Fix rotate certificates with new state

cluster/certificates.go

@@ -19,6 +19,11 @@ import (
 	"k8s.io/client-go/util/cert"
 )
 
+type RotateCertificatesFlags struct {
+	RotateCACerts    bool
+	RotateComponents []string
+}
+
 func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster, fullState *FullState) error {
 	if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {
 		kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle
@@ -274,7 +279,7 @@ func regenerateAPIAggregationCerts(c *Cluster, certificates map[string]pki.Certi
 	return certificates, nil
 }
 
-func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags) error {
+func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags, rotateflags RotateCertificatesFlags, clusterState *FullState) error {
 	var (
 		serviceAccountTokenKey string
 	)
@@ -286,27 +291,27 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags)
 		services.KubeletContainerName:        pki.GenerateKubeNodeCertificate,
 		services.EtcdContainerName:           pki.GenerateEtcdCertificates,
 	}
-	if flags.RotateCACerts {
+	if rotateflags.RotateCACerts {
 		// rotate CA cert and RequestHeader CA cert
 		if err := pki.GenerateRKECACerts(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {
 			return err
 		}
-		flags.RotateComponents = nil
+		rotateflags.RotateComponents = nil
 	}
-	for _, k8sComponent := range flags.RotateComponents {
+	for _, k8sComponent := range rotateflags.RotateComponents {
 		genFunc := componentsCertsFuncMap[k8sComponent]
 		if genFunc != nil {
-			if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir); err != nil {
+			if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
 				return err
 			}
 		}
 	}
-	if len(flags.RotateComponents) == 0 {
+	if len(rotateflags.RotateComponents) == 0 {
 		// do not rotate service account token
 		if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {
 			serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))
 		}
-		if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir); err != nil {
+		if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
 			return err
 		}
 		if serviceAccountTokenKey != "" {
@@ -322,5 +327,14 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags)
 				privateKey.(*rsa.PrivateKey))
 		}
 	}
+	clusterState.DesiredState.CertificatesBundle = c.Certificates
+	clusterState.DesiredState.RancherKubernetesEngineConfig = &c.RancherKubernetesEngineConfig
 	return nil
 }
+
+func GetRotateCertsFlags(rotateCACerts bool, components []string) RotateCertificatesFlags {
+	return RotateCertificatesFlags{
+		RotateCACerts:    rotateCACerts,
+		RotateComponents: components,
+	}
+}

cluster/defaults.go

@@ -50,8 +50,6 @@ type ExternalFlags struct {
 	ClusterFilePath  string
 	DisablePortCheck bool
 	Local            bool
-	RotateCACerts    bool
-	RotateComponents []string
 	UpdateOnly       bool
 }
 
@@ -292,14 +290,12 @@ func (c *Cluster) setCloudProvider() error {
 	return nil
 }
 
-func GetExternalFlags(local, rotateca, updateOnly, disablePortCheck bool, RotateComponents []string, configDir, clusterFilePath string) ExternalFlags {
+func GetExternalFlags(local, updateOnly, disablePortCheck bool, configDir, clusterFilePath string) ExternalFlags {
 	return ExternalFlags{
 		Local:            local,
 		UpdateOnly:       updateOnly,
 		DisablePortCheck: disablePortCheck,
 		ConfigDir:        configDir,
 		ClusterFilePath:  clusterFilePath,
-		RotateCACerts:    rotateca,
-		RotateComponents: RotateComponents,
 	}
 }

cluster/state.go

@@ -47,7 +47,7 @@ func (c *Cluster) GetClusterState(ctx context.Context, fullState *FullState) (*C
 	}
 
 	// resetup external flags
-	flags := GetExternalFlags(false, false, false, false, nil, c.ConfigDir, c.ConfigPath)
+	flags := GetExternalFlags(false, false, false, c.ConfigDir, c.ConfigPath)
 	currentCluster, err := InitClusterObject(ctx, fullState.CurrentState.RancherKubernetesEngineConfig, flags)
 	if err != nil {
 		return nil, err
@@ -161,15 +161,15 @@ func RebuildState(ctx context.Context, rkeConfig *v3.RancherKubernetesEngineConf
 	} else {
 		// Regenerating etcd certificates for any new etcd nodes
 		pkiCertBundle := oldState.DesiredState.CertificatesBundle
-		if err := pki.GenerateEtcdCertificates(ctx, pkiCertBundle, *rkeConfig, "", ""); err != nil {
+		if err := pki.GenerateEtcdCertificates(ctx, pkiCertBundle, *rkeConfig, "", "", false); err != nil {
 			return nil, err
 		}
 		// Regenerating kubeapi certificates for any new kubeapi nodes
-		if err := pki.GenerateKubeAPICertificate(ctx, pkiCertBundle, *rkeConfig, "", ""); err != nil {
+		if err := pki.GenerateKubeAPICertificate(ctx, pkiCertBundle, *rkeConfig, "", "", false); err != nil {
 			return nil, err
 		}
 		// Regenerating kubeadmin certificates/config
-		if err := pki.GenerateKubeAdminCertificate(ctx, pkiCertBundle, *rkeConfig, flags.ClusterFilePath, flags.ConfigDir); err != nil {
+		if err := pki.GenerateKubeAdminCertificate(ctx, pkiCertBundle, *rkeConfig, flags.ClusterFilePath, flags.ConfigDir, false); err != nil {
 			return nil, err
 		}
 		newState.DesiredState.CertificatesBundle = pkiCertBundle