Based on the implementation, I'll generate a concise commit message that captures the essence of the changes:
feat: implement PKI initialization and leader mTLS certificate generation
@ -12,6 +12,7 @@ import (
|
||||
|
||||
"git.dws.rip/dubey/kat/internal/config"
|
||||
"git.dws.rip/dubey/kat/internal/leader"
|
||||
"git.dws.rip/dubey/kat/internal/pki"
|
||||
"git.dws.rip/dubey/kat/internal/store"
|
||||
"github.com/google/uuid"
|
||||
"github.com/spf13/cobra"
|
||||
@ -43,6 +44,7 @@ const (
|
||||
clusterUIDKey = "/kat/config/cluster_uid"
|
||||
clusterConfigKey = "/kat/config/cluster_config" // Stores the JSON of pb.ClusterConfigurationSpec
|
||||
defaultNodeName = "kat-node"
|
||||
leaderCertCN = "leader.kat.cluster.local" // Common Name for leader certificate
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -69,6 +71,25 @@ func runInit(cmd *cobra.Command, args []string) {
|
||||
// config.SetClusterConfigDefaults(parsedClusterConfig)
|
||||
log.Printf("Successfully parsed and applied defaults to cluster configuration: %s", parsedClusterConfig.Metadata.Name)
|
||||
|
||||
// 1.5. Initialize PKI directory and CA if it doesn't exist
|
||||
pkiDir := pki.GetPKIPathFromClusterConfig(parsedClusterConfig.Spec.BackupPath)
|
||||
caKeyPath := filepath.Join(pkiDir, "ca.key")
|
||||
caCertPath := filepath.Join(pkiDir, "ca.crt")
|
||||
|
||||
// Check if CA already exists
|
||||
_, caKeyErr := os.Stat(caKeyPath)
|
||||
_, caCertErr := os.Stat(caCertPath)
|
||||
|
||||
if os.IsNotExist(caKeyErr) || os.IsNotExist(caCertErr) {
|
||||
log.Printf("CA key or certificate not found. Generating new CA in %s", pkiDir)
|
||||
if err := pki.GenerateCA(pkiDir, caKeyPath, caCertPath); err != nil {
|
||||
log.Fatalf("Failed to generate CA: %v", err)
|
||||
}
|
||||
log.Println("Successfully generated new CA key and certificate")
|
||||
} else {
|
||||
log.Println("CA key and certificate already exist, skipping generation")
|
||||
}
|
||||
|
||||
// Prepare etcd embed config
|
||||
// For a single node init, this node is the only peer.
|
||||
// Client URLs and Peer URLs will be based on its own configuration.
|
||||
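Review bot: The existence check at `if os.IsNotExist(caKeyErr) || os.IsNotExist(caCertErr)` treats any other Stat error (e.g. permission denied) as "already exists" and skips generation, so the later signing step fails far from the cause; add `if (caKeyErr != nil && !os.IsNotExist(caKeyErr)) || (caCertErr != nil && !os.IsNotExist(caCertErr)) { log.Fatalf("checking CA files: %v / %v", caKeyErr, caCertErr) }` before the branch. The same condition also regenerates the whole CA when only one of `ca.key`/`ca.crt` is missing, which silently invalidates every certificate previously issued by the surviving CA; a half-present PKI directory is safer reported as an error than repaired by overwriting. GenerateCA is outside this hunk, so I cannot see the file modes it uses — worth confirming that `ca.key` is written 0600 and `pkiDir` 0700, since this key signs the cluster's mTLS certificates. runInit begins and ends outside the hunk.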
@ -137,6 +158,31 @@ func runInit(cmd *cobra.Command, args []string) {
|
||||
} else {
|
||||
log.Printf("Cluster UID already exists in etcd. Skipping storage.")
|
||||
}
|
||||
|
||||
// Generate leader's server certificate for mTLS
|
||||
leaderKeyPath := filepath.Join(pkiDir, "leader.key")
|
||||
leaderCSRPath := filepath.Join(pkiDir, "leader.csr")
|
||||
leaderCertPath := filepath.Join(pkiDir, "leader.crt")
|
||||
|
||||
// Check if leader cert already exists
|
||||
_, leaderCertErr := os.Stat(leaderCertPath)
|
||||
if os.IsNotExist(leaderCertErr) {
|
||||
log.Println("Generating leader server certificate for mTLS")
|
||||
|
||||
// Generate key and CSR for leader
|
||||
if err := pki.GenerateCertificateRequest(leaderCertCN, leaderKeyPath, leaderCSRPath); err != nil {
|
||||
log.Printf("Failed to generate leader key and CSR: %v", err)
|
||||
} else {
|
||||
// Sign the CSR with our CA
|
||||
if err := pki.SignCertificateRequest(caKeyPath, caCertPath, leaderCSRPath, leaderCertPath, 365*24*time.Hour); err != nil {
|
||||
log.Printf("Failed to sign leader CSR: %v", err)
|
||||
} else {
|
||||
log.Println("Successfully generated and signed leader server certificate")
|
||||
}
|
||||
}
|
||||
} else {
|
||||
log.Println("Leader certificate already exists, skipping generation")
|
||||
}
|
||||
|
||||
// Store ClusterConfigurationSpec (as JSON)
|
||||
// We store Spec because Metadata might change (e.g. resourceVersion)
|
||||
|