public inbox for pmg-devel@lists.proxmox.com
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
Date: Mon, 15 Mar 2021 23:01:29 +0100	[thread overview]
Message-ID: <20210315220135.25988-1-s.ivanov@proxmox.com> (raw)

Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
does fetch some information via API call.
Whenever one of the nodes in a cluster changes its api-certificate the
cluster-synchronization breaks (see [0]).

This series addresses the issue by adding an api-call (proxied to master),
which connects to all nodes defined in the cluster via `ssh` and fetches
the current api-certificate fingerprint (by running `openssl x509`) and
updating the cluster.conf.
All nodes in the cluster sync the config (via rsync) at the beginning of
each synchronization and thus will eventually get the updated fingerprint,
before trying to connect to another node via API (with pinned certificate
fingerprint).

The last patch is the addition of that mechanism to the new PMG certificate
management series by Wolfgang.

[0]
https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669

Stoiko Ivanov (6):
  cluster: refactor rsync_command
  cluster: add helper to get remote cert fingerprint
  api: cluster: add update-fingerprints call
  cluster: add trigger_update_fingerprints
  pmgcm: add trigger-update-fingerprint
  api: certificates: trigger fingerprint update

 src/PMG/API2/Certificates.pm |  6 ++++
 src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
 src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
 src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
 4 files changed, 125 insertions(+), 3 deletions(-)

-- 
2.20.1
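The fetch-and-pin mechanism the cover letter describes (connect to each node over `ssh`, read the current API certificate fingerprint with `openssl x509`, and rewrite the pinned value in cluster.conf) as an added shell example. This is not code from the series or from PMG itself: the certificate path, the simplified cluster.conf layout (`master:`/`node:` section headers with indented `fingerprint` lines), the node list and all function names are assumptions made for the example. The normalisation step accepts both the `SHA256 Fingerprint=` (OpenSSL 1.1) and `sha256 Fingerprint=` (OpenSSL 3) output labels and rejects anything that is not a 32-byte SHA-256 fingerprint, so a garbled remote answer can never be written into the config.

```shell
#!/bin/sh
# Added example (not PMG's own code): fetch a node's API certificate
# fingerprint over ssh, normalise it, and rewrite the pinned value in a
# cluster.conf-style file. Paths, the config layout and the node names
# below are assumptions made for this example.
set -eu

# Assumed location of the API certificate on a node.
CERT_PATH=/etc/pmg/pmg-api.pem

# Run `openssl x509` on the remote node and print its raw fingerprint line.
# BatchMode prevents an interactive password prompt from hanging a cron run.
remote_fingerprint_raw() {
    node_ip=$1
    ssh -o BatchMode=yes "root@$node_ip" \
        "openssl x509 -noout -fingerprint -sha256 -in $CERT_PATH"
}

# Normalise "SHA256 Fingerprint=ab:cd:..." (or the lower-case "sha256"
# label) to upper-case colon-separated hex.  Fails unless the value is
# exactly 32 bytes (95 characters), so only a well-formed SHA-256
# fingerprint is ever stored.
normalize_fingerprint() {
    fp=$(printf '%s\n' "$1" \
        | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' \
        | tr 'a-f' 'A-F')
    if [ -z "$fp" ]; then
        echo "unparsable fingerprint line: $1" >&2
        return 1
    fi
    if [ "${#fp}" -ne 95 ]; then
        echo "unexpected fingerprint length: $fp" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# Print the fingerprint currently pinned for <node> in <conf>.
pinned_fingerprint() {
    conf=$1; node=$2
    awk -v node="$node" '
        /^(master|node): / { cur = $2 }
        cur == node && $1 == "fingerprint" { print $2 }
    ' "$conf"
}

# Replace the `fingerprint` line inside the section of <node> in <conf>.
# Writes to a temporary file first so a crash cannot leave a half-written
# config behind.
update_fingerprint() {
    conf=$1; node=$2; newfp=$3
    awk -v node="$node" -v fp="$newfp" '
        /^(master|node): / { cur = $2 }
        cur == node && $1 == "fingerprint" { print "  fingerprint " fp; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Driver: refresh the pinned fingerprint of one node, touching the config
# only when the value actually changed.  Not exercised by the test below
# because it needs ssh access to a real node.
refresh_node() {
    conf=$1; node=$2; ip=$3
    raw=$(remote_fingerprint_raw "$ip")
    fp=$(normalize_fingerprint "$raw")
    if [ "$fp" != "$(pinned_fingerprint "$conf" "$node")" ]; then
        update_fingerprint "$conf" "$node" "$fp"
        echo "updated fingerprint of $node"
    fi
}
```

Usage: `refresh_node /etc/pmg/cluster.conf pmg2 10.0.0.2` for each node in the cluster; on a master this would run for every configured node and the rsync at the start of the next synchronization distributes the result, which is exactly the flow the cover letter relies on.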
Thread overview (8+ messages):
2021-03-15 22:01 Stoiko Ivanov [this message]
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 1/6] cluster: refactor rsync_command Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 2/6] cluster: add helper to get remote cert fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 3/6] api: cluster: add update-fingerprints call Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 4/6] cluster: add trigger_update_fingerprints Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 5/6] pmgcm: add trigger-update-fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 6/6] api: certificates: trigger fingerprint update Stoiko Ivanov
2021-03-16 18:18 ` [pmg-devel] applied-series: [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster Thomas Lamprecht
