On Thu, Jun 25, 2015 at 05:31:57PM +0200, 'Helga Velroyen' via ganeti-devel wrote:
> This patch extends bootstrap.py to not only create
> the cluster certificate but also the master node's
> client certificate.
>
> Signed-off-by: Helga Velroyen <[email protected]>
> ---
> lib/bootstrap.py | 16 ++++++++++++++--
> lib/client/gnt_cluster.py | 5 ++++-
> lib/cmdlib/cluster.py | 2 --
> lib/utils/security.py | 20 +++++++++++++++++++-
> tools/cfgupgrade | 9 ++++++++-
> 5 files changed, 45 insertions(+), 7 deletions(-)

> if not options.dry_run: > + # This creates the cluster certificate if it does not exist yet. > + # In this case, we do not automatically create a client certificate > + # as well, because if the cluster certificate did not exist before, > + # no client certificate will exist on any node yet. In this case > + # all client certificate should be renewed by 'gnt-cluster > + # renew-crypto --new-node-certificates'. This will be enforced > + # by a nagging warning in 'gnt-cluster verify'.

Adding warnings to cluster verify won't work: part of what 'gnt-cluster upgrade' does is running cluster verification and asserting 0 return value---which is not the case in the presence of warnings. So, by adding a warning to 'gnt-cluster verify' you remove any chance of gnt-cluster upgrade ever succeeding, which is probably not a good user experience.

--
Klaus Aehlig
Google Germany GmbH, Dienerstr. 12, 80331 Muenchen
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschaeftsfuehrer: Graham Law, Christine Elizabeth Flores
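Review bot: The comment added under `if not options.dry_run:` promises that client certificate renewal "will be enforced by a nagging warning in 'gnt-cluster verify'", but nothing in the quoted lines adds that warning or checks whether node client certificates exist, so the comment documents behaviour that lives elsewhere and can go stale. Suggest either pointing to the function that emits the warning or rewording the comment to describe only what this block does, and deciding first whether the mechanism should be a warning at all, given the reply's point that 'gnt-cluster upgrade' asserts a 0 return value from verification. Two wording nits in the same comment: "all client certificate should be renewed" should read "all client certificates", and two consecutive sentences start with "In this case", which makes it unclear which case the second one refers to.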
