mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-10-15 09:31:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
talos/internal/app/machined/pkg/controllers/etcd/pki.go
Andrey Smirnov 6fc38bae69
fix: iterate over etcd members endpoints for member promotion 
This uses all available (potential) etcd endpoints, which includes the
member being promoted as well. We avoid failures by iterating over the
list of endpoints on each attempt to make sure each and every endpoint
is tried.

Part of #5889

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2022-08-02 00:16:33 +04:00

149 lines
4.2 KiB
Go
Raw Blame History

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package etcd
import (
"context"
"fmt"
"os"
"github.com/cosi-project/runtime/pkg/controller"
"github.com/cosi-project/runtime/pkg/resource"
"github.com/cosi-project/runtime/pkg/safe"
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/go-pointer"
"github.com/talos-systems/crypto/x509"
"go.uber.org/zap"
"github.com/talos-systems/talos/pkg/filetree"
"github.com/talos-systems/talos/pkg/machinery/constants"
"github.com/talos-systems/talos/pkg/machinery/resources/etcd"
"github.com/talos-systems/talos/pkg/machinery/resources/secrets"
)
// PKIController renders manifests based on templates and config/secrets.
type PKIController struct{}
// Name implements controller.Controller interface.
func (ctrl *PKIController) Name() string {
return "etcd.PKIController"
}
// Inputs implements controller.Controller interface.
func (ctrl *PKIController) Inputs() []controller.Input {
return []controller.Input{
{
Namespace: secrets.NamespaceName,
Type: secrets.EtcdRootType,
ID: pointer.To(secrets.EtcdRootID),
Kind: controller.InputWeak,
},
{
Namespace: secrets.NamespaceName,
Type: secrets.EtcdType,
ID: pointer.To(secrets.EtcdID),
Kind: controller.InputWeak,
},
}
}
// Outputs implements controller.Controller interface.
func (ctrl *PKIController) Outputs() []controller.Output {
return []controller.Output{
{
Type: etcd.PKIStatusType,
Kind: controller.OutputExclusive,
},
}
}
// Run implements controller.Controller interface.
//
//nolint:gocyclo
func (ctrl *PKIController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
for {
select {
case <-ctx.Done():
return nil
case <-r.EventCh():
}
rootScrts, err := safe.ReaderGet[*secrets.EtcdRoot](ctx, r, resource.NewMetadata(secrets.NamespaceName, secrets.EtcdRootType, secrets.EtcdRootID, resource.VersionUndefined))
if err != nil {
if state.IsNotFoundError(err) {
continue
}
return fmt.Errorf("error getting root secrets: %w", err)
}
scrts, err := safe.ReaderGet[*secrets.Etcd](ctx, r, resource.NewMetadata(secrets.NamespaceName, secrets.EtcdType, secrets.EtcdID, resource.VersionUndefined))
if err != nil {
if state.IsNotFoundError(err) {
continue
}
return fmt.Errorf("error getting secrets: %w", err)
}
if err = os.MkdirAll(constants.EtcdPKIPath, 0o700); err != nil {
return err
}
if err = os.WriteFile(constants.EtcdCACert, rootScrts.TypedSpec().EtcdCA.Crt, 0o400); err != nil {
return fmt.Errorf("failed to write CA certificate: %w", err)
}
if err = os.WriteFile(constants.EtcdCAKey, rootScrts.TypedSpec().EtcdCA.Key, 0o400); err != nil {
return fmt.Errorf("failed to write CA key: %w", err)
}
etcdCerts := scrts.TypedSpec()
for _, keypair := range []struct {
getter func() *x509.PEMEncodedCertificateAndKey
keyPath string
certPath string
}{
{
getter: func() *x509.PEMEncodedCertificateAndKey { return etcdCerts.Etcd },
keyPath: constants.EtcdKey,
certPath: constants.EtcdCert,
},
{
getter: func() *x509.PEMEncodedCertificateAndKey { return etcdCerts.EtcdPeer },
keyPath: constants.EtcdPeerKey,
certPath: constants.EtcdPeerCert,
},
{
getter: func() *x509.PEMEncodedCertificateAndKey { return etcdCerts.EtcdAdmin },
keyPath: constants.EtcdAdminKey,
certPath: constants.EtcdAdminCert,
},
} {
if err = os.WriteFile(keypair.keyPath, keypair.getter().Key, 0o400); err != nil {
return err
}
if err = os.WriteFile(keypair.certPath, keypair.getter().Crt, 0o400); err != nil {
return err
}
}
if err = filetree.ChownRecursive(constants.EtcdPKIPath, constants.EtcdUserID, constants.EtcdUserID); err != nil {
return nil
}
if err = safe.WriterModify(ctx, r, etcd.NewPKIStatus(etcd.NamespaceName, etcd.PKIID), func(status *etcd.PKIStatus) error {
status.TypedSpec().Ready = true
status.TypedSpec().Version = scrts.Metadata().Version().String()
return nil
}); err != nil {
return fmt.Errorf("error updating PKI status: %w", err)
}
}
}
Reference in New Issue View Git Blame Copy Permalink