Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package google-guest-agent for 
openSUSE:Factory checked in at 2022-10-11 18:03:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-agent (Old)
 and      /work/SRC/openSUSE:Factory/.google-guest-agent.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "google-guest-agent"

Tue Oct 11 18:03:01 2022 rev:16 rq:1009583 version:20220927.00

Changes:
--------
--- /work/SRC/openSUSE:Factory/google-guest-agent/google-guest-agent.changes    
2022-09-17 20:10:50.637244094 +0200
+++ 
/work/SRC/openSUSE:Factory/.google-guest-agent.new.2275/google-guest-agent.changes
  2022-10-11 18:05:30.506080794 +0200
@@ -1,0 +2,6 @@
+Mon Oct 10 12:57:39 UTC 2022 - John Paul Adrian Glaubitz 
<adrian.glaub...@suse.com>
+
+- Update to version 20220927.00
+  * Workload certificate refresh (#182)
+
+-------------------------------------------------------------------

Old:
----
  guest-agent-20220824.00.tar.gz

New:
----
  guest-agent-20220927.00.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ google-guest-agent.spec ++++++
--- /var/tmp/diff_new_pack.7SjVr5/_old  2022-10-11 18:05:31.762082824 +0200
+++ /var/tmp/diff_new_pack.7SjVr5/_new  2022-10-11 18:05:31.778082850 +0200
@@ -24,7 +24,7 @@
 %global import_path     %{provider_prefix}
 
 Name:           google-guest-agent
-Version:        20220824.00
+Version:        20220927.00
 Release:        0
 Summary:        Google Cloud Guest Agent
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.7SjVr5/_old  2022-10-11 18:05:31.834082941 +0200
+++ /var/tmp/diff_new_pack.7SjVr5/_new  2022-10-11 18:05:31.838082947 +0200
@@ -3,8 +3,8 @@
     <param 
name="url">https://github.com/GoogleCloudPlatform/guest-agent/</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20220824.00</param>
-    <param name="revision">20220824.00</param>
+    <param name="versionformat">20220927.00</param>
+    <param name="revision">20220927.00</param>
     <param name="changesgenerate">enable</param>
   </service>
   <service name="recompress" mode="disabled">
@@ -15,7 +15,7 @@
     <param name="basename">guest-agent</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">guest-agent-20220824.00.tar.gz</param>
+    <param name="archive">guest-agent-20220927.00.tar.gz</param>
   </service>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.7SjVr5/_old  2022-10-11 18:05:31.862082986 +0200
+++ /var/tmp/diff_new_pack.7SjVr5/_new  2022-10-11 18:05:31.870082999 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/GoogleCloudPlatform/guest-agent/</param>
-              <param 
name="changesrevision">1bdde681dd3b700159392eb87efbef5c1bb5515c</param></service></servicedata>
+              <param 
name="changesrevision">1036d38c4ea039b6cd9683c5c9c235c59d08b102</param></service></servicedata>
 (No newline at EOF)
 

++++++ guest-agent-20220824.00.tar.gz -> guest-agent-20220927.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-agent-20220824.00/gce-workload-cert-refresh.service 
new/guest-agent-20220927.00/gce-workload-cert-refresh.service
--- old/guest-agent-20220824.00/gce-workload-cert-refresh.service       
1970-01-01 01:00:00.000000000 +0100
+++ new/guest-agent-20220927.00/gce-workload-cert-refresh.service       
2022-09-27 23:29:08.000000000 +0200
@@ -0,0 +1,8 @@
+[Unit]
+Description=GCE Workload Certificate refresh
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/gce_workload_cert_refresh
+
+# No [Install] section - this is controlled by gce-workload-cert.timer
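Review bot: The `[Service]` section starts `/usr/bin/gce_workload_cert_refresh` with no umask or sandboxing directives, although the program added in this same commit writes a private key under /run/secrets with a permissive file mode. Adding `NoNewPrivileges=yes` costs nothing for a oneshot. `UMask=0077` would also keep the created credential files owner-only whatever mode the binary passes, provided the readers of those files run as root, which the page does not show. The closing comment names `gce-workload-cert.timer`, but the timer added here is `gce-workload-cert-refresh.timer`, so the comment should use the real unit name.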
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-agent-20220824.00/gce-workload-cert-refresh.timer 
new/guest-agent-20220927.00/gce-workload-cert-refresh.timer
--- old/guest-agent-20220824.00/gce-workload-cert-refresh.timer 1970-01-01 
01:00:00.000000000 +0100
+++ new/guest-agent-20220927.00/gce-workload-cert-refresh.timer 2022-09-27 
23:29:08.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=GCE Workload Certificate refresh timer
+
+[Timer]
+OnBootSec=5
+OnUnitActiveSec=30m
+
+[Install]
+WantedBy=timers.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-agent-20220824.00/gce_workload_cert_refresh/main.go 
new/guest-agent-20220927.00/gce_workload_cert_refresh/main.go
--- old/guest-agent-20220824.00/gce_workload_cert_refresh/main.go       
1970-01-01 01:00:00.000000000 +0100
+++ new/guest-agent-20220927.00/gce_workload_cert_refresh/main.go       
2022-09-27 23:29:08.000000000 +0200
@@ -0,0 +1,309 @@
+//  Copyright 2022 Google LLC
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+// GoogleAuthorizedKeys obtains SSH keys from metadata.
+package main
+
+import (
+       "context"
+       "encoding/json"
+       "fmt"
+       "io"
+       "io/ioutil"
+       "net/http"
+       "os"
+       "time"
+
+       "github.com/GoogleCloudPlatform/guest-logging-go/logger"
+)
+
+const (
+       contentDirPrefix  = "/run/secrets/workload-spiffe-contents"
+       tempSymlinkPrefix = "/run/secrets/workload-spiffe-symlink"
+       symlink           = "/run/secrets/workload-spiffe-credentials"
+)
+
+var (
+       programName    = "gce_workload_certs_refresh"
+       version        string
+       metadataURL    = "http://169.254.169.254/computeMetadata/v1/";
+       defaultTimeout = 2 * time.Second
+)
+
+func logFormat(e logger.LogEntry) string {
+       now := time.Now().Format("2006/01/02 15:04:05")
+       return fmt.Sprintf("%s: %s", now, e.Message)
+}
+
+func getMetadata(key string) ([]byte, error) {
+       client := &http.Client{
+               Timeout: defaultTimeout,
+       }
+
+       url := metadataURL + key
+       req, err := http.NewRequest("GET", url, nil)
+       if err != nil {
+               return nil, err
+       }
+       req.Header.Add("Metadata-Flavor", "Google")
+
+       var res *http.Response
+
+       // Retry up to 5 times
+       for i := 1; i < 6; i++ {
+               res, err = client.Do(req)
+               if err == nil {
+                       break
+               }
+               logger.Errorf("error connecting to metadata server, retrying in 
3s, error: %v", err)
+               time.Sleep(time.Duration(3) * time.Second)
+       }
+       if err != nil {
+               return nil, err
+       }
+
+       if res.StatusCode == 404 {
+               return nil, fmt.Errorf("HTTP 404")
+       }
+
+       defer res.Body.Close()
+       md, err := ioutil.ReadAll(res.Body)
+       if err != nil {
+               return nil, err
+       }
+       return md, nil
+}
+
+/*
+metadata key instance/workload-identities
+
+       {
+        "status": "OK",
+        "workloadCredentials": {
+         "PROJECT.svc.id.goog": {
+          "metadata": {
+           "workload_creds_dir_path": 
"/var/run/secrets/workload-spiffe-credentials"
+          },
+          "certificatePem": "-----BEGIN CERTIFICATE-----datahere-----END 
CERTIFICATE-----",
+          "privateKeyPem": "-----BEGIN PRIVATE KEY-----datahere-----END 
PRIVATE KEY-----"
+         }
+        }
+       }
+*/
+
+// WorkloadIdentities represents Workload Identities in metadata.
+type WorkloadIdentities struct {
+       Status              string
+       WorkloadCredentials map[string]WorkloadCredential
+}
+
+// UnmarshalJSON is a custom JSON unmarshaller for WorkloadIdentities.
+func (wi *WorkloadIdentities) UnmarshalJSON(b []byte) error {
+       tmp := map[string]json.RawMessage{}
+       err := json.Unmarshal(b, &tmp)
+       if err != nil {
+               return err
+       }
+
+       if err := json.Unmarshal(tmp["status"], &wi.Status); err != nil {
+               return err
+       }
+
+       wi.WorkloadCredentials = map[string]WorkloadCredential{}
+       wcs := map[string]json.RawMessage{}
+       if err := json.Unmarshal(tmp["workloadCredentials"], &wcs); err != nil {
+               return err
+       }
+
+       for domain, value := range wcs {
+               wc := WorkloadCredential{}
+               err := json.Unmarshal(value, &wc)
+               if err != nil {
+                       return err
+               }
+               wi.WorkloadCredentials[domain] = wc
+       }
+
+       return nil
+}
+
+// WorkloadCredential represents Workload Credentials in metadata.
+type WorkloadCredential struct {
+       Metadata       Metadata
+       CertificatePem string
+       PrivateKeyPem  string
+}
+
+/*
+metadata key instance/workload-trusted-root-certs
+
+       {
+        "status": "OK",
+        "rootCertificates": {
+         "PROJECT.svc.id.goog": {
+          "metadata": {
+           "workload_creds_dir_path": 
"/var/run/secrets/workload-spiffe-credentials"
+          },
+          "rootCertificatesPem": "-----BEGIN CERTIFICATE-----datahere-----END 
CERTIFICATE-----"
+         }
+        }
+       }
+*/
+
+// WorkloadTrustedRootCerts represents Workload Trusted Root Certs in metadata.
+type WorkloadTrustedRootCerts struct {
+       Status           string
+       RootCertificates map[string]RootCertificate
+}
+
+// UnmarshalJSON is a custom JSON unmarshaller for WorkloadTrustedRootCerts
+func (wtrc *WorkloadTrustedRootCerts) UnmarshalJSON(b []byte) error {
+       tmp := map[string]json.RawMessage{}
+       err := json.Unmarshal(b, &tmp)
+       if err != nil {
+               return err
+       }
+
+       if err := json.Unmarshal(tmp["status"], &wtrc.Status); err != nil {
+               return err
+       }
+
+       wtrc.RootCertificates = map[string]RootCertificate{}
+       rcs := map[string]json.RawMessage{}
+       if err := json.Unmarshal(tmp["rootCertificates"], &rcs); err != nil {
+               return err
+       }
+
+       for domain, value := range rcs {
+               rc := RootCertificate{}
+               err := json.Unmarshal(value, &rc)
+               if err != nil {
+                       return err
+               }
+               wtrc.RootCertificates[domain] = rc
+       }
+
+       return nil
+}
+
+// RootCertificate represents a Root Certificate in metadata
+type RootCertificate struct {
+       Metadata            Metadata
+       RootCertificatesPem string
+}
+
+// Metadata represents Metadata in metadata
+type Metadata struct {
+       WorkloadCredsDirPath string
+}
+
+func main() {
+       ctx := context.Background()
+
+       opts := logger.LogOpts{
+               LoggerName:     programName,
+               FormatFunction: logFormat,
+               // No need for syslog.
+               DisableLocalLogging: true,
+       }
+
+       opts.Writers = []io.Writer{os.Stderr}
+       logger.Init(ctx, opts)
+       defer logger.Infof("Done")
+
+       // TODO: prune old dirs
+
+       if err := refreshCreds(); err != nil {
+               logger.Fatalf(err.Error())
+       }
+
+}
+
+func refreshCreds() error {
+       project, err := getMetadata("project/project-id")
+       if err != nil {
+               return fmt.Errorf("Error getting project ID: %v", err)
+       }
+
+       wisMd, err := getMetadata("instance/workload-identities")
+       if err != nil {
+               logger.Infof("No workload identities found: %v", err)
+               return nil
+       }
+
+       wtrcsMd, err := getMetadata("instance/workload-trusted-root-certs")
+       if err != nil {
+               return fmt.Errorf("Error getting workload-identities: %v", err)
+       }
+
+       domain := fmt.Sprintf("%s.svc.id.goog", project)
+       logger.Infof("Rotating workload credentials for domain %s", domain)
+
+       wis := WorkloadIdentities{}
+       if err := json.Unmarshal(wisMd, &wis); err != nil {
+               return fmt.Errorf("Error unmarshaling workload trusted root 
certs: %v", err)
+       }
+
+       wtrcs := WorkloadTrustedRootCerts{}
+       if err := json.Unmarshal(wtrcsMd, &wtrcs); err != nil {
+               return fmt.Errorf("Error unmarshaling workload trusted root 
certs: %v", err)
+       }
+
+       now := time.Now().Format(time.RFC3339)
+       contentDir := fmt.Sprintf("%s-%s", contentDirPrefix, now)
+       tempSymlink := fmt.Sprintf("%s-%s", tempSymlinkPrefix, now)
+
+       logger.Infof("Creating timestamp contents dir %s", contentDir)
+
+       if err := os.MkdirAll(contentDir, 0750); err != nil {
+               return fmt.Errorf("Error creating contents dir: %v", err)
+       }
+
+       if err := os.WriteFile(fmt.Sprintf("%s/certificates.pem", contentDir), 
[]byte(wis.WorkloadCredentials[domain].CertificatePem), 0666); err != nil {
+               return fmt.Errorf("Error writing certificates.pem: %v", err)
+       }
+
+       if err := os.WriteFile(fmt.Sprintf("%s/private_key.pem", contentDir), 
[]byte(wis.WorkloadCredentials[domain].PrivateKeyPem), 0666); err != nil {
+               return fmt.Errorf("Error writing private_key.pem: %v", err)
+       }
+
+       if err := os.WriteFile(fmt.Sprintf("%s/ca_certificates.pem", 
contentDir), []byte(wtrcs.RootCertificates[domain].RootCertificatesPem), 0666); 
err != nil {
+               return fmt.Errorf("Error writing ca_certificates.pem: %v", err)
+       }
+
+       if err := os.Symlink(contentDir, tempSymlink); err != nil {
+               return fmt.Errorf("Error creating temporary link: %v", err)
+       }
+
+       oldTarget, err := os.Readlink(symlink)
+       if err != nil {
+               logger.Infof("Error reading existing symlink: %v\n", err)
+               oldTarget = ""
+       }
+
+       logger.Infof("Rotating symlink %s", symlink)
+
+       if err := os.Rename(tempSymlink, symlink); err != nil {
+               return fmt.Errorf("Error rotating target link: %v", err)
+       }
+
+       if oldTarget != "" {
+               logger.Infof("Remove old content dir %s", oldTarget)
+               if err := os.RemoveAll(oldTarget); err != nil {
+                       return fmt.Errorf("Failed to remove old symlink target: 
%v", err)
+               }
+       }
+
+       return nil
+}
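Review bot: `private_key.pem` is written with mode `0666` in refreshCreds, the same mode as the two certificate files, so after a typical umask the key is readable by every local user and only the `0750` on the timestamped directory stands between it and them. The key file should be created owner-only (`0600`), or with whatever narrower mode the intended readers need, which the page does not show. The same function indexes `wis.WorkloadCredentials[domain]` and `wtrcs.RootCertificates[domain]` without checking that the entry exists, so a response without this domain would write three empty files and rotate the live symlink onto them; look the entries up once with the `ok` form and return an error before creating the directory. getMetadata also treats only 404 as a failure, so any other non-200 body is handed to the JSON decoder.

```go
	// … unchanged: metadata fetch and JSON unmarshalling …

	// Refuse to rotate when the metadata has no entry for this domain.
	wc, ok := wis.WorkloadCredentials[domain]
	if !ok {
		return fmt.Errorf("no workload credentials for domain %s", domain)
	}
	rc, ok := wtrcs.RootCertificates[domain]
	if !ok {
		return fmt.Errorf("no trusted root certificates for domain %s", domain)
	}

	// … unchanged: contentDir creation, certificates.pem write (now from wc.CertificatePem) …

	// The private key is owner-only; the certificates keep their existing mode.
	if err := os.WriteFile(fmt.Sprintf("%s/private_key.pem", contentDir), []byte(wc.PrivateKeyPem), 0600); err != nil {
		return fmt.Errorf("Error writing private_key.pem: %v", err)
	}

	// … unchanged: ca_certificates.pem write (now from rc.RootCertificatesPem), symlink rotation …
```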
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-agent-20220824.00/gce_workload_certs_refresh/main.go 
new/guest-agent-20220927.00/gce_workload_certs_refresh/main.go
--- old/guest-agent-20220824.00/gce_workload_certs_refresh/main.go      
2022-08-24 03:13:05.000000000 +0200
+++ new/guest-agent-20220927.00/gce_workload_certs_refresh/main.go      
1970-01-01 01:00:00.000000000 +0100
@@ -1,289 +0,0 @@
-//  Copyright 2022 Google LLC
-//
-//  Licensed under the Apache License, Version 2.0 (the "License");
-//  you may not use this file except in compliance with the License.
-//  You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-//  Unless required by applicable law or agreed to in writing, software
-//  distributed under the License is distributed on an "AS IS" BASIS,
-//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//  See the License for the specific language governing permissions and
-//  limitations under the License.
-
-// GoogleAuthorizedKeys obtains SSH keys from metadata.
-package main
-
-import (
-       "context"
-       "encoding/json"
-       "fmt"
-       "io"
-       "io/ioutil"
-       "net/http"
-       "os"
-       "time"
-
-       "github.com/GoogleCloudPlatform/guest-logging-go/logger"
-)
-
-const (
-       contentDirPrefix  = "/run/secrets/workload-spiffe-contents"
-       tempSymlinkPrefix = "/run/secrets/workload-spiffe-symlink"
-       symlink           = "/run/secrets/workload-spiffe-credentials"
-)
-
-var (
-       programName    = "gce_workload_certs_refresh"
-       version        string
-       metadataURL    = "http://169.254.169.254/computeMetadata/v1/";
-       defaultTimeout = 2 * time.Second
-)
-
-func logFormat(e logger.LogEntry) string {
-       now := time.Now().Format("2006/01/02 15:04:05")
-       return fmt.Sprintf("%s: %s", now, e.Message)
-}
-
-func getMetadata(key string) ([]byte, error) {
-       client := &http.Client{
-               Timeout: defaultTimeout,
-       }
-
-       url := metadataURL + key
-       req, err := http.NewRequest("GET", url, nil)
-       if err != nil {
-               return nil, err
-       }
-       req.Header.Add("Metadata-Flavor", "Google")
-
-       var res *http.Response
-
-       // Retry up to 5 times
-       for i := 1; i < 6; i++ {
-               res, err = client.Do(req)
-               if err == nil {
-                       break
-               }
-               logger.Errorf("error connecting to metadata server, retrying in 
3s, error: %v", err)
-               time.Sleep(time.Duration(3) * time.Second)
-       }
-       if err != nil {
-               return nil, err
-       }
-       defer res.Body.Close()
-
-       md, err := ioutil.ReadAll(res.Body)
-       if err != nil {
-               return nil, err
-       }
-       return md, nil
-}
-
-/*
-metadata key instance/workload-identities
-
-       {
-        "status": "OK",
-        "workloadCredentials": {
-         "PROJECT.svc.id.goog": {
-          "metadata": {
-           "workload_creds_dir_path": 
"/var/run/secrets/workload-spiffe-credentials"
-          },
-          "certificatePem": "-----BEGIN CERTIFICATE-----datahere-----END 
CERTIFICATE-----",
-          "privateKeyPem": "-----BEGIN PRIVATE KEY-----datahere-----END 
PRIVATE KEY-----"
-         }
-        }
-       }
-*/
-
-// WorkloadIdentities represents Workload Identities in metadata.
-type WorkloadIdentities struct {
-       Status              string
-       WorkloadCredentials map[string]WorkloadCredential
-}
-
-// UnmarshalJSON is a custom JSON unmarshaller for WorkloadIdentities.
-func (wi *WorkloadIdentities) UnmarshalJSON(b []byte) error {
-       tmp := map[string]json.RawMessage{}
-       err := json.Unmarshal(b, &tmp)
-       if err != nil {
-               return err
-       }
-
-       if err := json.Unmarshal(tmp["status"], &wi.Status); err != nil {
-               return err
-       }
-
-       wi.WorkloadCredentials = map[string]WorkloadCredential{}
-       wcs := map[string]json.RawMessage{}
-       if err := json.Unmarshal(tmp["workloadCredentials"], &wcs); err != nil {
-               return err
-       }
-
-       for domain, value := range wcs {
-               wc := WorkloadCredential{}
-               err := json.Unmarshal(value, &wc)
-               if err != nil {
-                       return err
-               }
-               wi.WorkloadCredentials[domain] = wc
-       }
-
-       return nil
-}
-
-// WorkloadCredential represents Workload Credentials in metadata.
-type WorkloadCredential struct {
-       Metadata       Metadata
-       CertificatePem string
-       PrivateKeyPem  string
-}
-
-/*
-metadata key instance/workload-trusted-root-certs
-
-       {
-        "status": "OK",
-        "rootCertificates": {
-         "PROJECT.svc.id.goog": {
-          "metadata": {
-           "workload_creds_dir_path": 
"/var/run/secrets/workload-spiffe-credentials"
-          },
-          "rootCertificatesPem": "-----BEGIN CERTIFICATE-----datahere-----END 
CERTIFICATE-----"
-         }
-        }
-       }
-*/
-
-// WorkloadTrustedRootCerts represents Workload Trusted Root Certs in metadata.
-type WorkloadTrustedRootCerts struct {
-       Status           string
-       RootCertificates map[string]RootCertificate
-}
-
-// UnmarshalJSON is a custom JSON unmarshaller for WorkloadTrustedRootCerts
-func (wtrc *WorkloadTrustedRootCerts) UnmarshalJSON(b []byte) error {
-       tmp := map[string]json.RawMessage{}
-       err := json.Unmarshal(b, &tmp)
-       if err != nil {
-               return err
-       }
-
-       if err := json.Unmarshal(tmp["status"], &wtrc.Status); err != nil {
-               return err
-       }
-
-       wtrc.RootCertificates = map[string]RootCertificate{}
-       rcs := map[string]json.RawMessage{}
-       if err := json.Unmarshal(tmp["rootCertificates"], &rcs); err != nil {
-               return err
-       }
-
-       for domain, value := range rcs {
-               rc := RootCertificate{}
-               err := json.Unmarshal(value, &rc)
-               if err != nil {
-                       return err
-               }
-               wtrc.RootCertificates[domain] = rc
-       }
-
-       return nil
-}
-
-// RootCertificate represents a Root Certificate in metadata
-type RootCertificate struct {
-       Metadata            Metadata
-       RootCertificatesPem string
-}
-
-// Metadata represents Metadata in metadata
-type Metadata struct {
-       WorkloadCredsDirPath string
-}
-
-func main() {
-       ctx := context.Background()
-
-       opts := logger.LogOpts{
-               LoggerName:     programName,
-               FormatFunction: logFormat,
-       }
-
-       opts.Writers = []io.Writer{os.Stderr}
-       logger.Init(ctx, opts)
-       defer logger.Infof("Done")
-
-       // TODO: prune old dirs
-
-       if err := refreshCreds(); err != nil {
-               logger.Fatalf(err.Error())
-       }
-
-}
-
-func refreshCreds() error {
-       project, err := getMetadata("project/project-id")
-       if err != nil {
-               return fmt.Errorf("Error getting project ID: %v", err)
-       }
-       domain := fmt.Sprintf("%s.svc.id.goog", project)
-       logger.Infof("Rotating workload credentials for domain %s", domain)
-
-       wisMd, err := getMetadata("instance/workload-identities")
-       if err != nil {
-               return fmt.Errorf("Error getting workload-identities: %v", err)
-       }
-
-       wtrcsMd, err := getMetadata("instance/workload-trusted-root-certs")
-       if err != nil {
-               return fmt.Errorf("Error getting workload-identities: %v", err)
-       }
-
-       wis := WorkloadIdentities{}
-       if err := json.Unmarshal(wisMd, &wis); err != nil {
-               return fmt.Errorf("Error unmarshaling workload trusted root 
certs: %v", err)
-       }
-
-       wtrcs := WorkloadTrustedRootCerts{}
-       if err := json.Unmarshal(wtrcsMd, &wtrcs); err != nil {
-               return fmt.Errorf("Error unmarshaling workload trusted root 
certs: %v", err)
-       }
-
-       now := time.Now().Format(time.RFC3339)
-       contentDir := fmt.Sprintf("%s-%s", contentDirPrefix, now)
-       tempSymlink := fmt.Sprintf("%s-%s", tempSymlinkPrefix, now)
-
-       logger.Infof("Creating timestamp contents dir %s", contentDir)
-
-       // TODO: validate filesystem permissions
-       if err := os.MkdirAll(contentDir, 0750); err != nil {
-               return fmt.Errorf("Error creating contents dir: %v", err)
-       }
-
-       if err := os.WriteFile(fmt.Sprintf("%s/certificates.pem", contentDir), 
[]byte(wis.WorkloadCredentials[domain].CertificatePem), 0666); err != nil {
-               return fmt.Errorf("Error writing certificates.pem: %v", err)
-       }
-
-       if err := os.WriteFile(fmt.Sprintf("%s/private_key.pem", contentDir), 
[]byte(wis.WorkloadCredentials[domain].PrivateKeyPem), 0666); err != nil {
-               return fmt.Errorf("Error writing private_key.pem: %v", err)
-       }
-
-       if err := os.WriteFile(fmt.Sprintf("%s/ca_certificates.pem", 
contentDir), []byte(wtrcs.RootCertificates[domain].RootCertificatesPem), 0666); 
err != nil {
-               return fmt.Errorf("Error writing ca_certificates.pem: %v", err)
-       }
-
-       if err := os.Symlink(contentDir, tempSymlink); err != nil {
-               return fmt.Errorf("Error creating temporary link: %v", err)
-       }
-
-       logger.Infof("Rotating symlink %s", symlink)
-
-       if err := os.Rename(tempSymlink, symlink); err != nil {
-               return fmt.Errorf("Error rotating target link: %v", err)
-       }
-
-       return nil
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/guest-agent-20220824.00/packaging/debian/rules 
new/guest-agent-20220927.00/packaging/debian/rules
--- old/guest-agent-20220824.00/packaging/debian/rules  2022-08-24 
03:13:05.000000000 +0200
+++ new/guest-agent-20220927.00/packaging/debian/rules  2022-09-27 
23:29:08.000000000 +0200
@@ -10,8 +10,7 @@
 export GOPROXY := https://proxy.golang.org
 export GO111MODULE := on
 export GOPATH := /usr/share/gocode
-export DH_GOLANG_BUILDPKG := 
github.com/GoogleCloudPlatform/guest-agent/google_guest_agent 
github.com/GoogleCloudPlatform/guest-agent/google_metadata_script_runner
-
+export DH_GOLANG_BUILDPKG := 
github.com/GoogleCloudPlatform/guest-agent/google_guest_agent 
github.com/GoogleCloudPlatform/guest-agent/google_metadata_script_runner 
github.com/GoogleCloudPlatform/guest-agent/gce_workload_cert_refresh
 
 %:
        dh $@  --buildsystem=golang --with=golang,systemd
@@ -21,6 +20,8 @@
        dh_auto_install -- --no-source
        install -d debian/google-guest-agent/usr/share/google-guest-agent
        install -p -m 0644 instance_configs.cfg 
debian/google-guest-agent/usr/share/google-guest-agent
+       install -d debian/google-guest-agent/lib/systemd/system
+       install -p -m 0644 gce-workload-cert-refresh.timer 
debian/google-guest-agent/lib/systemd/system/
 
 override_dh_golang:
        # We don't use any packaged dependencies, so skip dh_golang step.
@@ -36,8 +37,9 @@
        install -p -m 0644 *.service 
debian/google-guest-agent/lib/systemd/system/
        install -d debian/google-guest-agent/lib/systemd/system-preset
        install -p -m 0644 *.preset 
debian/google-guest-agent/lib/systemd/system-preset/
-       dh_systemd_enable google-guest-agent.service 
google-startup-scripts.service google-shutdown-scripts.service
+       dh_systemd_enable google-guest-agent.service 
google-startup-scripts.service google-shutdown-scripts.service 
gce-workload-cert-refresh.timer
 
 override_dh_systemd_start:
-       # Only perform start/stop actions for the guest agent.
+       # Only perform start/stop actions for the guest agent and cert refresh 
timer.
        dh_systemd_start google-guest-agent.service
+       dh_systemd_start gce-workload-cert-refresh.timer
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-agent-20220824.00/packaging/google-guest-agent.spec 
new/guest-agent-20220927.00/packaging/google-guest-agent.spec
--- old/guest-agent-20220824.00/packaging/google-guest-agent.spec       
2022-08-24 03:13:05.000000000 +0200
+++ new/guest-agent-20220927.00/packaging/google-guest-agent.spec       
2022-09-27 23:29:08.000000000 +0200
@@ -38,7 +38,7 @@
 %autosetup
 
 %build
-for bin in google_guest_agent google_metadata_script_runner; do
+for bin in google_guest_agent google_metadata_script_runner 
gce_workload_cert_refresh; do
   pushd "$bin"
   GOPATH=%{_gopath} CGO_ENABLED=0 %{_go} build -ldflags="-s -w -X 
main.version=%{_version}" -mod=readonly
   popd
@@ -51,6 +51,7 @@
 install -d %{buildroot}%{_bindir}
 install -p -m 0755 google_guest_agent/google_guest_agent 
%{buildroot}%{_bindir}/google_guest_agent
 install -p -m 0755 google_metadata_script_runner/google_metadata_script_runner 
%{buildroot}%{_bindir}/google_metadata_script_runner
+install -p -m 0755 gce_workload_cert_refresh/gce_workload_cert_refresh 
%{buildroot}%{_bindir}/gce_workload_cert_refresh
 install -d %{buildroot}/usr/share/google-guest-agent
 install -p -m 0644 instance_configs.cfg 
%{buildroot}/usr/share/google-guest-agent/instance_configs.cfg
 %if 0%{?el6}
@@ -64,6 +65,8 @@
 install -p -m 0644 %{name}.service %{buildroot}%{_unitdir}
 install -p -m 0644 google-startup-scripts.service %{buildroot}%{_unitdir}
 install -p -m 0644 google-shutdown-scripts.service %{buildroot}%{_unitdir}
+install -p -m 0644 gce-workload-cert-refresh.service %{buildroot}%{_unitdir}
+install -p -m 0644 gce-workload-cert-refresh.timer %{buildroot}%{_unitdir}
 install -p -m 0644 90-%{name}.preset 
%{buildroot}%{_presetdir}/90-%{name}.preset
 %endif
 
@@ -73,6 +76,7 @@
 /usr/share/google-guest-agent/instance_configs.cfg
 %{_bindir}/google_guest_agent
 %{_bindir}/google_metadata_script_runner
+%{_bindir}/gce_workload_cert_refresh
 %if 0%{?el6}
 /etc/init/%{name}.conf
 /etc/init/google-startup-scripts.conf
@@ -81,6 +85,8 @@
 %{_unitdir}/%{name}.service
 %{_unitdir}/google-startup-scripts.service
 %{_unitdir}/google-shutdown-scripts.service
+%{_unitdir}/gce-workload-cert-refresh.service
+%{_unitdir}/gce-workload-cert-refresh.timer
 %{_presetdir}/90-%{name}.preset
 %endif
 
@@ -99,10 +105,12 @@
   systemctl enable google-guest-agent.service >/dev/null 2>&1 || :
   systemctl enable google-startup-scripts.service >/dev/null 2>&1 || :
   systemctl enable google-shutdown-scripts.service >/dev/null 2>&1 || :
+  systemctl enable gce-workload-cert-refresh.timer >/dev/null 2>&1 || :
 
   if [ -d /run/systemd/system ]; then
     systemctl daemon-reload >/dev/null 2>&1 || :
     systemctl start google-guest-agent.service >/dev/null 2>&1 || :
+    systemctl start gce-workload-cert-refresh.timer >/dev/null 2>&1 || :
   fi
 else
   # Package upgrade
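Review bot: The new `systemctl enable` and `systemctl start` lines for `gce-workload-cert-refresh.timer` sit only in the first-install branch, so an instance that receives this version as an upgrade may never get the timer activated unless a preset or the upgrade branch handles it. The upgrade branch begins at the last line of this hunk and its body is not shown, so this needs checking there. If that branch only restarts the agent, adding `systemctl enable --now gce-workload-cert-refresh.timer >/dev/null 2>&1 || :` to it would cover upgraded hosts.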
@@ -117,6 +125,7 @@
   systemctl --no-reload disable google-guest-agent.service >/dev/null 2>&1 || :
   systemctl --no-reload disable google-startup-scripts.service >/dev/null 2>&1 
|| :
   systemctl --no-reload disable google-shutdown-scripts.service >/dev/null 
2>&1 || :
+  systemctl --no-reload disable gce-workload-cert-refresh.timer >/dev/null 
2>&1 || :
   if [ -d /run/systemd/system ]; then
     systemctl stop google-guest-agent.service >/dev/null 2>&1 || :
   fi
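Review bot: On uninstall the new timer is disabled but never stopped, because the `if [ -d /run/systemd/system ]` block that follows stops only `google-guest-agent.service`. An already-running timer stays active after its unit file is removed and keeps trying to trigger the refresh service until the next reboot. Add `systemctl stop gce-workload-cert-refresh.timer >/dev/null 2>&1 || :` next to the existing stop line. The scriptlet begins outside this hunk.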

++++++ vendor.tar.gz ++++++
