
Force deploy certificates if kubeapi cert got changed

galal-hussein
2019-04-23 23:42:10 +02:00
committed by Alena Prokharchyk
parent 765746fc77
commit 7744f18d6e
5 changed files with 27 additions and 11 deletions


@@ -17,6 +17,7 @@ import (
func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster, fullState *FullState) error {
if kubeCluster.AuthnStrategies[AuthnX509Provider] {
compareKubeAPICerts(ctx, kubeCluster, currentCluster)
kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle
return nil
}
@@ -223,3 +224,16 @@ func GetClusterCertsFromNodes(ctx context.Context, kubeCluster *Cluster) (map[st
// reporting the last error only.
return nil, err
}
func compareKubeAPICerts(ctx context.Context, kubeCluster, currentCluster *Cluster) {
// checking if kubeapi cert got changed then we set force deploy to true
// to force deploying the kubeapi cert with new SANs
if currentCluster != nil {
currentKubeAPICert := currentCluster.Certificates[pki.KubeAPICertName]
desiredKubeAPICert := kubeCluster.Certificates[pki.KubeAPICertName]
if desiredKubeAPICert.CertificatePEM != currentKubeAPICert.CertificatePEM {
log.Infof(ctx, "[certificates] KubeAPI certificate changed, force deploying certs")
kubeCluster.ForceDeployCerts = true
}
}
}
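Review bot: In the first hunk, `compareKubeAPICerts(ctx, kubeCluster, currentCluster)` runs before `kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle`, yet the helper reads the desired certificate from `kubeCluster.Certificates[pki.KubeAPICertName]`. Unless that map is already populated earlier in the flow (not visible on this page), the lookup returns a zero value, the PEM comparison differs from any deployed certificate, and `ForceDeployCerts` is set on every run rather than only when the SANs changed. Assigning the bundle first and then calling the helper would make the comparison use the desired state. The lookup on `currentCluster.Certificates` has the same zero-value behaviour when the entry is missing, so a comma-ok check with a short comment stating the intended outcome would make that case explicit. The body of SetUpAuthentication continues outside the hunk, so the surrounding flow should be confirmed there.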