Revision 0aee8ee9 lib/bootstrap.py
| b/lib/bootstrap.py | ||
|---|---|---|
| 88 | 88 |
backup=True) |
| 89 | 89 |
|
| 90 | 90 |
|
| 91 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_spice_cert, |
|
| 92 |
new_confd_hmac_key, new_cds, |
|
| 93 |
rapi_cert_pem=None, spice_cert_pem=None, |
|
| 94 |
spice_cacert_pem=None, cds=None, |
|
| 91 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key, |
|
| 92 |
new_cds, rapi_cert_pem=None, cds=None, |
|
| 95 | 93 |
nodecert_file=constants.NODED_CERT_FILE, |
| 96 | 94 |
rapicert_file=constants.RAPI_CERT_FILE, |
| 97 |
spicecert_file=constants.SPICE_CERT_FILE, |
|
| 98 |
spicecacert_file=constants.SPICE_CACERT_FILE, |
|
| 99 | 95 |
hmackey_file=constants.CONFD_HMAC_KEY, |
| 100 | 96 |
cds_file=constants.CLUSTER_DOMAIN_SECRET_FILE): |
| 101 | 97 |
"""Updates the cluster certificates, keys and secrets. |
| ... | ... | |
| 104 | 100 |
@param new_cluster_cert: Whether to generate a new cluster certificate |
| 105 | 101 |
@type new_rapi_cert: bool |
| 106 | 102 |
@param new_rapi_cert: Whether to generate a new RAPI certificate |
| 107 |
@type new_spice_cert: bool |
|
| 108 |
@param new_spice_cert: Whether to generate a new SPICE certificate |
|
| 109 | 103 |
@type new_confd_hmac_key: bool |
| 110 | 104 |
@param new_confd_hmac_key: Whether to generate a new HMAC key |
| 111 | 105 |
@type new_cds: bool |
| 112 | 106 |
@param new_cds: Whether to generate a new cluster domain secret |
| 113 | 107 |
@type rapi_cert_pem: string |
| 114 | 108 |
@param rapi_cert_pem: New RAPI certificate in PEM format |
| 115 |
@type spice_cert_pem: string |
|
| 116 |
@param spice_cert_pem: New SPICE certificate in PEM format |
|
| 117 |
@type spice_cacert_pem: string |
|
| 118 |
@param spice_cacert_pem: Certificate of the CA that signed the SPICE |
|
| 119 |
certificate, in PEM format |
|
| 120 | 109 |
@type cds: string |
| 121 | 110 |
@param cds: New cluster domain secret |
| 122 | 111 |
@type nodecert_file: string |
| 123 | 112 |
@param nodecert_file: optional override of the node cert file path |
| 124 | 113 |
@type rapicert_file: string |
| 125 | 114 |
@param rapicert_file: optional override of the rapi cert file path |
| 126 |
@type spicecert_file: string |
|
| 127 |
@param spicecert_file: optional override of the spice cert file path |
|
| 128 |
@type spicecacert_file: string |
|
| 129 |
@param spicecacert_file: optional override of the spice CA cert file path |
|
| 130 | 115 |
@type hmackey_file: string |
| 131 | 116 |
@param hmackey_file: optional override of the hmac key file path |
| 132 | 117 |
|
| ... | ... | |
| 160 | 145 |
logging.debug("Generating new RAPI certificate at %s", rapicert_file)
|
| 161 | 146 |
utils.GenerateSelfSignedSslCert(rapicert_file) |
| 162 | 147 |
|
| 163 |
# SPICE |
|
| 164 |
spice_cert_exists = os.path.exists(spicecert_file) |
|
| 165 |
spice_cacert_exists = os.path.exists(spicecacert_file) |
|
| 166 |
if spice_cert_pem: |
|
| 167 |
# spice_cert_pem implies also spice_cacert_pem |
|
| 168 |
logging.debug("Writing SPICE certificate at %s", spicecert_file)
|
|
| 169 |
utils.WriteFile(spicecert_file, data=spice_cert_pem, backup=True) |
|
| 170 |
logging.debug("Writing SPICE CA certificate at %s", spicecacert_file)
|
|
| 171 |
utils.WriteFile(spicecacert_file, data=spice_cacert_pem, backup=True) |
|
| 172 |
elif new_spice_cert or not spice_cert_exists: |
|
| 173 |
if spice_cert_exists: |
|
| 174 |
utils.CreateBackup(spicecert_file) |
|
| 175 |
if spice_cacert_exists: |
|
| 176 |
utils.CreateBackup(spicecacert_file) |
|
| 177 |
|
|
| 178 |
logging.debug("Generating new self-signed SPICE certificate at %s",
|
|
| 179 |
spicecert_file) |
|
| 180 |
(_, cert_pem) = utils.GenerateSelfSignedSslCert(spicecert_file) |
|
| 181 |
|
|
| 182 |
# Self-signed certificate -> the public certificate is also the CA public |
|
| 183 |
# certificate |
|
| 184 |
logging.debug("Writing the public certificate to %s",
|
|
| 185 |
spicecert_file) |
|
| 186 |
utils.io.WriteFile(spicecacert_file, mode=0400, data=cert_pem) |
|
| 187 |
|
|
| 188 | 148 |
# Cluster domain secret |
| 189 | 149 |
if cds: |
| 190 | 150 |
logging.debug("Writing cluster domain secret to %s", cds_file)
|
| ... | ... | |
| 206 | 166 |
|
| 207 | 167 |
""" |
| 208 | 168 |
# Generate cluster secrets |
| 209 |
GenerateClusterCrypto(True, False, False, False, False)
|
|
| 169 |
GenerateClusterCrypto(True, False, False, False) |
|
| 210 | 170 |
|
| 211 | 171 |
result = utils.RunCmd([constants.DAEMON_UTIL, "start", constants.NODED]) |
| 212 | 172 |
if result.failed: |
Also available in: Unified diff