Configuration Structure For Certificate Renewal (Part 1 of the certificate renewal command feature) #9780
Conversation
|
Hi @howard-junec. Thanks for your PR. I'm waiting for a aws member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
4fa0f09 to
7f3bd53
Compare
cmd/eksctl-anywhere/cmd/renew.go
Outdated
| var renewCmd = &cobra.Command{ | ||
| Use: "renew", | ||
| Short: "renew resources", | ||
| Long: "Use eksctl anywhere renew to renew resources, such as clusters", |
There was a problem hiding this comment.
| Long: "Use eksctl anywhere renew to renew resources, such as clusters", | |
| Long: "Use eksctl anywhere renew to renew cluster resources", |
| var renewCertificatesCmd = &cobra.Command{ | ||
| Use: "certificates", | ||
| Short: "Renew certificates for cluster components", | ||
| Long: `Renew certificates for etcd and control plane nodes in EKS Anywhere cluster. |
There was a problem hiding this comment.
Let's not add these details in the command description. We should add it in our docs.
| Long: `Renew certificates for etcd and control plane nodes in EKS Anywhere cluster. | |
| Long: `Renew external ETCD and control plane certificates. |
|
|
||
| var renewCertificatesCmd = &cobra.Command{ | ||
| Use: "certificates", | ||
| Short: "Renew certificates for cluster components", |
There was a problem hiding this comment.
| Short: "Renew certificates for cluster components", | |
| Short: "Renew certificates", |
| renewCmd.AddCommand(renewCertificatesCmd) | ||
|
|
||
| renewCertificatesCmd.Flags().StringVarP(&rc.configFile, "config", "f", "", "Config file containing node and SSH information") | ||
| renewCertificatesCmd.Flags().StringVarP(&rc.clusterName, "cluster-name", "n", "", "Name of the cluster to renew certificates for") |
There was a problem hiding this comment.
For now, can we focus on a scenario where certificates are already expired? The reason is we would have to take ssh-key for control plane and external etcd both. In this case, I would want to see if we can use the same config file as an input to avoid confusion.
| renewCertificatesCmd.Flags().StringVarP(&rc.configFile, "config", "f", "", "Config file containing node and SSH information") | ||
| renewCertificatesCmd.Flags().StringVarP(&rc.clusterName, "cluster-name", "n", "", "Name of the cluster to renew certificates for") | ||
| renewCertificatesCmd.Flags().StringVarP(&rc.component, "component", "c", "", "Component to renew certificates for (etcd or control-plane). If not specified, renews both.") | ||
| renewCertificatesCmd.Flags().StringVar(&rc.sshKey, "ssh-key", "", "SSH private key file (required when using --cluster-name)") |
There was a problem hiding this comment.
Can we remove this to focus on already expired certificates?
There was a problem hiding this comment.
For renewing already expired certificates, do we still want to keep the --component flag, or should we just rely on the config file approach and remove the options for --component etcd and --component control-plane.
| return nil | ||
| } | ||
|
|
||
| func (rc *renewCertificatesOptions) renewCertificates(cmd *cobra.Command) error { |
There was a problem hiding this comment.
We would have to change below validations based on taking just a config file as an input.
| cluster.Name = config.ClusterName | ||
| } | ||
|
|
||
| renewer, err := certificates.NewRenewer() |
There was a problem hiding this comment.
since these are in a different PR, can we return nil for the scope of this PR?
pkg/certificates/config.go
Outdated
| } | ||
|
|
||
| if err := validateNodeConfig(&config.ControlPlane, "control plane"); err != nil { | ||
| return err |
There was a problem hiding this comment.
| return err | |
| return fmt.Errorf("validating control plane %v, err") |
pkg/certificates/config.go
Outdated
| return fmt.Errorf("at least one control plane node is required") | ||
| } | ||
|
|
||
| if err := validateNodeConfig(&config.ControlPlane, "control plane"); err != nil { |
There was a problem hiding this comment.
Let's not pass "control plane" or "etcd" as another param for error message. We can do something like below.
pkg/certificates/cluster_config.go
Outdated
There was a problem hiding this comment.
let's have this file when we add feature for valid certificates.
|
|
||
| config, err := certificates.ParseConfig(rc.configFile) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to parse config file: %v", err) |
There was a problem hiding this comment.
| return fmt.Errorf("failed to parse config file: %v", err) | |
| return fmt.Errorf("parsing config file: %v", err) |
|
/lgtm |
pkg/certificates/config.go
Outdated
| if config.OS == "" { | ||
| return fmt.Errorf("OS is required") | ||
| } | ||
| if config.OS != "ubuntu" && config.OS != "rhel" && config.OS != "redhat" && config.OS != "bottlerocket" { |
There was a problem hiding this comment.
Not sure if we need "rhel", and can we use the OSFamily variables in our code
https://github.com/aws/eks-anywhere/blob/main/pkg/api/v1alpha1/machine_types.go#L8
There was a problem hiding this comment.
Yes, I delete the "rhel", and use the OSFamily variables.
pkg/certificates/config.go
Outdated
| } | ||
|
|
||
| if _, err := os.Stat(config.SSHKey); err != nil { | ||
| return fmt.Errorf("SSH key file: %v", err) |
There was a problem hiding this comment.
| return fmt.Errorf("SSH key file: %v", err) | |
| return fmt.Errorf("retrieving SSH key file information: %v", err) |
| renewCmd.AddCommand(renewCertificatesCmd) | ||
| renewCertificatesCmd.Flags().StringVarP(&rc.configFile, "config", "f", "", "Config file containing node and SSH information") | ||
| renewCertificatesCmd.Flags().StringVarP(&rc.component, "component", "c", "", "Component to renew certificates for (etcd or control-plane). If not specified, renews both.") | ||
| } |
There was a problem hiding this comment.
| } | |
| if err := renewCertificatesCmd.MarkFlagRequired("config"); err != nil { | |
| log.Fatalf("marking config as required: %s", err) | |
| } | |
| } |
so that we don't need to manually check if config is empty
| return err | ||
| } | ||
|
|
||
| if rc.configFile == "" { |
There was a problem hiding this comment.
can be removed after we mark "config" as required
|
/lgtm |
|
/ok-to-test |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov ReportAttention: Patch coverage is
❌ Your patch status has failed because the patch coverage (8.10%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #9780 +/- ##
==========================================
- Coverage 69.85% 69.76% -0.10%
==========================================
Files 672 675 +3
Lines 50165 50239 +74
==========================================
+ Hits 35045 35051 +6
- Misses 13329 13396 +67
- Partials 1791 1792 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Issue #, if available:
Description of changes:
This PR includes add core configuration structures and validation for the certificate renewal command. This includes:
This is part 1 of the certificate renewal feature, focusing on configuration handling. The actual certificate renewal implementation will follow in a separate PR.
The command now supports input config file
Example:
eksctl anywhere renew certificates [--config <file-path>] [--component <etcd|control-plane>]:user can renew certificates by:
eksctl anywhere renew certificates --config config.yaml(renew by the config file)eksctl anywhere renew certificates --config config.yaml --component etcd(only renew etcd)eksctl anywhere renew certificates --config config.yaml --component control-plane(only renew control-plane)Example Config file:
Testing (if applicable):
Documentation added/planned (if applicable):
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.