/*
Copyright 2021 The Cockroach Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package self_signer
import (
"log"
"os"
"time"
"github.com/spf13/cobra"
)
// rotateCmd wires the "rotate" sub-command into cobra. It only carries the
// usage text and the handler; all validation and work happens in rotate,
// which is registered as Run.
var rotateCmd = &cobra.Command{
	Run:   rotate,
	Use:   "rotate",
	Long:  `rotate sub-command rotates the CA cert, Node cert and Client certs`,
	Short: "rotates a CA, Node or Client certificate",
}
// Flag storage for the rotate sub-command. init binds these to cobra flags;
// rotate reads them once the command runs.
var (
	// Which certificate(s) to rotate. rotate rejects --ca combined with
	// --node or --client, so only one of the two flows runs per invocation.
	caFlag     bool
	nodeFlag   bool
	clientFlag bool

	// Cron schedules copied verbatim into the rotation config; this file
	// does not validate them.
	caCron            string
	nodeAndClientCron string

	// Raw duration strings; rotate parses them with time.ParseDuration.
	readinessWait    string
	podUpdateTimeout string
)
// init attaches rotateCmd to rootCmd and declares its flags. The selector
// flags default to off and the cron schedules to empty; the two wait values
// default to "30s" (readiness wait per replica) and "2m" (pod update
// timeout) and are parsed later by rotate.
func init() {
	rootCmd.AddCommand(rotateCmd)

	f := rotateCmd.Flags()
	f.BoolVar(&clientFlag, "client", false, "if set rotates client certificate")
	f.BoolVar(&nodeFlag, "node", false, "if set rotates node certificate")
	f.BoolVar(&caFlag, "ca", false, "if set rotates ca certificate")
	f.StringVar(&caCron, "ca-cron", "", "cron of the CA certificate rotation cron")
	f.StringVar(&nodeAndClientCron, "node-client-cron", "", "cron of the node and client certificate rotation cron")
	f.StringVar(&readinessWait, "readiness-wait", "30s", "readiness wait for each replica of crdb cluster")
	f.StringVar(&podUpdateTimeout, "pod-update-timeout", "2m", "time to wait for statefulset pod to restart and get to running state")
}
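// rotate is the Run handler for rotateCmd. It validates the flag
// combination, builds the rotation config from the package-level
// duration/expiry settings, and hands it to genCert.Do for the namespace
// named by the NAMESPACE environment variable.
//
// Rules enforced before any work starts:
//   - --ca is exclusive with --node/--client, and at least one of the three
//     must be set;
//   - --readiness-wait and --pod-update-timeout must parse as Go durations
//     and must not be negative;
//   - NAMESPACE must be set and non-empty.
//
// Every failure is reported through log.Panic*, matching the rest of this
// file; nothing here recovers, so the process aborts with the message in
// the log.
func rotate(cmd *cobra.Command, args []string) {
	// CA rotation and leaf (node/client) rotation are separate flows.
	// NOTE(review): presumably so leaf certs are never re-issued while the
	// trusted CA set is changing underneath them; confirm against genCert.Do.
	if (clientFlag || nodeFlag) && caFlag {
		log.Panic("CA and (Node or client) can't be rotated at the same time. Only CA or (Node and Client) can be " +
			"rotated at a time")
	}
	if !(clientFlag || nodeFlag || caFlag) {
		log.Panic("None of the CA, Node and client is provided for cert rotation")
	}

	genCert, err := getInitialConfig(caDuration, caExpiry, nodeDuration, nodeExpiry, clientDuration, clientExpiry)
	if err != nil {
		// log.Panic rather than a bare panic so the failure is logged with a
		// timestamp like every other error path in this command.
		log.Panic(err)
	}

	// os.LookupEnv reports an exported-but-empty variable as present, so the
	// emptiness check is needed on top of the existence check; otherwise an
	// empty namespace would be passed straight through to genCert.Do.
	namespace, exists := os.LookupEnv("NAMESPACE")
	if !exists {
		log.Panic("Required NAMESPACE env not found")
	}
	if namespace == "" {
		log.Panic("Required NAMESPACE env is empty")
	}

	genCert.ReadinessWait = parseNonNegativeDuration("readiness-wait", readinessWait)
	genCert.PodUpdateTimeout = parseNonNegativeDuration("pod-update-timeout", podUpdateTimeout)
	genCert.CaSecret = caSecret
	genCert.RotateCACert = caFlag
	genCert.RotateClientCert = clientFlag
	genCert.RotateNodeCert = nodeFlag
	// The cron strings are forwarded as-is; any validation of their syntax
	// happens, if at all, inside genCert.Do.
	genCert.CACronSchedule = caCron
	genCert.NodeAndClientCronSchedule = nodeAndClientCron

	if err := genCert.Do(ctx, namespace); err != nil {
		log.Panic(err)
	}
}

// parseNonNegativeDuration parses the raw value of the named duration flag
// and panics (via log.Panicf) if it is malformed or negative.
// time.ParseDuration happily accepts "-30s"; what genCert.Do would do with a
// negative wait or timeout is not visible from here, so it is rejected up
// front rather than silently forwarded.
func parseNonNegativeDuration(flagName, raw string) time.Duration {
	d, err := time.ParseDuration(raw)
	if err != nil {
		log.Panicf("failed to parse %s duration %s", flagName, err.Error())
	}
	if d < 0 {
		log.Panicf("%s must not be negative, got %s", flagName, d)
	}
	return d
}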