custom-certs")

	return GenerateRKECSRs(context.Background(), rkeConfig, externalFlags)
}

func rebuildClusterWithRotatedCertificates(ctx context.Context,
	dialersOptions hosts.DialersOptions,
	flags cluster.ExternalFlags, svcOptionData map[string]*v3.KubernetesServicesOptions) (string, string, string, string, map[string]pki.CertificatePKI, error) {
	var APIURL, caCrt, clientCert, clientKey string
	log.Infof(ctx, "Rebuilding Kubernetes cluster with rotated certificates")
	clusterState, err := cluster.ReadStateFile(ctx, cluster.GetStateFilePath(flags.ClusterFilePath, flags.ConfigDir))
	if err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	kubeCluster, err := cluster.InitClusterObject(ctx, clusterState.DesiredState.RancherKubernetesEngineConfig.DeepCopy(), flags, clusterState.DesiredState.EncryptionConfig)
	if err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}
	if err := kubeCluster.SetupDialers(ctx, dialersOptions); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	if err := kubeCluster.TunnelHosts(ctx, flags); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	if err := cluster.SetUpAuthentication(ctx, kubeCluster, nil, clusterState); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}
	if len(kubeCluster.ControlPlaneHosts) > 0 {
		APIURL = fmt.Sprintf("https://%s:6443", kubeCluster.ControlPlaneHosts[0].Address)
	}
	clientCert = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Certificate))
	clientKey = string(cert.EncodePrivateKeyPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Key))
	caCrt = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.CACertName].Certificate))

	if err := kubeCluster.SetUpHosts(ctx, flags); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	// Save new State
	if err := saveClusterState(ctx, kubeCluster, clusterState); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	// Restarting Kubernetes components
	servicesMap := make(map[string]bool)
	for _, component := range kubeCluster.RotateCertificates.Services {
		servicesMap[component] = true
	}

	if len(kubeCluster.RotateCertificates.Services) == 0 || kubeCluster.RotateCertificates.CACertificates || servicesMap[services.EtcdContainerName] {
		if err := services.RestartEtcdPlane(ctx, kubeCluster.EtcdHosts); err != nil {
			return APIURL, caCrt, clientCert, clientKey, nil, err
		}
	}
	isLegacyKubeAPI, err := cluster.IsLegacyKubeAPI(ctx, kubeCluster)
	if err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}
	if isLegacyKubeAPI {
		log.Infof(ctx, "[controlplane] Redeploying controlplane to update kubeapi parameters")
		if _, err := kubeCluster.DeployControlPlane(ctx, svcOptionData, true); err != nil {
			return APIURL, caCrt, clientCert, clientKey, nil, err
		}
	}
	if err := services.RestartControlPlane(ctx, kubeCluster.ControlPlaneHosts); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	allHosts := hosts.GetUniqueHostList(kubeCluster.EtcdHosts, kubeCluster.ControlPlaneHosts, kubeCluster.WorkerHosts)
	if err := services.RestartWorkerPlane(ctx, allHosts); err != nil {
		return APIURL, caCrt, clientCert, clientKey, nil, err
	}

	if kubeCluster.RotateCertificates.CACertificates {
		if err := cluster.RestartClusterPods(ctx, kubeCluster); err != nil {
			return APIURL, caCrt, clientCert, clientKey, nil, err
		}
	}
	return APIURL, caCrt, clientCert, clientKey, kubeCluster.Certificates, nil
}

func saveClusterState(ctx context.Context, kubeCluster *cluster.Cluster, clusterState *cluster.FullState) error {
	var err error
	if err = kubeCluster.UpdateClusterCurrentState(ctx, clusterState); err != nil {
		return err
	}
	// Attempt to store cluster full state to Kubernetes
	for i := 1; i <= 3; i++ {
		err = cluster.SaveFullStateToKubernetes(ctx, kubeCluster, clusterState)
		if err != nil {
			time.Sleep(time.Second * time.Duration(2))
			continue
		}
		break
	}
	if err != nil {
		logrus.Warnf("Failed to save full cluster state to Kubernetes")
	}
	return nil
}

func rotateRKECertificates(ctx context.Context, kubeCluster *cluster.Cluster, flags cluster.ExternalFlags, rkeFullState *cluster.FullState) (*cluster.FullState, error) {
	log.Infof(ctx, "Rotating Kubernetes cluster certificates")
	currentCluster, err := kubeCluster.GetClusterState(ctx, rkeFullState)
	if err != nil {
		return nil, err
	}
	if currentCluster == nil {
		return nil, fmt.Errorf("Failed to rotate certificates: can't find old certificates")
	}
	currentCluster.RotateCertificates = kubeCluster.RotateCertificates
	if !kubeCluster.RotateCertificates.CACertificates {
		caCertPKI, ok := rkeFullState.CurrentState.CertificatesBundle[pki.CACertName]
		if !ok {
			return nil, fmt.Errorf("Failed to rotate certificates: can't find CA certificate")
		}
		caCert := caCertPKI.Certificate
		if caCert == nil {
			return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is nil")
		}
		certPool := x509.NewCertPool()
		certPool.AddCert(caCert)
		if _, err := caCert.Verify(x509.VerifyOptions{Roots: certPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
			return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is invalid, please use the --rotate-ca flag to rotate CA certificate, error: %v", err)
		}
	}
	if err := cluster.RotateRKECertificates(ctx, currentCluster, flags, rkeFullState); err != nil {
		return nil, err
	}
	rkeFullState.DesiredState.RancherKubernetesEngineConfig = &kubeCluster.RancherKubernetesEngineConfig
	return rkeFullState, nil
}

func GenerateRKECSRs(ctx context.Context, rkeConfig *v3.RancherKubernetesEngineConfig, flags cluster.ExternalFlags) error {
	log.Infof(ctx, "Generating Kubernetes cluster CSR certificates")
	if len(flags.CertificateDir) == 0 {
		flags.CertificateDir = cluster.GetCertificateDirPath(flags.ClusterFilePath, flags.ConfigDir)
	}

	certBundle, err := pki.ReadCSRsAndKeysFromDir(flags.CertificateDir)
	if err != nil {
		return err
	}

	// initialze the cluster object from the config file
	kubeCluster, err := cluster.InitClusterObject(ctx, rkeConfig, flags, "")
	if err != nil {
		return err
	}

	// Generating csrs for kubernetes components
	if err := pki.GenerateRKEServicesCSRs(ctx, certBundle, kubeCluster.RancherKubernetesEngineConfig); err != nil {
		return err
	}
	return pki.WriteCertificates(kubeCluster.CertificateDir, certBundle)
}
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`package cmd`

			`import (`
			`"context"`
Validate kube-ca cert before rotating certs 2020-03-18 20:12:53 +00:00			`"crypto/x509"`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`"fmt"`
Save cluster state to k8s on cert rotation In addition to storing it on the disk 2019-11-11 22:29:24 +00:00			`"time"`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00
			`"github.com/rancher/rke/cluster"`
			`"github.com/rancher/rke/hosts"`
			`"github.com/rancher/rke/log"`
			`"github.com/rancher/rke/pki"`
Update to new certs package since latest k8s dropped it 2019-08-19 17:53:15 +00:00			`"github.com/rancher/rke/pki/cert"`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`"github.com/rancher/rke/services"`
Remove references to rancher/types 2020-07-11 16:24:19 +00:00			`v3 "github.com/rancher/rke/types"`
Validate kube-ca cert before rotating certs 2020-03-18 20:12:53 +00:00			`"github.com/sirupsen/logrus"`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`"github.com/urfave/cli"`
			`)`

			`func CertificateCommand() cli.Command {`
Make commonflags work with rke cert commands 2019-08-08 18:06:40 +00:00			`rotateFlags := []cli.Flag{`
			`cli.StringFlag{`
			`Name: "config",`
			`Usage: "Specify an alternate cluster YAML file",`
			`Value: pki.ClusterConfig,`
			`EnvVar: "RKE_CONFIG",`
			`},`
			`cli.StringSliceFlag{`
			`Name: "service",`
			`Usage: fmt.Sprintf("Specify a k8s service to rotate certs, (allowed values: %s, %s, %s, %s, %s, %s)",`
			`services.KubeAPIContainerName,`
			`services.KubeControllerContainerName,`
			`services.SchedulerContainerName,`
			`services.KubeletContainerName,`
			`services.KubeproxyContainerName,`
			`services.EtcdContainerName,`
			`),`
			`},`
			`cli.BoolFlag{`
			`Name: "rotate-ca",`
			`Usage: "Rotate all certificates including CA certs",`
			`},`
			`}`
			`rotateFlags = append(rotateFlags, commonFlags...)`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`return cli.Command{`
			`Name: "cert",`
			`Usage: "Certificates management for RKE cluster",`
			`Subcommands: cli.Commands{`
			`cli.Command{`
			`Name: "rotate",`
			`Usage: "Rotate RKE cluster certificates",`
			`Action: rotateRKECertificatesFromCli,`
Make commonflags work with rke cert commands 2019-08-08 18:06:40 +00:00			`Flags: rotateFlags,`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`},`
Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00			`cli.Command{`
			`Name: "generate-csr",`
			`Usage: "Generate certificate sign requests for k8s components",`
			`Action: generateCSRFromCli,`
			`Flags: []cli.Flag{`
			`cli.StringFlag{`
			`Name: "config",`
			`Usage: "Specify an alternate cluster YAML file",`
			`Value: pki.ClusterConfig,`
			`EnvVar: "RKE_CONFIG",`
			`},`
			`cli.StringFlag{`
			`Name: "cert-dir",`
			`Usage: "Specify a certificate dir path",`
			`},`
			`},`
			`},`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`},`
			`}`
			`}`

			`func rotateRKECertificatesFromCli(ctx *cli.Context) error {`
print version 2019-09-03 20:01:22 +00:00			`logrus.Infof("Running RKE version: %v", ctx.App.Version)`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`k8sComponents := ctx.StringSlice("service")`
			`rotateCACerts := ctx.Bool("rotate-ca")`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`clusterFile, filePath, err := resolveClusterFile(ctx)`
			`if err != nil {`
			`return fmt.Errorf("Failed to resolve cluster file: %v", err)`
			`}`

			`rkeConfig, err := cluster.ParseConfig(clusterFile)`
			`if err != nil {`
			`return fmt.Errorf("Failed to parse cluster file: %v", err)`
			`}`
			`rkeConfig, err = setOptionsFromCLI(ctx, rkeConfig)`
			`if err != nil {`
			`return err`
			`}`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`// setting up the flags`
Add restore flag to use local state 2020-08-03 13:35:38 +00:00			`externalFlags := cluster.GetExternalFlags(false, false, false, false, "", filePath)`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`// setting up rotate flags`
			`rkeConfig.RotateCertificates = &v3.RotateCertificates{`
			`CACertificates: rotateCACerts,`
			`Services: k8sComponents,`
			`}`
			`if err := ClusterInit(context.Background(), rkeConfig, hosts.DialersOptions{}, externalFlags); err != nil {`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`return err`
			`}`
rancher pass serviceoptions and addon templates to rke 2019-06-17 20:52:15 +00:00			`_, _, _, _, _, err = ClusterUp(context.Background(), hosts.DialersOptions{}, externalFlags, map[string]interface{}{})`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00			`func generateCSRFromCli(ctx *cli.Context) error {`
print version 2019-09-03 20:01:22 +00:00			`logrus.Infof("Running RKE version: %v", ctx.App.Version)`
Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00			`clusterFile, filePath, err := resolveClusterFile(ctx)`
			`if err != nil {`
			`return fmt.Errorf("Failed to resolve cluster file: %v", err)`
			`}`

			`rkeConfig, err := cluster.ParseConfig(clusterFile)`
			`if err != nil {`
			`return fmt.Errorf("Failed to parse cluster file: %v", err)`
			`}`
			`rkeConfig, err = setOptionsFromCLI(ctx, rkeConfig)`
			`if err != nil {`
			`return err`
			`}`
			`// setting up the flags`
Add restore flag to use local state 2020-08-03 13:35:38 +00:00			`externalFlags := cluster.GetExternalFlags(false, false, false, false, "", filePath)`
Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00			`externalFlags.CertificateDir = ctx.String("cert-dir")`
			`externalFlags.CustomCerts = ctx.Bool("custom-certs")`

			`return GenerateRKECSRs(context.Background(), rkeConfig, externalFlags)`
			`}`

Run rebuild cluster certs from clusterup 2018-12-20 22:01:42 +00:00			`func rebuildClusterWithRotatedCertificates(ctx context.Context,`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`dialersOptions hosts.DialersOptions,`
consider service options based on hostOS info 2019-09-06 22:53:14 +00:00			`flags cluster.ExternalFlags, svcOptionData map[string]*v3.KubernetesServicesOptions) (string, string, string, string, map[string]pki.CertificatePKI, error) {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`var APIURL, caCrt, clientCert, clientKey string`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`log.Infof(ctx, "Rebuilding Kubernetes cluster with rotated certificates")`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`clusterState, err := cluster.ReadStateFile(ctx, cluster.GetStateFilePath(flags.ClusterFilePath, flags.ConfigDir))`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`if err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

Add Secret Encryption Provider Support 2019-10-03 01:56:39 +00:00			`kubeCluster, err := cluster.InitClusterObject(ctx, clusterState.DesiredState.RancherKubernetesEngineConfig.DeepCopy(), flags, clusterState.DesiredState.EncryptionConfig)`
refactor the build state remove extra cert generation for etcd in reconcile fix reconcile and etcd add and remove cluster state with rke remove fix add/remove issues Fix the up command Fix default paths for kubeconfig and rkestate 2018-11-03 01:45:23 +00:00			`if err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
refactor the build state remove extra cert generation for etcd in reconcile fix reconcile and etcd add and remove cluster state with rke remove fix add/remove issues Fix the up command Fix default paths for kubeconfig and rkestate 2018-11-03 01:45:23 +00:00			`}`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`if err := kubeCluster.SetupDialers(ctx, dialersOptions); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
refactor the build state remove extra cert generation for etcd in reconcile fix reconcile and etcd add and remove cluster state with rke remove fix add/remove issues Fix the up command Fix default paths for kubeconfig and rkestate 2018-11-03 01:45:23 +00:00			`}`

Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`if err := kubeCluster.TunnelHosts(ctx, flags); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if err := cluster.SetUpAuthentication(ctx, kubeCluster, nil, clusterState); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
Address panic in cert rotation code 2019-12-04 19:22:23 +00:00			`if len(kubeCluster.ControlPlaneHosts) > 0 {`
			`APIURL = fmt.Sprintf("https://%s:6443", kubeCluster.ControlPlaneHosts[0].Address)`
			`}`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`clientCert = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Certificate))`
			`clientKey = string(cert.EncodePrivateKeyPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Key))`
			`caCrt = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.CACertName].Certificate))`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00
Add restart components to custom certs 2019-01-14 17:51:20 +00:00			`if err := kubeCluster.SetUpHosts(ctx, flags); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
Save cluster state to k8s on cert rotation In addition to storing it on the disk 2019-11-11 22:29:24 +00:00
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`// Save new State`
Save cluster state to k8s on cert rotation In addition to storing it on the disk 2019-11-11 22:29:24 +00:00			`if err := saveClusterState(ctx, kubeCluster, clusterState); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

			`// Restarting Kubernetes components`
			`servicesMap := make(map[string]bool)`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`for _, component := range kubeCluster.RotateCertificates.Services {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`servicesMap[component] = true`
			`}`

Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`if len(kubeCluster.RotateCertificates.Services) == 0 \|\| kubeCluster.RotateCertificates.CACertificates \|\| servicesMap[services.EtcdContainerName] {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`if err := services.RestartEtcdPlane(ctx, kubeCluster.EtcdHosts); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
			`}`
Upgrade legacy kubeapi service 2019-03-09 02:09:16 +00:00			`isLegacyKubeAPI, err := cluster.IsLegacyKubeAPI(ctx, kubeCluster)`
			`if err != nil {`
			`return APIURL, caCrt, clientCert, clientKey, nil, err`
			`}`
			`if isLegacyKubeAPI {`
			`log.Infof(ctx, "[controlplane] Redeploying controlplane to update kubeapi parameters")`
Attempt upgrade on NotReady hosts 2020-02-26 21:33:22 +00:00			`if _, err := kubeCluster.DeployControlPlane(ctx, svcOptionData, true); err != nil {`
Upgrade legacy kubeapi service 2019-03-09 02:09:16 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
			`}`
			`}`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`if err := services.RestartControlPlane(ctx, kubeCluster.ControlPlaneHosts); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

			`allHosts := hosts.GetUniqueHostList(kubeCluster.EtcdHosts, kubeCluster.ControlPlaneHosts, kubeCluster.WorkerHosts)`
			`if err := services.RestartWorkerPlane(ctx, allHosts); err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, nil, err`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`

Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`if kubeCluster.RotateCertificates.CACertificates {`
			`if err := cluster.RestartClusterPods(ctx, kubeCluster); err != nil {`
			`return APIURL, caCrt, clientCert, clientKey, nil, err`
			`}`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return APIURL, caCrt, clientCert, clientKey, kubeCluster.Certificates, nil`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00
Save cluster state to k8s on cert rotation In addition to storing it on the disk 2019-11-11 22:29:24 +00:00			`func saveClusterState(ctx context.Context, kubeCluster cluster.Cluster, clusterState cluster.FullState) error {`
			`var err error`
			`if err = kubeCluster.UpdateClusterCurrentState(ctx, clusterState); err != nil {`
			`return err`
			`}`
			`// Attempt to store cluster full state to Kubernetes`
			`for i := 1; i <= 3; i++ {`
			`err = cluster.SaveFullStateToKubernetes(ctx, kubeCluster, clusterState)`
			`if err != nil {`
			`time.Sleep(time.Second * time.Duration(2))`
			`continue`
			`}`
			`break`
			`}`
			`if err != nil {`
			`logrus.Warnf("Failed to save full cluster state to Kubernetes")`
			`}`
			`return nil`
			`}`

Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`func rotateRKECertificates(ctx context.Context, kubeCluster cluster.Cluster, flags cluster.ExternalFlags, rkeFullState cluster.FullState) (*cluster.FullState, error) {`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`log.Infof(ctx, "Rotating Kubernetes cluster certificates")`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`currentCluster, err := kubeCluster.GetClusterState(ctx, rkeFullState)`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if err != nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return nil, err`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`}`
			`if currentCluster == nil {`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return nil, fmt.Errorf("Failed to rotate certificates: can't find old certificates")`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`}`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`currentCluster.RotateCertificates = kubeCluster.RotateCertificates`
Validate kube-ca cert before rotating certs 2020-03-18 20:12:53 +00:00			`if !kubeCluster.RotateCertificates.CACertificates {`
			`caCertPKI, ok := rkeFullState.CurrentState.CertificatesBundle[pki.CACertName]`
			`if !ok {`
			`return nil, fmt.Errorf("Failed to rotate certificates: can't find CA certificate")`
			`}`
			`caCert := caCertPKI.Certificate`
			`if caCert == nil {`
			`return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is nil")`
			`}`
			`certPool := x509.NewCertPool()`
			`certPool.AddCert(caCert)`
			`if _, err := caCert.Verify(x509.VerifyOptions{Roots: certPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {`
			`return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is invalid, please use the --rotate-ca flag to rotate CA certificate, error: %v", err)`
			`}`
			`}`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`if err := cluster.RotateRKECertificates(ctx, currentCluster, flags, rkeFullState); err != nil {`
			`return nil, err`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`}`
Fix desired state in rke rotate 2019-04-03 22:25:24 +00:00			`rkeFullState.DesiredState.RancherKubernetesEngineConfig = &kubeCluster.RancherKubernetesEngineConfig`
Return api and client certs to rotate certs 2018-11-19 19:30:45 +00:00			`return rkeFullState, nil`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`}`
Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00
			`func GenerateRKECSRs(ctx context.Context, rkeConfig *v3.RancherKubernetesEngineConfig, flags cluster.ExternalFlags) error {`
			`log.Infof(ctx, "Generating Kubernetes cluster CSR certificates")`
			`if len(flags.CertificateDir) == 0 {`
			`flags.CertificateDir = cluster.GetCertificateDirPath(flags.ClusterFilePath, flags.ConfigDir)`
			`}`

			`certBundle, err := pki.ReadCSRsAndKeysFromDir(flags.CertificateDir)`
			`if err != nil {`
			`return err`
			`}`

			`// initialze the cluster object from the config file`
Add Secret Encryption Provider Support 2019-10-03 01:56:39 +00:00			`kubeCluster, err := cluster.InitClusterObject(ctx, rkeConfig, flags, "")`
Adding csr generation and custom certs 2019-01-02 23:02:34 +00:00			`if err != nil {`
			`return err`
			`}`

			`// Generating csrs for kubernetes components`
			`if err := pki.GenerateRKEServicesCSRs(ctx, certBundle, kubeCluster.RancherKubernetesEngineConfig); err != nil {`
			`return err`
			`}`
			`return pki.WriteCertificates(kubeCluster.CertificateDir, certBundle)`
			`}`