rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-06-28 08:18:58 +00:00
Code Issues Releases Wiki Activity

Handle missing request header ca in rotate certificate

Browse Source
This commit is contained in:
galal-hussein 2019-08-29 20:59:47 +02:00 committed by Alena Prokharchyk
parent a569f2e81c
commit 798632b3a4
3 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cluster/certificates.go
View File

@ -184,6 +184,12 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags,
if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil { if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {
serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key)) serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))
} }
// check for legacy clusters prior to requestheaderca
if c.Certificates[pki.RequestHeaderCACertName].Certificate == nil {
if err := pki.GenerateRKERequestHeaderCACert(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {
return err
}
}
if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil { if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
return err return err
} }

2
cmd/common.go
View File

@ -201,7 +201,7 @@ func fetchAndUpdateStateFromLegacyCluster(ctx context.Context, kubeCluster *clus
// try to fetch certs from nodes // try to fetch certs from nodes
recoveredCerts, err = cluster.GetClusterCertsFromNodes(ctx, kubeCluster) recoveredCerts, err = cluster.GetClusterCertsFromNodes(ctx, kubeCluster)
if err != nil { if err != nil {
return err return fmt.Errorf("Failed to fetch cluster certs from nodes, aborting upgrade: %v", err)
} }
} }
fullState.CurrentState.RancherKubernetesEngineConfig = kubeCluster.RancherKubernetesEngineConfig.DeepCopy() fullState.CurrentState.RancherKubernetesEngineConfig = kubeCluster.RancherKubernetesEngineConfig.DeepCopy()

24
pki/deploy.go
View File

@ -198,25 +198,37 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
for certName, config := range crtList { for certName, config := range crtList {
certificate := CertificatePKI{} certificate := CertificatePKI{}
crt, err := FetchFileFromHost(ctx, GetCertTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificates") crt, err := FetchFileFromHost(ctx, GetCertTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificates")
// I will only exit with an error if it's not a not-found-error and this is not an etcd certificate // Return error if the certificate file is not found but only if its not etcd or request header certificate
if err != nil && !strings.HasPrefix(certName, "kube-etcd") { if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&
certName != RequestHeaderCACertName &&
certName != APIProxyClientCertName {
// IsErrNotFound doesn't catch this because it's a custom error // IsErrNotFound doesn't catch this because it's a custom error
if isFileNotFoundErr(err) { if isFileNotFoundErr(err) {
return nil, nil return nil, fmt.Errorf("Certificate %s is not found", GetCertTempPath(certName))
} }
return nil, err return nil, err
} }
// If I can't find an etcd I will not fail and will create it later. // If I can't find an etcd or request header ca I will not fail and will create it later.
if crt == "" && strings.HasPrefix(certName, "kube-etcd") { if crt == "" && (strings.HasPrefix(certName, "kube-etcd") ||
certName == RequestHeaderCACertName ||
certName == APIProxyClientCertName) {
tmpCerts[certName] = CertificatePKI{} tmpCerts[certName] = CertificatePKI{}
continue continue
} }
key, err := FetchFileFromHost(ctx, GetKeyTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate") key, err := FetchFileFromHost(ctx, GetKeyTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate")
if err != nil {
if isFileNotFoundErr(err) {
return nil, fmt.Errorf("Key %s is not found", GetKeyTempPath(certName))
}
return nil, err
}
if config { if config {
config, err := FetchFileFromHost(ctx, GetConfigTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate") config, err := FetchFileFromHost(ctx, GetConfigTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate")
if err != nil { if err != nil {
if isFileNotFoundErr(err) {
return nil, fmt.Errorf("Config %s is not found", GetConfigTempPath(certName))
}
return nil, err return nil, err
} }
certificate.Config = config certificate.Config = config