Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Accept client certs from node, system:admin, and bootstrap SA

During greenfield installs the node's client certificate is generated by
the bootstrap CA. However in certain situations during an upgrade we see
that the client certificate is generated using the node's identity. So
approve those as well.
Scott Dodson 6 years ago
parent
3913d6b7ee
commit
3cf5dbf748
3 changed files with 28 additions and 24 deletions
Split View Show Diff Stats
  1. 14 12
      roles/lib_openshift/library/oc_adm_csr.py
  2. 1 1
      roles/lib_openshift/src/ansible/oc_adm_csr.py
  3. 13 11
      roles/lib_openshift/src/class/oc_adm_csr.py

+ 14 - 12
roles/lib_openshift/library/oc_adm_csr.py
View File 

@@ -1558,13 +1558,14 @@ class OCcsr(OpenShiftCLI):
 
             if node['name'] in self.get_csr_request(csr['spec']['request']):
 
                 node['csrs'][csr['metadata']['name']] = csr
 
 
-                # server: check that the username is the node and type is 'Approved'
 
-                if node['name'] in csr['spec']['username'] and csr['status']:
 
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
 
+                # client certs may come in as either the service_account or as the node during upgrade
 
+                # server certs always come in as the node
 
+                if ((node['name'] in csr['spec']['username'] or
 
+                     csr['spec']['username'] in [self.service_account, 'system:admin']) and
 
+                        csr['status'] and csr['status']['conditions'][0]['type'] == 'Approved'):
 
+                    if 'server auth' in csr['spec']['usages']:
 
                         node['server_accepted'] = True
 
-                # client: check that the username is not the node and type is 'Approved'
 
-                if node['name'] not in csr['spec']['username'] and csr['status']:
 
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
 
+                    if 'client auth' in csr['spec']['usages']:
 
                         node['client_accepted'] = True
 
                 # check type is 'Denied' and mark node as such
 
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
 
@@ -1615,11 +1616,12 @@ class OCcsr(OpenShiftCLI):
 
 
                     # mark node as accepted in our list of nodes
 
                     # we will use {client,server}_accepted fields to determine if we're finished
 
-                    if node['name'] not in csr['spec']['username']:
 
-                        node['client_accepted'] = True
 
-
 
-                    if node['name'] in csr['spec']['username']:
 
-                        node['server_accepted'] = True
 
+                    if (node['name'] in csr['spec']['username'] or
 
+                            csr['spec']['username'] in [self.service_account, 'system:admin']):
 
+                        if 'server auth' in csr['spec']['usages']:
 
+                            node['server_accepted'] = True
 
+                        if 'client auth' in csr['spec']['usages']:
 
+                            node['client_accepted'] = True
 
 
                 results.append(result)
 
 
@@ -1705,7 +1707,7 @@ def main():
 
             nodes=dict(default=None, type='list'),
 
             timeout=dict(default=30, type='int'),
 
             approve_all=dict(default=False, type='bool'),
 
-            service_account=dict(default='node-bootstrapper', type='str'),
 
+            service_account=dict(default='system:serviceaccount:openshift-infra:node-bootstrapper', type='str'),
 
             fail_on_timeout=dict(default=False, type='bool'),
 
         ),
 
         supports_check_mode=True,

+ 1 - 1
roles/lib_openshift/src/ansible/oc_adm_csr.py
View File 

@@ -15,7 +15,7 @@ def main():
 
             nodes=dict(default=None, type='list'),
 
             timeout=dict(default=30, type='int'),
 
             approve_all=dict(default=False, type='bool'),
 
-            service_account=dict(default='node-bootstrapper', type='str'),
 
+            service_account=dict(default='system:serviceaccount:openshift-infra:node-bootstrapper', type='str'),
 
             fail_on_timeout=dict(default=False, type='bool'),
 
         ),
 
         supports_check_mode=True,

+ 13 - 11
roles/lib_openshift/src/class/oc_adm_csr.py
View File 

@@ -89,13 +89,14 @@ class OCcsr(OpenShiftCLI):
 
             if node['name'] in self.get_csr_request(csr['spec']['request']):
 
                 node['csrs'][csr['metadata']['name']] = csr
 
 
-                # server: check that the username is the node and type is 'Approved'
 
-                if node['name'] in csr['spec']['username'] and csr['status']:
 
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
 
+                # client certs may come in as either the service_account or as the node during upgrade
 
+                # server certs always come in as the node
 
+                if ((node['name'] in csr['spec']['username'] or
 
+                     csr['spec']['username'] in [self.service_account, 'system:admin']) and
 
+                        csr['status'] and csr['status']['conditions'][0]['type'] == 'Approved'):
 
+                    if 'server auth' in csr['spec']['usages']:
 
                         node['server_accepted'] = True
 
-                # client: check that the username is not the node and type is 'Approved'
 
-                if node['name'] not in csr['spec']['username'] and csr['status']:
 
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
 
+                    if 'client auth' in csr['spec']['usages']:
 
                         node['client_accepted'] = True
 
                 # check type is 'Denied' and mark node as such
 
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
 
@@ -146,11 +147,12 @@ class OCcsr(OpenShiftCLI):
 
 
                     # mark node as accepted in our list of nodes
 
                     # we will use {client,server}_accepted fields to determine if we're finished
 
-                    if node['name'] not in csr['spec']['username']:
 
-                        node['client_accepted'] = True
 
-
 
-                    if node['name'] in csr['spec']['username']:
 
-                        node['server_accepted'] = True
 
+                    if (node['name'] in csr['spec']['username'] or
 
+                            csr['spec']['username'] in [self.service_account, 'system:admin']):
 
+                        if 'server auth' in csr['spec']['usages']:
 
+                            node['server_accepted'] = True
 
+                        if 'client auth' in csr['spec']['usages']:
 
+                            node['client_accepted'] = True
 
 
                 results.append(result)