public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster
@ 2021-03-15 22:01 Stoiko Ivanov
From: Stoiko Ivanov @ 2021-03-15 22:01 UTC (permalink / raw)
  To: pmg-devel

Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
does fetch some information via API call.
Whenever one of the nodes in a cluster changes its api-certificate the
cluster-synchronization breaks (see [0]).

This series addresses the issue by adding an api-call (proxied to master),
which connects to all nodes defined in the cluster via `ssh` and fetches
the current api-certificate fingerprint (by running `openssl x509`) and
updates the cluster.conf.
All nodes in the cluster sync the config (via rsync) at the beginning of
each synchronization and thus will eventually get the updated fingerprint,
before trying to connect to another node via API (with pinned certificate
fingerprint).

The last patch is the addition of that mechanism to the new PMG certificate
management series by Wolfgang.

[0]
https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669

Stoiko Ivanov (6):
  cluster: refactor rsync_command
  cluster: add helper to get remote cert fingerprint
  api: cluster: add update-fingerprints call
  cluster: add trigger_update_fingerprints
  pmgcm: add trigger-update-fingerprint
  api: certificates: trigger fingerprint update

 src/PMG/API2/Certificates.pm |  6 ++++
 src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
 src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
 src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
 4 files changed, 125 insertions(+), 3 deletions(-)

-- 
2.20.1
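
The failure and the repair described in the cover letter above, as an added example (not code from the patch series, which is Perl). Assumptions: a SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints, a plain dict standing in for the pins in cluster.conf, a hypothetical `fetch_cert` callback standing in for the ssh fetch, and constructed sample "certificates".

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pinned: str, presented_pem: str) -> bool:
    """The check a pinning API client makes before talking to a peer."""
    return hmac.compare_digest(pinned.upper(), cert_fingerprint(presented_pem))


def update_fingerprints(pins: dict, fetch_cert) -> list:
    """Master-side refresh: re-read every node's certificate over the
    already trusted channel (hypothetical `fetch_cert`) and rewrite stale
    pins. Returns the names of the nodes whose pin changed."""
    changed = []
    for node in sorted(pins):
        current = cert_fingerprint(fetch_cert(node))
        if not hmac.compare_digest(pins[node], current):
            pins[node] = current
            changed.append(node)
    return changed


def _fake_pem(der: bytes) -> str:
    # Constructed sample: arbitrary bytes in a PEM wrapper, not a real certificate.
    return ssl.DER_cert_to_PEM_cert(der)


def demo():
    certs = {"node1": _fake_pem(b"node1-cert-v1"),
             "node2": _fake_pem(b"node2-cert-v1")}
    pins = {name: cert_fingerprint(pem) for name, pem in certs.items()}
    certs["node2"] = _fake_pem(b"node2-cert-v2")   # node2 replaces its API certificate
    broken = not pin_matches(pins["node2"], certs["node2"])   # stale pin: API sync fails
    changed = update_fingerprints(pins, certs.__getitem__)    # master refreshes the pins
    repaired = pin_matches(pins["node2"], certs["node2"])
    return broken, changed, repaired


if __name__ == "__main__":
    print(demo())
```

The refresh is only as trustworthy as the channel `fetch_cert` uses, which is why the series reads the new fingerprint over the existing ssh trust rather than accepting whatever certificate the API endpoint presents.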






Thread overview: 8+ messages
2021-03-15 22:01 [pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 1/6] cluster: refactor rsync_command Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 2/6] cluster: add helper to get remote cert fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 3/6] api: cluster: add update-fingerprints call Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 4/6] cluster: add trigger_update_fingerprints Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 5/6] pmgcm: add trigger-update-fingerprint Stoiko Ivanov
2021-03-15 22:01 ` [pmg-devel] [PATCH pmg-api 6/6] api: certificates: trigger fingerprint update Stoiko Ivanov
2021-03-16 18:18 ` [pmg-devel] applied-series: [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster Thomas Lamprecht
