Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
Hepto
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
ACIDES
Hepto
Commits
e7be7d73
Commit
e7be7d73
authored
1 year ago
by
kaiyou
Browse files
Options
Downloads
Patches
Plain Diff
General rewrite of the certificates code to support renewing certificates
parent
ca0f05a0
No related branches found
No related tags found
No related merge requests found
Pipeline
#29542
failed
1 year ago
Stage: build
Stage: test
Changes
2
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
services/certs.go
+12
-3
12 additions, 3 deletions
services/certs.go
services/meta.go
+49
-34
49 additions, 34 deletions
services/meta.go
with
61 additions
and
37 deletions
services/certs.go
+
12
−
3
View file @
e7be7d73
...
...
@@ -105,10 +105,16 @@ var pkiManager = &Unit{
},
Wake
:
func
(
u
*
Unit
,
c
*
Cluster
)
error
{
for
name
,
certs
:=
range
c
.
state
.
Certificates
{
if
certs
.
TLS
.
Cert
==
nil
||
certs
.
API
.
Cert
==
nil
{
if
certs
==
nil
||
certs
.
TLS
==
nil
||
certs
.
API
==
nil
{
continue
}
if
certs
.
TLS
.
Cert
==
nil
&&
certs
.
TLS
.
CSR
!=
nil
{
c
.
pki
.
TLS
.
Sign
(
certs
.
TLS
,
pekahi
.
NewServerTemplate
([]
string
{
name
},
certs
.
TLS
.
CSR
.
IPAddresses
))
u
.
Manager
.
Logger
.
Info
(
"signed node tls cert"
,
"node"
,
name
)
}
if
certs
.
API
.
Cert
==
nil
&&
certs
.
API
.
CSR
!=
nil
{
c
.
pki
.
API
.
Sign
(
certs
.
API
,
pekahi
.
NewClientTemplate
(
"system:node:"
+
name
,
"system:nodes"
))
u
.
Manager
.
Logger
.
Info
(
"signed node cert"
,
"node"
,
name
)
u
.
Manager
.
Logger
.
Info
(
"signed node
api
cert"
,
"node"
,
name
)
}
}
return
nil
...
...
@@ -223,6 +229,9 @@ var pkiNode = &Unit{
return
nil
},
Ready
:
func
(
u
*
Unit
,
c
*
Cluster
)
bool
{
return
c
.
certs
.
TLS
.
Cert
!=
nil
&&
c
.
certs
.
API
.
Cert
!=
nil
return
(
c
.
certs
.
TLS
.
Cert
!=
nil
&&
c
.
certs
.
API
.
Cert
!=
nil
&&
c
.
certs
.
TLS
.
Key
.
PublicKey
.
Equal
(
c
.
certs
.
TLS
.
Cert
.
PublicKey
))
&&
c
.
certs
.
API
.
Key
.
PublicKey
.
Equal
(
c
.
certs
.
API
.
Cert
.
PublicKey
)
},
}
This diff is collapsed.
Click to expand it.
services/meta.go
+
49
−
34
View file @
e7be7d73
package
services
import
(
"bytes"
"encoding/json"
"net/netip"
...
...
@@ -79,47 +80,61 @@ func (s *HeptoState) String() string {
func
(
s
*
HeptoState
)
Merge
(
b
[]
byte
)
(
bool
,
error
)
{
remote
:=
new
(
HeptoState
)
err
:=
json
.
Unmarshal
(
b
,
remote
)
// If state cannot decode or no pki is shared in state, bail
if
err
!=
nil
{
return
false
,
err
}
if
s
.
PKI
==
nil
||
remote
.
PKI
==
nil
{
return
false
,
nil
// Track changes
changed
:=
false
if
s
.
PKI
!=
nil
&&
remote
.
PKI
!=
nil
{
// Grab CA Certificates
updateCA
:=
func
(
local
,
remote
*
pekahi
.
Certificate
)
{
if
local
==
nil
||
remote
==
nil
{
return
}
if
local
.
Cert
==
nil
&&
remote
.
Cert
!=
nil
{
local
.
Cert
=
remote
.
Cert
local
.
Save
()
changed
=
true
}
}
updateCA
(
s
.
PKI
.
TLS
,
remote
.
PKI
.
TLS
)
updateCA
(
s
.
PKI
.
API
,
remote
.
PKI
.
API
)
updateCA
(
s
.
PKI
.
Kubelet
,
remote
.
PKI
.
Kubelet
)
updateCA
(
s
.
PKI
.
Proxy
,
remote
.
PKI
.
Proxy
)
}
change
:=
false
change
=
mergeCert
(
s
.
PKI
.
TLS
,
remote
.
PKI
.
TLS
)
||
change
change
=
mergeCert
(
s
.
PKI
.
Kubelet
,
remote
.
PKI
.
Kubelet
)
||
change
change
=
mergeCert
(
s
.
PKI
.
API
,
remote
.
PKI
.
API
)
||
change
change
=
mergeCert
(
s
.
PKI
.
Proxy
,
remote
.
PKI
.
Proxy
)
||
change
for
name
,
remoteCerts
:=
range
remote
.
Certificates
{
if
remoteCerts
==
nil
{
continue
}
certs
,
ok
:=
s
.
Certificates
[
name
]
if
ok
{
change
=
mergeCert
(
certs
.
TLS
,
remoteCerts
.
TLS
)
||
change
change
=
mergeCert
(
certs
.
API
,
remoteCerts
.
API
)
||
change
}
else
{
if
!
ok
||
certs
==
nil
{
s
.
Certificates
[
name
]
=
remoteCerts
change
=
true
changed
=
true
continue
}
// Grab a node CSR or our certificates if available
updateCSROrCert
:=
func
(
local
,
remote
*
pekahi
.
Certificate
)
{
if
local
==
nil
||
remote
==
nil
{
return
}
// If this is not our own data, remote is providing a CSR we do not know about yet, save it
if
local
.
Key
==
nil
&&
remote
.
CSR
!=
nil
&&
(
local
.
CSR
==
nil
||
!
bytes
.
Equal
(
local
.
CSR
.
Raw
,
remote
.
CSR
.
Raw
))
{
local
.
Cert
=
remote
.
Cert
local
.
CSR
=
remote
.
CSR
local
.
Save
()
changed
=
true
}
// If remote is providing a cert that matches our key and CSR, save it
if
local
.
Key
!=
nil
&&
local
.
CSR
!=
nil
&&
local
.
Cert
==
nil
&&
remote
.
Cert
!=
nil
&&
local
.
Key
.
PublicKey
.
Equal
(
remote
.
Cert
.
PublicKey
)
{
local
.
Cert
=
remote
.
Cert
local
.
Save
()
changed
=
true
}
}
updateCSROrCert
(
certs
.
API
,
remoteCerts
.
API
)
updateCSROrCert
(
certs
.
TLS
,
remoteCerts
.
TLS
)
}
return
change
,
nil
}
// Merge a single node or master certificate
func
mergeCert
(
local
*
pekahi
.
Certificate
,
remote
*
pekahi
.
Certificate
)
bool
{
change
:=
false
// Do not merge nothing
if
remote
==
nil
{
return
change
}
// Import CSR to master for signing
if
local
.
CSR
==
nil
&&
remote
.
CSR
!=
nil
{
local
.
CSR
=
remote
.
CSR
change
=
true
}
// Import and save cert back to node
if
local
.
Cert
==
nil
&&
remote
.
Cert
!=
nil
{
local
.
Cert
=
remote
.
Cert
local
.
Save
()
change
=
true
}
return
change
// Grab signed ceritificates for the kubelet of current node
return
changed
,
nil
}
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
