From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>, pmg-devel@lists.proxmox.com
Subject: [pmg-devel] applied-series: [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
Date: Tue, 16 Mar 2021 19:18:31 +0100	[thread overview]
Message-ID: <b5c1a2b9-4aa9-9d74-eced-67426d56ca76@proxmox.com> (raw)
In-Reply-To: <20210315220135.25988-1-s.ivanov@proxmox.com>

On 15.03.21 23:01, Stoiko Ivanov wrote:
> Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
> does fetch some information via API call.
> Whenever one of the nodes in a cluster changes its api-certificate the
> cluster-synchronization breaks (see [0]).
> 
> This series addresses the issue by adding an api-call (proxied to master),
> which connects to all nodes defined in the cluster via `ssh` and fetches
> the current api-certificate fingerprint (by running `openssl x509`) and
> updating the cluster.conf.
> All nodes in the cluster sync the config (via rsync) at the beginning of
> each synchronization and thus will eventually get the updated fingerprint,
> before trying to connect to another node via API (with pinned certificate
> fingerprint)
> 
> the last patch is the addition of that mechanism to the new PMG certificate
> management series by Wolfgang.
> 
> [0]
> https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669
> 
> Stoiko Ivanov (6):
>   cluster: refactor rsync_command
>   cluster: add helper to get remote cert fingerprint
>   api: cluster: add update-fingerprints call
>   cluster: add trigger_update_fingerprints
>   pmgcm: add trigger-update-fingerprint
>   api: certificates: trigger fingerprint update
> 
>  src/PMG/API2/Certificates.pm |  6 ++++
>  src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
>  src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
>  src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
>  4 files changed, 125 insertions(+), 3 deletions(-)
> 

applied series, much thanks!

FYI: I did some small (whitespace/indentation) and some medium followups:
* dropped the "trigger-" from the pmgcm "update-fingerprints" command, two
  verbs just sound a little weird
* do not make it an error to call that update method if there's no cluster,
  just note that nothing will be done
* in the api call I used $cid instead of $d->{cid}, which is the same FWICT
  from checking cluster config parser and basic sanity expectations I have
  still left; That avoids nested hash access and allows for shorter code.
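
The fingerprint pinning and re-pinning that the cover letter describes, as an added illustration that is neither PMG's own (Perl) code nor any patch from this series: the fingerprint is SHA-256 over the certificate's DER bytes in the colon-separated form `openssl x509` prints, a node's pin is compared in constant time, and after renewal the pin only passes again once the stored fingerprint is updated. The PEM payloads, the one-node cluster map and its `ip`/`fingerprint` keys are constructed placeholders, not the real cluster.conf format.

```python
import base64
import hashlib
import hmac
import re

def _pem_wrap(der: bytes) -> str:
    """Wrap raw bytes as a PEM block; the payload is constructed, not a real certificate."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for one node's API certificate before and after renewal.
OLD_CERT_PEM = _pem_wrap(b"constructed-cert-before-renewal")
NEW_CERT_PEM = _pem_wrap(b"constructed-cert-after-renewal")

def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -noout -fingerprint -sha256`."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_openssl_fingerprint(line: str) -> str:
    """Normalize the value of the `SHA256 Fingerprint=AA:BB:...` line openssl prints."""
    _, _, value = line.partition("=")
    return value.strip().upper()

def pin_matches(pinned: str, presented: str) -> bool:
    """Constant-time check of the fingerprint a peer presents against the pinned one."""
    return hmac.compare_digest(pinned.upper(), presented.upper())

def update_fingerprint(cluster: dict, cid: int, new_fp: str) -> dict:
    """Re-pin node `cid` in a simplified cluster map (assumed layout, not real cluster.conf)."""
    updated = dict(cluster)
    updated[cid] = dict(cluster[cid], fingerprint=new_fp)
    return updated

def rotation_scenario() -> tuple:
    """Pin check before renewal, after renewal without an update, and after the update."""
    cluster = {1: {"ip": "192.0.2.1", "fingerprint": fingerprint_from_pem(OLD_CERT_PEM)}}
    presented_before = fingerprint_from_pem(OLD_CERT_PEM)
    presented_after = fingerprint_from_pem(NEW_CERT_PEM)
    ok_before = pin_matches(cluster[1]["fingerprint"], presented_before)
    ok_after_rotation = pin_matches(cluster[1]["fingerprint"], presented_after)
    cluster = update_fingerprint(cluster, 1, presented_after)
    ok_after_update = pin_matches(cluster[1]["fingerprint"], presented_after)
    return ok_before, ok_after_rotation, ok_after_update
```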