On Tue, Sep 02, 2014 at 04:19:41PM +0200, 'Helga Velroyen' via ganeti-devel 
wrote:
In order to be enable to extend the renew-crypot opcode,

s/crypot/crypto/

(actually this typo could be a word :))

we are adding a parameter for renewing the node SSL
certificates. This way, it can easily be broadened to
renew SSH keys as well, which is done in the following
patch.

Signed-off-by: Helga Velroyen <[email protected]>
---
lib/client/gnt_cluster.py |  2 +-
lib/cmdlib/cluster.py     | 17 ++++++++++++-----
src/Ganeti/OpCodes.hs     |  3 ++-
src/Ganeti/OpParams.hs    |  7 +++++++
4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 69a3fdf..b6c7975 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -1060,7 +1060,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # 
pylint: disable=R0911

  if new_node_cert:
    cl = GetClient()
-    renew_op = opcodes.OpClusterRenewCrypto()
+    renew_op = opcodes.OpClusterRenewCrypto(node_certificates=new_node_cert)
    SubmitOpCode(renew_op, cl=cl)

  return 0
diff --git a/lib/cmdlib/cluster.py b/lib/cmdlib/cluster.py
index 0836feb..5674b07 100644
--- a/lib/cmdlib/cluster.py
+++ b/lib/cmdlib/cluster.py
@@ -97,11 +97,15 @@ def _UpdateMasterClientCert(
class LUClusterRenewCrypto(NoHooksLU):
  """Renew the cluster's crypto tokens.

-  Note that most of this operation is done in gnt_cluster.py, this LU only
-  takes care of the renewal of the client SSL certificates.
-
  """
-  def Exec(self, feedback_fn):
+
+  def _RenewNodeSslCertificates(self):
+    """Renews the nodes' SSL certificates.
+
+    Note that most of this operation is done in gnt_cluster.py, this LU only
+    takes care of the renewal of the client SSL certificates.
+
+    """
    master_uuid = self.cfg.GetMasterNode()

    server_digest = utils.GetCertificateDigest(
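Review bot: The docstring moved onto `_RenewNodeSslCertificates` contradicts itself: its summary says it renews the nodes' SSL certificates, while the note carried over from the class says "this LU only takes care of the renewal of the client SSL certificates", and "this LU" no longer fits a helper method. I would keep the LU-scope note in the class docstring, reworded for the new `node_certificates` switch, and have the method docstring state what the visible code does, for example `Renews the nodes' SSL certificates and updates the candidate certificate digests in the configuration.` The method body continues outside this hunk, so the wording should be checked against the full function.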
@@ -127,7 +131,10 @@ class LUClusterRenewCrypto(NoHooksLU):
          self.cfg.AddNodeToCandidateCerts(node_uuid, new_digest)
    self.cfg.RemoveNodeFromCandidateCerts("%s-SERVER" % master_uuid)
    self.cfg.RemoveNodeFromCandidateCerts("%s-OLDMASTER" % master_uuid)
-    # Trigger another update of the config now with the new master cert
+
+  def Exec(self, feedback_fn):
+    if self.op.node_certificates:
+      self._RenewNodeSslCertificates()


class LUClusterActivateMasterIp(NoHooksLU):
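Review bot: `Exec` now returns without doing or reporting anything when `self.op.node_certificates` is false, and the OpParams.hs hunk makes `False` the default, so an `OpClusterRenewCrypto` submitted without the field changes from renewing the certificates to a silent, successful no-op. For a key-rotation operation that should be visible, since an operator could take the successful job as proof that the certificates were replaced. `feedback_fn` is otherwise unused here and could report it: `else: feedback_fn("No crypto tokens selected for renewal, nothing was changed")`. The gnt_cluster.py hunk sets the field explicitly; whether other submitters of this opcode exist is not visible in the patch. `Exec` would also benefit from a one-line docstring such as `"""Renews the crypto tokens selected in the opcode."""`.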
diff --git a/src/Ganeti/OpCodes.hs b/src/Ganeti/OpCodes.hs
index b5b4991..4ebb222 100644
--- a/src/Ganeti/OpCodes.hs
+++ b/src/Ganeti/OpCodes.hs
@@ -268,7 +268,8 @@ $(genOpCode "OpCode"
  , ("OpClusterRenewCrypto",
     [t| () |],
     OpDoc.opClusterRenewCrypto,
-     [],
+     [ pNodeSslCerts
+     ],
     [])
  , ("OpQuery",
     [t| QueryResponse |],
diff --git a/src/Ganeti/OpParams.hs b/src/Ganeti/OpParams.hs
index 2b02280..f277065 100644
--- a/src/Ganeti/OpParams.hs
+++ b/src/Ganeti/OpParams.hs
@@ -284,6 +284,7 @@ module Ganeti.OpParams
  , pAdminStateSource
  , pEnableDataCollectors
  , pDisableDataCollectors
+  , pNodeSslCerts
  ) where

import Control.Monad (liftM, mplus)
@@ -1843,3 +1844,9 @@ pDisableDataCollectors =
  withDoc "Deactivate the data collectors" .
  defaultField [| emptyListSet |] $
  simpleField "disable_data_collectors" [t| ListSet String |]
+
+pNodeSslCerts :: Field
+pNodeSslCerts =
+  withDoc "Whether to renew node SSL certificates" .
+  defaultField [| False |] $
+  simpleField "node_certificates" [t| Bool |]
--
2.1.0.rc2.206.gedb03e5


LGTM, no need to resend
