This is an automated email from the ASF dual-hosted git repository.
dahn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/main by this push:
new e1b6093c64d add 'management.network.cidr' ip to mgmt certificate
(#7728)
e1b6093c64d is described below
commit e1b6093c64d5caaa7b3aac98695dae67140cd62d
Author: João Jandre <[email protected]>
AuthorDate: Thu Nov 2 05:32:27 2023 -0300
add 'management.network.cidr' ip to mgmt certificate (#7728)
---
.../cloudstack/ca/provider/RootCAProvider.java | 35 ++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git
a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
index f71274bbc88..69df700cf60 100644
---
a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
+++
b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
@@ -21,6 +21,8 @@ import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.SocketException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyPair;
@@ -37,6 +39,8 @@ import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -49,6 +53,7 @@ import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.bind.DatatypeConverter;
+import com.cloud.configuration.Config;
import org.apache.cloudstack.ca.CAManager;
import org.apache.cloudstack.framework.ca.CAProvider;
import org.apache.cloudstack.framework.ca.Certificate;
@@ -365,8 +370,12 @@ public final class RootCAProvider extends AdapterBase
implements CAProvider, Con
if (managementKeyStore != null) {
return true;
}
- final Certificate serverCertificate =
issueCertificate(Collections.singletonList(NetUtils.getHostName()),
- NetUtils.getAllDefaultNicIps(), getCaValidityDays());
+ List<String> nicIps = NetUtils.getAllDefaultNicIps();
+ addConfiguredManagementIp(nicIps);
+ nicIps = new ArrayList<>(new HashSet<>(nicIps));
+
+ final Certificate serverCertificate =
issueCertificate(Collections.singletonList(NetUtils.getHostName()), nicIps,
getCaValidityDays());
+
if (serverCertificate == null || serverCertificate.getPrivateKey() ==
null) {
throw new CloudRuntimeException("Failed to generate management
server certificate and load management server keystore");
}
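Review bot: `addConfiguredManagementIp(nicIps)` mutates the list returned by `NetUtils.getAllDefaultNicIps()` in place; if that helper returns an unmodifiable or shared list (its body is not in this diff), the `ipList.add(...)` inside the new helper either throws `UnsupportedOperationException` or leaks the extra addresses into whatever else holds that list. Copying first keeps the mutation local: `List<String> nicIps = new ArrayList<>(NetUtils.getAllDefaultNicIps());`. The dedupe through `new HashSet<>` also drops the insertion order of the SAN entries; `new ArrayList<>(new LinkedHashSet<>(nicIps))` deduplicates while keeping the original order, which makes the issued certificate easier to compare across restarts. Be aware that the helper, defined in the next hunk, rethrows `SocketException` as `CloudRuntimeException`, so management keystore setup now fails outright when interface enumeration fails, and it hands `configDao.getValue(Config.ManagementNetwork.key())` to `isIpWithInCidrRange` with no null/blank guard, so an unset setting depends on how that method treats `null`. The enclosing method starts before this hunk.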
@@ -384,6 +393,28 @@ public final class RootCAProvider extends AdapterBase
implements CAProvider, Con
return managementKeyStore != null;
}
+ protected void addConfiguredManagementIp(List<String> ipList) {
+ String msNetworkCidr =
configDao.getValue(Config.ManagementNetwork.key());
+ try {
+ LOG.debug(String.format("Trying to find management IP in CIDR
range [%s].", msNetworkCidr));
+ Enumeration<NetworkInterface> networkInterfaces =
NetworkInterface.getNetworkInterfaces();
+
+ networkInterfaces.asIterator().forEachRemaining(networkInterface
-> {
+
networkInterface.getInetAddresses().asIterator().forEachRemaining(inetAddress
-> {
+ if
(NetUtils.isIpWithInCidrRange(inetAddress.getHostAddress(), msNetworkCidr)) {
+ ipList.add(inetAddress.getHostAddress());
+ LOG.debug(String.format("Added IP [%s] to the list of
IPs in the management server's certificate.", inetAddress.getHostAddress()));
+ }
+ });
+ });
+ } catch (SocketException e) {
+ String msg = "Exception while trying to gather the management
server's network interfaces.";
+ LOG.error(msg, e);
+ throw new CloudRuntimeException(msg, e);
+ }
+ }
+
+
private boolean setupCA() {
if (!loadRootCAKeyPair() && !saveNewRootCAKeypair()) {
LOG.error("Failed to save and load root CA keypair");