Revision 60cc531d lib/bootstrap.py
b/lib/bootstrap.py | ||
---|---|---|
92 | 92 |
|
93 | 93 |
|
94 | 94 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_spice_cert, |
95 |
new_confd_hmac_key, new_cds, |
|
95 |
new_confd_hmac_key, new_cds, new_node_client_cert,
|
|
96 | 96 |
rapi_cert_pem=None, spice_cert_pem=None, |
97 | 97 |
spice_cacert_pem=None, cds=None, |
98 | 98 |
nodecert_file=pathutils.NODED_CERT_FILE, |
99 |
nodecert_client_file=pathutils.NODED_CLIENT_CERT_FILE, |
|
99 | 100 |
rapicert_file=pathutils.RAPI_CERT_FILE, |
100 | 101 |
spicecert_file=pathutils.SPICE_CERT_FILE, |
101 | 102 |
spicecacert_file=pathutils.SPICE_CACERT_FILE, |
... | ... | |
113 | 114 |
@param new_confd_hmac_key: Whether to generate a new HMAC key |
114 | 115 |
@type new_cds: bool |
115 | 116 |
@param new_cds: Whether to generate a new cluster domain secret |
117 |
@type new_node_client_cert: bool |
|
118 |
@param new_node_client_cert: Whether to generate a new node (SSL) |
|
119 |
client certificate |
|
116 | 120 |
@type rapi_cert_pem: string |
117 | 121 |
@param rapi_cert_pem: New RAPI certificate in PEM format |
118 | 122 |
@type spice_cert_pem: string |
... | ... | |
124 | 128 |
@param cds: New cluster domain secret |
125 | 129 |
@type nodecert_file: string |
126 | 130 |
@param nodecert_file: optional override of the node cert file path |
131 |
@type nodecert_client_file: string |
|
132 |
@param nodecert_client_file: optional override of the node client certificate |
|
133 |
file path |
|
127 | 134 |
@type rapicert_file: string |
128 | 135 |
@param rapicert_file: optional override of the rapi cert file path |
129 | 136 |
@type spicecert_file: string |
... | ... | |
135 | 142 |
|
136 | 143 |
""" |
137 | 144 |
# noded SSL certificate |
138 |
cluster_cert_exists = os.path.exists(nodecert_file) |
|
139 |
if new_cluster_cert or not cluster_cert_exists: |
|
140 |
if cluster_cert_exists: |
|
141 |
utils.CreateBackup(nodecert_file) |
|
145 |
utils.GenerateNewSslCert( |
|
146 |
new_cluster_cert, nodecert_file, |
|
147 |
"Generating new cluster certificate at %s" % nodecert_file) |
|
142 | 148 |
|
143 |
logging.debug("Generating new cluster certificate at %s", nodecert_file) |
|
144 |
utils.GenerateSelfSignedSslCert(nodecert_file) |
|
149 |
# noded client SSL certificate (to be used only by this very node) |
|
150 |
utils.GenerateNewSslCert( |
|
151 |
new_node_client_cert, nodecert_client_file, |
|
152 |
"Generating new node client certificate at %s" % nodecert_client_file) |
|
145 | 153 |
|
146 | 154 |
# confd HMAC key |
147 | 155 |
if new_confd_hmac_key or not os.path.exists(hmackey_file): |
148 | 156 |
logging.debug("Writing new confd HMAC key to %s", hmackey_file) |
149 | 157 |
GenerateHmacKey(hmackey_file) |
150 | 158 |
|
151 |
# RAPI |
|
152 |
rapi_cert_exists = os.path.exists(rapicert_file) |
|
153 |
|
|
154 | 159 |
if rapi_cert_pem: |
155 | 160 |
# Assume rapi_pem contains a valid PEM-formatted certificate and key |
156 | 161 |
logging.debug("Writing RAPI certificate at %s", rapicert_file) |
157 | 162 |
utils.WriteFile(rapicert_file, data=rapi_cert_pem, backup=True) |
158 | 163 |
|
159 |
elif new_rapi_cert or not rapi_cert_exists: |
|
160 |
if rapi_cert_exists: |
|
161 |
utils.CreateBackup(rapicert_file) |
|
162 |
|
|
163 |
logging.debug("Generating new RAPI certificate at %s", rapicert_file) |
|
164 |
utils.GenerateSelfSignedSslCert(rapicert_file) |
|
164 |
else: |
|
165 |
utils.GenerateNewSslCert( |
|
166 |
new_rapi_cert, rapicert_file, |
|
167 |
"Generating new RAPI certificate at %s" % rapicert_file) |
|
165 | 168 |
|
166 | 169 |
# SPICE |
167 | 170 |
spice_cert_exists = os.path.exists(spicecert_file) |
... | ... | |
209 | 212 |
|
210 | 213 |
""" |
211 | 214 |
# Generate cluster secrets |
212 |
GenerateClusterCrypto(True, False, False, False, False) |
|
215 |
GenerateClusterCrypto(True, False, False, False, False, True)
|
|
213 | 216 |
|
214 | 217 |
result = utils.RunCmd([pathutils.DAEMON_UTIL, "start", constants.NODED]) |
215 | 218 |
if result.failed: |
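Review bot: Inserting `new_node_client_cert` ahead of `rapi_cert_pem` and `nodecert_client_file` ahead of `rapicert_file` in the `GenerateClusterCrypto` signature shifts every later parameter. Any caller outside this section that passes those positionally would bind a PEM blob or a path to the wrong slot without an error, so a certificate and key could be written to an unintended file. Only the call at new line 215 is visible here, and six bare booleans are easy to misorder; it would be safer as `GenerateClusterCrypto(True, False, False, False, False, new_node_client_cert=True)`, with the new path option appended after the existing file keywords. `utils.GenerateNewSslCert` is not shown, so it is worth confirming that it still backs up an existing file as the removed `utils.CreateBackup` lines did, and that the new client certificate file is created with owner-only permissions. Both `GenerateClusterCrypto` and the function containing the line 215 call extend beyond the lines shown.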