Rotate certs on OS nodes with different CN #7815

Merged
merged 5 commits into from
Apr 18, 2023

@sandhi18 sandhi18 commented Apr 12, 2023

🔩 Description: What code changed, and why?

In the HA cluster, custom certs can be enabled on the OS nodes where different certs can be set for each node with a different CN. To preserve the behaviour after cert rotation as well, the certs should be rotated node-wise and all the nodes should be aware of each other's new CN.

PR contains the changes to ensure that all the OS nodes are aware of each other's CN post cert-rotation as well.

⛓️ Related Resources

https://chefio.atlassian.net/browse/CHEF-1024

👍 Definition of Done

  • Should be able to rotate the Root cert, the admin cert and the respective nodes cert.
  • Should be able to rotate the certs with different CN on each node

👟 How to Build and Test the Change

  • Check out this branch
  • Rebuild components/automate-ci and upload the hab pkg
  • Install the new cli in the bastion machine
  • Execute the cert-rotate commands as per the doc

✅ Checklist

All PRs must tick these:

With occasional exceptions, all PRs from Progress employees must tick these:

  • Is the code clear? (complicated code or lots of comments--subdivide and use well-named methods, meaningful variable names, etc.)
  • Consistency checked? (user notifications, user prompts, visual patterns, code patterns, variable names)
  • Repeated code blocks eliminated? (adapt and reuse existing components, blocks, functions, etc.)
  • Spelling, grammar, typos checked? (at a minimum use make spell in any component directory)
  • Code well-formatted? (indents, line breaks, etc. improve rather than hinder readability)

All PRs from Progress employees should tick these if appropriate:

  • Tests added/updated? (all new code needs new tests)
  • Docs added/updated? (all customer-facing changes)

Please add a note next to any checkbox above if you are NOT ticking it.

📷 Screenshots, if applicable

https://progresssoftware.sharepoint.com/:v:/s/ChefCoreC/EdLDtGycikVOv_YHuj3CT-ABLecYXhQf1Y_aMXi0mhETeQ?e=btGtEh
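
Added example (not code from this PR or from the Automate repository): one way to derive the set of subject DNs that every OpenSearch node has to trust after a per-node rotation, by reading them from the new node certificates rather than entering them by hand. The helper names `sampleCertPEM` and `peerDNs` and the self-signed sample certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sampleCertPEM returns a constructed self-signed certificate (demo input only).
func sampleCertPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn, Organization: []string{"Example"}, Country: []string{"US"}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// peerDNs returns the distinct subject DNs of the node certificates, in input
// order. It fails closed: one unparsable node certificate aborts the whole list.
func peerDNs(nodeCerts [][]byte) ([]string, error) {
	seen := map[string]bool{}
	var dns []string
	for i, c := range nodeCerts {
		block, _ := pem.Decode(c)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("node %d: no CERTIFICATE PEM block", i)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("node %d: %w", i, err)
		}
		if dn := cert.Subject.String(); !seen[dn] {
			seen[dn] = true
			dns = append(dns, dn)
		}
	}
	return dns, nil
}

func main() {
	dns, err := peerDNs([][]byte{sampleCertPEM("os-node-1"), sampleCertPEM("os-node-2")})
	fmt.Println(dns, err)
}
```

Comparing this list against the DNs currently configured on each node before and after rotation shows whether any peer would be rejected for presenting an unknown subject.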

netlify bot commented Apr 12, 2023

👷 Deploy Preview for chef-automate processing.

Name Link
🔨 Latest commit 811581e
🔍 Latest deploy log https://app.netlify.com/sites/chef-automate/deploys/643cd7c23d17cc0007746d04

@sandhi18 sandhi18 requested a review from prasad927 April 13, 2023 09:50
Signed-off-by: sandhi <sagarwal@progress.com>
Signed-off-by: sandhi <sagarwal@progress.com>
Signed-off-by: sandhi <sagarwal@progress.com>
@sandhi18 sandhi18 force-pushed the sandhi/cert-rotate-with-CN-per-node branch from d3e2c87 to fca44ab Compare April 13, 2023 10:30
Signed-off-by: sandhi <sagarwal@progress.com>
@@ -441,6 +466,27 @@ func (c *certRotateFlow) certRotateOS(sshUtil SSHUtil, certs *certificates, infr
return nil
}

func patchOSNodeDN(flagsObj *certRotateFlags, patchFnParam *patchFnParameters, c *certRotateFlow, nodesDn string) error {

peerconfig := fmt.Sprintf(OPENSEARCH_DN_CONFIG_FOR_PEERS, fmt.Sprintf("%v", nodesDn))
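
Review bot: in the first statement of patchOSNodeDN, nodesDn is formatted straight into OPENSEARCH_DN_CONFIG_FOR_PEERS with no validation or escaping. Subject DNs routinely contain commas, spaces, quotes and backslashes, so a value that breaks the template's quoting would yield a malformed or unintended peer config; validate or escape the DN list before formatting it. The inner fmt.Sprintf("%v", nodesDn) is a no-op because nodesDn is already a string and can be passed directly. The function also takes c *certRotateFlow as a parameter while the neighbouring certRotateOS is a method on that type, so making it a method would be more consistent.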
Should this be peerConfig?

Signed-off-by: sandhi <sagarwal@progress.com>
sonarcloud bot commented Apr 17, 2023

SonarCloud Quality Gate failed.

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 1 (rating A)
  • Coverage: 0.0%
  • Duplication: 0.0%

@vivek-yadav vivek-yadav merged commit 87ca367 into main Apr 18, 2023
@vivek-yadav vivek-yadav deleted the sandhi/cert-rotate-with-CN-per-node branch April 18, 2023 08:39