Skip to content

Add ability to force cert regeneration #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
briandowns merged 5 commits into from
Nov 15, 2021
Merged

Add ability to force cert regeneration #43

briandowns merged 5 commits into from
Nov 15, 2021

Conversation

@briandowns
Copy link
Contributor

@briandowns briandowns commented Oct 26, 2021

Signed-off-by: Brian Downs [email protected]

@briandowns briandowns self-assigned this Oct 26, 2021
@briandowns
check if function not nil
c32129b 
Signed-off-by: Brian Downs <[email protected]>
@briandowns briandowns changed the title [WIP] - add ability to force cert regeneration Add ability to force cert regeneration Oct 27, 2021
@briandowns briandowns requested a review from a team October 27, 2021 16:02
Oats87
Oats87 approved these changes Oct 27, 2021
View reviewed changes
Copy link

@Oats87 Oats87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I almost wonder if there is merit in figuring out how to add logging here for the purposes of knowing when certs are getting regenerated; however, I'm not sure that putting log messages in NewX makes sense. Conundrum.

brandond
brandond requested changes Oct 27, 2021
View reviewed changes
@brandond
Copy link
Member

brandond commented Oct 27, 2021
edited
Loading

@Oats87 I believe that I added logging to all cert signing operations a while back, so the call to l.factory.Renew(secret) should trigger an Info-level log message.

dynamiclistener/factory/cert_utils.go

Lines 106 to 107 in 6b37dc1

logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)

@briandowns
add comment
c60fd2c 
Signed-off-by: Brian Downs <[email protected]>
@briandowns briandowns requested a review from brandond October 28, 2021 16:46
@briandowns briandowns mentioned this pull request Oct 28, 2021
Closed
1 task
brandond
brandond requested changes Oct 28, 2021
View reviewed changes
@briandowns
update implementation
47e116e 
Signed-off-by: Brian Downs <[email protected]>
@briandowns
update implementation
e18c780 
Signed-off-by: Brian Downs <[email protected]>
@brandond
Copy link
Member

brandond commented Nov 12, 2021
edited
Loading

Just want to be clear in the terminology used here about regenerating certs vs renewing them. It is very important to Rancher that the cert is just renewed and not actually regenerated, as generating a new cert makes the browser suspicious and will break websockets.

@briandowns
Copy link
Contributor Author

briandowns commented Nov 12, 2021

This operation would generate a new certificate needed for the certificate rotation work.

@briandowns briandowns requested a review from brandond November 15, 2021 19:40
brandond
brandond approved these changes Nov 15, 2021
View reviewed changes
Copy link
Member

@brandond brandond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, my apologies. This is not intended to be used to force renewal; the expected behavior is to repopulate the secret with a completely new key and certificate, retaining only the CNs from the current certificate.

@briandowns briandowns merged commit 27f4642 into rancher:master Nov 15, 2021
briandowns added a commit to briandowns/dynamiclistener that referenced this pull request Nov 15, 2021
@briandowns
Add ability to force cert regeneration (rancher#43)
51583ef 
* add ability to force cert regeneration

Signed-off-by: Brian Downs <[email protected]>
briandowns added a commit that referenced this pull request Nov 15, 2021
@briandowns
Add ability to force cert regeneration (#43) (#48)
2df892b 
* add ability to force cert regeneration
galal-hussein pushed a commit to galal-hussein/rancher-dynamiclistener that referenced this pull request Dec 3, 2021
@briandowns @galal-hussein
Add ability to force cert regeneration (rancher#43)
11104ec 
* add ability to force cert regeneration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brandond brandond brandond approved these changes

@galal-hussein galal-hussein galal-hussein approved these changes

@Oats87 Oats87 Oats87 approved these changes

Assignees

@briandowns briandowns

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@briandowns @brandond @galal-hussein @Oats87