In order to be able to extend the renew-crypto opcode,
we are adding a parameter for renewing the node SSL
certificates. This way, it can easily be broadened to
renew SSH keys as well, which is done in the following
patch.

Signed-off-by: Helga Velroyen <[email protected]>
---
 lib/client/gnt_cluster.py |  2 +-
 lib/cmdlib/cluster.py     | 17 ++++++++++++-----
 src/Ganeti/OpCodes.hs     |  3 ++-
 src/Ganeti/OpParams.hs    |  7 +++++++
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 962adbb..daa64d6 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -1049,7 +1049,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # 
pylint: disable=R0911
 
   if new_node_cert:
     cl = GetClient()
-    renew_op = opcodes.OpClusterRenewCrypto()
+    renew_op = opcodes.OpClusterRenewCrypto(node_certificates=new_node_cert)
     SubmitOpCode(renew_op, cl=cl)
 
   return 0
diff --git a/lib/cmdlib/cluster.py b/lib/cmdlib/cluster.py
index 5e48855..9b2e155 100644
--- a/lib/cmdlib/cluster.py
+++ b/lib/cmdlib/cluster.py
@@ -97,11 +97,15 @@ def _UpdateMasterClientCert(
 class LUClusterRenewCrypto(NoHooksLU):
   """Renew the cluster's crypto tokens.
 
-  Note that most of this operation is done in gnt_cluster.py, this LU only
-  takes care of the renewal of the client SSL certificates.
-
   """
-  def Exec(self, feedback_fn):
+
+  def _RenewNodeSslCertificates(self):
+    """Renews the nodes' SSL certificates.
+
+    Note that most of this operation is done in gnt_cluster.py, this LU only
+    takes care of the renewal of the client SSL certificates.
+
+    """
     master_uuid = self.cfg.GetMasterNode()
 
     server_digest = utils.GetCertificateDigest(
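Review bot: The paragraph moved into the `_RenewNodeSslCertificates` docstring still says "this LU only takes care of the renewal of the client SSL certificates", which no longer fits a method whose summary line is about node certificates. It will also be wrong for the LU once the SSH key renewal announced in the commit message is added. I would keep a class-level sentence such as `Note that most of this operation is done in gnt_cluster.py; this LU handles the parts that need the cluster configuration.` Let the method docstring say only what the method does, e.g. `Renews the nodes' SSL certificates and updates the candidate certificate entries in the configuration.` This is worded from the `AddNodeToCandidateCerts`/`RemoveNodeFromCandidateCerts` calls visible in the next hunk. The method body continues outside this hunk, so the wording should be checked against the full function.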
@@ -127,7 +131,10 @@ class LUClusterRenewCrypto(NoHooksLU):
           self.cfg.AddNodeToCandidateCerts(node_uuid, new_digest)
     self.cfg.RemoveNodeFromCandidateCerts("%s-SERVER" % master_uuid)
     self.cfg.RemoveNodeFromCandidateCerts("%s-OLDMASTER" % master_uuid)
-    # Trigger another update of the config now with the new master cert
+
+  def Exec(self, feedback_fn):
+    if self.op.node_certificates:
+      self._RenewNodeSslCertificates()
 
 
 class LUClusterActivateMasterIp(NoHooksLU):
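Review bot: `Exec` now finishes successfully without doing or reporting anything when `self.op.node_certificates` is false, and `pNodeSslCerts` in src/Ganeti/OpParams.hs defaults to `False`. An `OpClusterRenewCrypto` submitted without the parameter renewed the node certificates before this change and is now a silent no-op. The only submitter visible here (gnt_cluster.py) always sets it, but any other caller or a job queued before an upgrade would get a success status with no certificates rotated, which is easy to miss in a key-rotation procedure. `feedback_fn` is currently unused; consider `feedback_fn("Renewing node SSL certificates")` before the call, plus `else: feedback_fn("No crypto tokens selected for renewal; nothing was changed")`. Alternatively, reject an opcode with no renewal option set during argument checking.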
diff --git a/src/Ganeti/OpCodes.hs b/src/Ganeti/OpCodes.hs
index ac2fc0c..0fdcc05 100644
--- a/src/Ganeti/OpCodes.hs
+++ b/src/Ganeti/OpCodes.hs
@@ -266,7 +266,8 @@ $(genOpCode "OpCode"
   , ("OpClusterRenewCrypto",
      [t| () |],
      OpDoc.opClusterRenewCrypto,
-     [],
+     [ pNodeSslCerts
+     ],
      [])
   , ("OpQuery",
      [t| QueryResponse |],
diff --git a/src/Ganeti/OpParams.hs b/src/Ganeti/OpParams.hs
index 58c3c17..8bb7f70 100644
--- a/src/Ganeti/OpParams.hs
+++ b/src/Ganeti/OpParams.hs
@@ -282,6 +282,7 @@ module Ganeti.OpParams
   , pEnabledDiskTemplates
   , pEnabledUserShutdown
   , pAdminStateSource
+  , pNodeSslCerts
   ) where
 
 import Control.Monad (liftM, mplus)
@@ -1825,3 +1826,9 @@ pNetworkVlan :: Field
 pNetworkVlan =
   withDoc "Network vlan when connecting to a group" .
   defaultField [| "" |] $ stringField "network_vlan"
+
+pNodeSslCerts :: Field
+pNodeSslCerts =
+  withDoc "Whether to renew node SSL certificates" .
+  defaultField [| False |] $
+  simpleField "node_certificates" [t| Bool |]
-- 
2.0.0.526.g5318336
