Return api and client certs to rotate certs

2025-09-16 06:59:25 +00:00 · 2018-11-19 21:30:45 +02:00
parent 66fb2c4ac0
commit 4d23fb4288
5 changed files with 92 additions and 108 deletions
--- a/cmd/cert.go
+++ b/cmd/cert.go
@@ -11,6 +11,7 @@ import (
 	"github.com/rancher/rke/services"
 	"github.com/rancher/types/apis/management.cattle.io/v3"
 	"github.com/urfave/cli"
+	"k8s.io/client-go/util/cert"
 )

 func CertificateCommand() cli.Command {
@@ -51,8 +52,8 @@ func CertificateCommand() cli.Command {
 }

 func rotateRKECertificatesFromCli(ctx *cli.Context) error {
-	k8sComponent := ctx.StringSlice("service")
-	rotateCACert := ctx.Bool("rotate-ca")
+	k8sComponents := ctx.StringSlice("service")
+	rotateCACerts := ctx.Bool("rotate-ca")
 	clusterFile, filePath, err := resolveClusterFile(ctx)
 	if err != nil {
 		return fmt.Errorf("Failed to resolve cluster file: %v", err)
@@ -68,12 +69,16 @@ func rotateRKECertificatesFromCli(ctx *cli.Context) error {
 	}
 	// setting up the flags
 	externalFlags := cluster.GetExternalFlags(false, false, false, "", filePath)
-	rotateFlags := cluster.GetRotateCertsFlags(rotateCACert, k8sComponent)
-
-	if err := RotateRKECertificates(context.Background(), rkeConfig, hosts.DialersOptions{}, externalFlags, rotateFlags); err != nil {
+	// setting up rotate flags
+	rkeConfig.RotateCertificates = &v3.RotateCertificates{
+		CACertificates: rotateCACerts,
+		Services:       k8sComponents,
+	}
+	if err := ClusterInit(context.Background(), rkeConfig, hosts.DialersOptions{}, externalFlags); err != nil {
 		return err
 	}
-	return RebuildClusterWithRotatedCertificates(context.Background(), rkeConfig, hosts.DialersOptions{}, externalFlags, rotateFlags)
+	_, _, _, _, _, err = RebuildClusterWithRotatedCertificates(context.Background(), hosts.DialersOptions{}, externalFlags)
+	return err
 }

 func showRKECertificatesFromCli(ctx *cli.Context) error {
@@ -81,104 +86,84 @@ func showRKECertificatesFromCli(ctx *cli.Context) error {
 }

 func RebuildClusterWithRotatedCertificates(ctx context.Context,
-	rkeConfig *v3.RancherKubernetesEngineConfig,
 	dialersOptions hosts.DialersOptions,
-	flags cluster.ExternalFlags,
-	rotateFlags cluster.RotateCertificatesFlags) error {
-
+	flags cluster.ExternalFlags) (string, string, string, string, map[string]pki.CertificatePKI, error) {
+	var APIURL, caCrt, clientCert, clientKey string
 	log.Infof(ctx, "Rebuilding Kubernetes cluster with rotated certificates")
 	clusterState, err := cluster.ReadStateFile(ctx, cluster.GetStateFilePath(flags.ClusterFilePath, flags.ConfigDir))
 	if err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

-	kubeCluster, err := cluster.InitClusterObject(ctx, rkeConfig, flags)
+	kubeCluster, err := cluster.InitClusterObject(ctx, clusterState.DesiredState.RancherKubernetesEngineConfig.DeepCopy(), flags)
 	if err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}
 	if err := kubeCluster.SetupDialers(ctx, dialersOptions); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

 	if err := kubeCluster.TunnelHosts(ctx, flags); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

 	if err := cluster.SetUpAuthentication(ctx, kubeCluster, nil, clusterState); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}
+	APIURL = fmt.Sprintf("https://" + kubeCluster.ControlPlaneHosts[0].Address + ":6443")
+	clientCert = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Certificate))
+	clientKey = string(cert.EncodePrivateKeyPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Key))
+	caCrt = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.CACertName].Certificate))

 	if err := kubeCluster.SetUpHosts(ctx, true); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}
 	// Save new State
 	if err := kubeCluster.UpdateClusterCurrentState(ctx, clusterState); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

 	// Restarting Kubernetes components
 	servicesMap := make(map[string]bool)
-	for _, component := range rotateFlags.RotateComponents {
+	for _, component := range kubeCluster.RotateCertificates.Services {
 		servicesMap[component] = true
 	}

-	if len(rotateFlags.RotateComponents) == 0 || rotateFlags.RotateCACerts || servicesMap[services.EtcdContainerName] {
+	if len(kubeCluster.RotateCertificates.Services) == 0 || kubeCluster.RotateCertificates.CACertificates || servicesMap[services.EtcdContainerName] {
 		if err := services.RestartEtcdPlane(ctx, kubeCluster.EtcdHosts); err != nil {
-			return err
+			return APIURL, caCrt, clientCert, clientKey, nil, err
 		}
 	}

 	if err := services.RestartControlPlane(ctx, kubeCluster.ControlPlaneHosts); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

 	allHosts := hosts.GetUniqueHostList(kubeCluster.EtcdHosts, kubeCluster.ControlPlaneHosts, kubeCluster.WorkerHosts)
 	if err := services.RestartWorkerPlane(ctx, allHosts); err != nil {
-		return err
+		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}

-	if rotateFlags.RotateCACerts {
-		return cluster.RestartClusterPods(ctx, kubeCluster)
+	if kubeCluster.RotateCertificates.CACertificates {
+		if err := cluster.RestartClusterPods(ctx, kubeCluster); err != nil {
+			return APIURL, caCrt, clientCert, clientKey, nil, err
+		}
 	}
-	return nil
+	return APIURL, caCrt, clientCert, clientKey, kubeCluster.Certificates, nil
 }

-func RotateRKECertificates(ctx context.Context,
-	rkeConfig *v3.RancherKubernetesEngineConfig,
-	dialersOptions hosts.DialersOptions,
-	flags cluster.ExternalFlags,
-	rotateFlags cluster.RotateCertificatesFlags) error {
+func rotateRKECertificates(ctx context.Context, kubeCluster *cluster.Cluster, flags cluster.ExternalFlags, rkeFullState *cluster.FullState) (*cluster.FullState, error) {
 	log.Infof(ctx, "Rotating Kubernetes cluster certificates")
-	stateFilePath := cluster.GetStateFilePath(flags.ClusterFilePath, flags.ConfigDir)
-	clusterState, _ := cluster.ReadStateFile(ctx, stateFilePath)
-
-	kubeCluster, err := cluster.InitClusterObject(ctx, rkeConfig, flags)
+	currentCluster, err := kubeCluster.GetClusterState(ctx, rkeFullState)
 	if err != nil {
-		return err
-	}
-
-	if err := kubeCluster.SetupDialers(ctx, dialersOptions); err != nil {
-		return err
-	}
-
-	err = doUpgradeLegacyCluster(ctx, kubeCluster, clusterState)
-	if err != nil {
-		log.Warnf(ctx, "[state] can't fetch legacy cluster state from Kubernetes")
-	}
-
-	currentCluster, err := kubeCluster.GetClusterState(ctx, clusterState)
-	if err != nil {
-		return err
+		return nil, err
 	}
 	if currentCluster == nil {
-		return fmt.Errorf("Failed to rotate certificates: can't find old certificates")
+		return nil, fmt.Errorf("Failed to rotate certificates: can't find old certificates")
 	}
-	if err := cluster.RotateRKECertificates(ctx, currentCluster, flags, rotateFlags, clusterState); err != nil {
-		return err
+	currentCluster.RotateCertificates = kubeCluster.RotateCertificates
+	if err := cluster.RotateRKECertificates(ctx, currentCluster, flags, rkeFullState); err != nil {
+		return nil, err
 	}
-	rkeState := cluster.FullState{
-		DesiredState: clusterState.DesiredState,
-		CurrentState: clusterState.CurrentState,
-	}
-	return rkeState.WriteStateFile(ctx, stateFilePath)
+	return rkeFullState, nil
 }