
Fix rotate certificates with new state

This commit is contained in:
galal-hussein
2018-11-13 01:24:59 +02:00
committed by Alena Prokharchyk
parent b67a67c3bb
commit 11aa0caabc
9 changed files with 110 additions and 56 deletions


@@ -19,6 +19,11 @@ import (
"k8s.io/client-go/util/cert"
)
type RotateCertificatesFlags struct {
RotateCACerts bool
RotateComponents []string
}
func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster, fullState *FullState) error {
if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {
kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle
@@ -274,7 +279,7 @@ func regenerateAPIAggregationCerts(c *Cluster, certificates map[string]pki.Certi
return certificates, nil
}
func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags) error {
func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags, rotateflags RotateCertificatesFlags, clusterState *FullState) error {
var (
serviceAccountTokenKey string
)
@@ -286,27 +291,27 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags)
services.KubeletContainerName: pki.GenerateKubeNodeCertificate,
services.EtcdContainerName: pki.GenerateEtcdCertificates,
}
if flags.RotateCACerts {
if rotateflags.RotateCACerts {
// rotate CA cert and RequestHeader CA cert
if err := pki.GenerateRKECACerts(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {
return err
}
flags.RotateComponents = nil
rotateflags.RotateComponents = nil
}
for _, k8sComponent := range flags.RotateComponents {
for _, k8sComponent := range rotateflags.RotateComponents {
genFunc := componentsCertsFuncMap[k8sComponent]
if genFunc != nil {
if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir); err != nil {
if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
return err
}
}
}
if len(flags.RotateComponents) == 0 {
if len(rotateflags.RotateComponents) == 0 {
// do not rotate service account token
if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {
serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))
}
if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir); err != nil {
if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
return err
}
if serviceAccountTokenKey != "" {
@@ -322,5 +327,14 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags)
privateKey.(*rsa.PrivateKey))
}
}
clusterState.DesiredState.CertificatesBundle = c.Certificates
clusterState.DesiredState.RancherKubernetesEngineConfig = &c.RancherKubernetesEngineConfig
return nil
}
func GetRotateCertsFlags(rotateCACerts bool, components []string) RotateCertificatesFlags {
return RotateCertificatesFlags{
RotateCACerts: rotateCACerts,
RotateComponents: components,
}
}
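Review bot: The loop in the third hunk still silently skips any entry of rotateflags.RotateComponents that is not a key of componentsCertsFuncMap (genFunc == nil is simply not handled), so a mistyped component name rotates nothing and RotateRKECertificates returns nil; the last hunk then writes DesiredState.CertificatesBundle from an unchanged c.Certificates, leaving the caller no signal that the rotation did not happen. Returning an error for the unknown name, e.g. `if genFunc == nil { return fmt.Errorf("unknown component %q for certificate rotation", k8sComponent) }` (with fmt, or whichever error constructor the file already imports), makes that failure visible to the operator. Separately, the two new assignments at the end of the last hunk dereference clusterState with no nil check; either a guard near the top of the function, `if clusterState == nil { return errors.New("cluster state is required for certificate rotation") }`, or a doc comment on RotateRKECertificates stating that clusterState must be non-nil would avoid a panic. The body of RotateRKECertificates spans several hunks, and its start and the lines between the hunks are outside what is shown here.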