This repository has been archived by the owner on Jun 25, 2024. It is now read-only.

ensure that cert keys are prefixed by the canonical_hostname
previously the cert keys used node.hostname directly

node.hostName could be empty, in which case it defaults to the
node name, a hostname or an fqdn

As a result the secret field names of the tls.key, tls.crt and
ca.crt were not stable or predictable.

ansible has 3 possible values it could use to correlate to the
prefix. inventory_hostname, which is the short name
i.e. node.hostname.split('.')[0]

{{ hostvars['inventory_hostname']['canonical_hostname'] }}
This is set to the controlplane network fqdn

{{ ansible_hostname }} this is only available after gathering facts
and is the hostname reported by the host as if hostname -f was run
{{ ansible_hostname }} is not always available, which leaves the first
two options.

we could normalise on the hostname, i.e. the short hostname, and use
inventory_hostname; this patch uses canonical_hostname instead
to ensure that if we have two nodes with the same shortname but different
fqdn we can support that in the future.
SeanMooney committed Mar 12, 2024
1 parent c672cf9 commit a8a7dd3
Showing 1 changed file with 18 additions and 4 deletions.
22 changes: 18 additions & 4 deletions pkg/deployment/cert.go
@@ -19,6 +19,7 @@ package deployment
import (
"context"
"fmt"
"reflect"
"strings"
"time"

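Review bot: the `reflect` import added here exists only to test whether a string is empty (the later hunk does `field := reflect.ValueOf(basename)` followed by `field.IsZero()`); a plain `basename == ""` comparison gives the same result without the extra import and without a reflection call per node. Suggest dropping this import line together with the reflect call.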
@@ -51,7 +52,7 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,

// for each node in the nodeset, issue all the TLS certs needed based on the
// ips or DNS Names
for _, node := range instance.Spec.Nodes {
for nodeName, node := range instance.Spec.Nodes {
var dnsNames map[infranetworkv1.NetNameStr]string
var ipsMap map[infranetworkv1.NetNameStr]string
var hosts []string
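Review bot: `nodeName` is the map key of `instance.Spec.Nodes` and is later used as the key into `allHostnames`; a one-line comment here stating that `allHostnames` is keyed by the same node name would help, because a key mismatch would send every node down the hostname fallback path with only a log line to show for it.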
@@ -132,10 +133,23 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,
// TODO(alee) Add an owner reference to the secret so it can be monitored
// We'll do this once stuggi adds a function to do this in libcommon

// NOTE: we are assuming that there will always be a ctlplane network
// that means if you are not using network isolation with multiple networks
// you should still need to have a ctlplane network at a minimum to use tls-e
basename := allHostnames[nodeName][CtlPlaneNetwork]
// in case the control plane network is not present we will fall back to the
// hostname, and log a warning.
field := reflect.ValueOf(basename)
if field.IsZero() {
basename = hostName
helper.GetLogger().Error(fmt.Errorf(
"control plane network not found for node %s, falling back to hostname", nodeName),
"tls-e requires a control plane network to be present")
}
// To use this cert, add it to the relevant service data
certsData[hostName+"-tls.key"] = certSecret.Data["tls.key"]
certsData[hostName+"-tls.crt"] = certSecret.Data["tls.crt"]
certsData[hostName+"-ca.crt"] = certSecret.Data["ca.crt"]
certsData[basename+"-tls.key"] = certSecret.Data["tls.key"]
certsData[basename+"-tls.crt"] = certSecret.Data["tls.crt"]
certsData[basename+"-ca.crt"] = certSecret.Data["ca.crt"]
}

// create a secret to hold the certs for the service
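Review bot: the fallback at `basename = hostName` lacks a duplicate-key check and can silently overwrite another node's entries in `certsData`: the three lines `certsData[basename+"-tls.key"] = ...`, `-tls.crt` and `-ca.crt` are plain map assignments, so two nodes that both fall back to the same short hostname (exactly the case the commit message wants canonical_hostname to handle) leave one node's private key and certificate replaced by the other's in the service secret, with no error returned. Suggest either returning an error instead of logging and continuing (the log text itself says tls-e requires a control plane network), or checking `if _, exists := certsData[basename+"-tls.key"]; exists {` before the assignments and failing on a collision. Minor: `reflect.ValueOf(basename).IsZero()` on a string is just `basename == ""`, and indexing a nil inner map already yields `""` safely, so the reflect call can go.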