From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
Date: Mon, 15 Mar 2021 23:01:29 +0100
Message-ID: <20210315220135.25988-1-s.ivanov@proxmox.com>
Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
does fetch some information via API call.
Whenever one of the nodes in a cluster changes its api-certificate the
cluster-synchronization breaks (see [0]).
This series addresses the issue by adding an api-call (proxied to master),
which connects to all nodes defined in the cluster via `ssh`, fetches
the current api-certificate fingerprint (by running `openssl x509`) and
updates the cluster.conf.
All nodes in the cluster sync the config (via rsync) at the beginning of
each synchronization and thus will eventually get the updated fingerprint
before trying to connect to another node via API (with pinned certificate
fingerprint).
The last patch is the addition of that mechanism to the new PMG certificate
management series by Wolfgang.
[0] https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669
Stoiko Ivanov (6):
cluster: refactor rsync_command
cluster: add helper to get remote cert fingerprint
api: cluster: add update-fingerprints call
cluster: add trigger_update_fingerprints
pmgcm: add trigger-update-fingerprint
api: certificates: trigger fingerprint update
src/PMG/API2/Certificates.pm | 6 ++++
src/PMG/API2/Cluster.pm | 40 +++++++++++++++++++++++
src/PMG/CLI/pmgcm.pm | 21 +++++++++++++
src/PMG/Cluster.pm | 61 ++++++++++++++++++++++++++++++++++--
4 files changed, 125 insertions(+), 3 deletions(-)
--
2.20.1
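As an added illustration, not code from this series or from PMG, a small shell sketch of the mechanism the cover letter describes: fetch a node's API-certificate fingerprint over ssh with `openssl x509`, validate it, and rewrite the pinned value in a config file. The certificate path, the `root@` ssh login and the `fingerprint <node> <hex>` line format are assumptions, not the real cluster.conf layout.

```shell
#!/bin/sh
# Added example, not PMG's own code. Assumed: the API certificate lives at
# $PMG_API_CERT on every node (placeholder path) and the config holds one
# "fingerprint <node> <hex>" line per node (assumed layout, not cluster.conf's).
PMG_API_CERT="${PMG_API_CERT:-/path/to/api-cert.pem}"

# Turn "SHA256 Fingerprint=AB:CD:..." (openssl x509 output) into the bare hex string.
parse_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p'
}

# Fetch the current API certificate fingerprint from a node over ssh, as the
# cover letter describes (runs `openssl x509` remotely). Needs network access.
fetch_fingerprint() {
    node="$1"
    out=$(ssh "root@$node" openssl x509 -noout -fingerprint -sha256 -in "$PMG_API_CERT") || return 1
    parse_fingerprint "$out"
}

# Replace the pinned fingerprint for $node in $conf. Refuse values that are not a
# well-formed SHA256 fingerprint so a garbled ssh/openssl result is never pinned,
# and refuse nodes that are not already listed (an unknown node is not added).
update_fingerprint() {
    conf="$1"; node="$2"; fp="$3"
    printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 2
    grep -q "^fingerprint $node " "$conf" || return 3
    tmp=$(mktemp) || return 1
    awk -v n="$node" -v f="$fp" '$1=="fingerprint" && $2==n {$3=f} {print}' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Read back the pinned fingerprint for node $1 from config file $2.
pinned_fingerprint() {
    awk -v n="$1" '$1=="fingerprint" && $2==n {print $3}' "$2"
}
```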
Thread overview: 8+ messages
2021-03-15 22:01 Stoiko Ivanov [this message]
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 1/6] cluster: refactor rsync_command Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 2/6] cluster: add helper to get remote cert fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 3/6] api: cluster: add update-fingerprints call Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 4/6] cluster: add trigger_update_fingerprints Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 5/6] pmgcm: add trigger-update-fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 6/6] api: certificates: trigger fingerprint update Stoiko Ivanov
2021-03-16 18:18 ` [pmg-devel] applied-series: [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster Thomas Lamprecht