Merge pull request #33 from starbops/fix-4511

fix(certs): auto-install ca retrieved from rancher
rancher · Dec 6, 2023 · 1ae847b · 1ae847b
2 parents 07e84b1 + 951e368
commit 1ae847b
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/pkg/cacerts/cacerts.go b/pkg/cacerts/cacerts.go
@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/rancher/rancherd/pkg/tpm"
+	"github.com/rancher/system-agent/pkg/applyinator"
 	"github.com/rancher/wrangler/pkg/randomtoken"
 )
 
@@ -161,6 +162,29 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 	return data, hashHex(data), nil
 }
 
+func ToUpdateCACertificatesInstruction() (*applyinator.Instruction, error) {
+	cmd := "update-ca-certificates"
+
+	return &applyinator.Instruction{
+		Name:       "update-ca-certificates",
+		SaveOutput: true,
+		Command:    cmd,
+	}, nil
+}
+
+func ToFile(server, token string) (*applyinator.File, error) {
+	cacert, _, err := CACerts(server, token, true)
+	if err != nil {
+		return nil, err
+	}
+
+	return &applyinator.File{
+		Content:     base64.StdEncoding.EncodeToString(cacert),
+		Path:        "/etc/pki/trust/anchors/embedded-rancher-ca.pem",
+		Permissions: "0644",
+	}, nil
+}
+
 func hashHex(token []byte) string {
 	hash := sha256.Sum256(token)
 	return hex.EncodeToString(hash[:])

diff --git a/pkg/plan/bootstrap.go b/pkg/plan/bootstrap.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/rancher/system-agent/pkg/applyinator"
 
+	"github.com/rancher/rancherd/pkg/cacerts"
 	"github.com/rancher/rancherd/pkg/config"
 	"github.com/rancher/rancherd/pkg/discovery"
 	"github.com/rancher/rancherd/pkg/join"
@@ -50,9 +51,15 @@ func toJoinPlan(cfg *config.Config, dataDir string) (*applyinator.Plan, error) {
 	}
 
 	plan := plan{}
+	if err := plan.addFile(cacerts.ToFile(cfg.Server, cfg.Token)); err != nil {
+		return nil, err
+	}
 	if err := plan.addFile(join.ToScriptFile(cfg, dataDir)); err != nil {
 		return nil, err
 	}
+	if err := plan.addInstruction(cacerts.ToUpdateCACertificatesInstruction()); err != nil {
+		return nil, err
+	}
 	if err := plan.addInstruction(join.ToInstruction(cfg, dataDir)); err != nil {
 		return nil, err
 	}
@@ -202,6 +209,7 @@ func (p *plan) addFiles(cfg *config.Config, dataDir string) error {
 
 	// rancher values.yaml
 	return p.addFile(rancher.ToFile(cfg, dataDir))
+
 }
 
 func (p *plan) addFile(file *applyinator.File, err error) error {

diff --git a/pkg/rancher/wait.go b/pkg/rancher/wait.go
@@ -44,7 +44,7 @@ func ToWaitSUCInstruction(imageOverride, systemDefaultRegistry, k8sVersion strin
 		return nil, fmt.Errorf("resolving location of %s: %w", os.Args[0], err)
 	}
 	return &applyinator.Instruction{
-		Name:       "wait-rancher-webhook",
+		Name:       "wait-system-upgrade-controller",
 		SaveOutput: true,
 		Args:       []string{"retry", kubectl.Command(k8sVersion), "-n", "cattle-system", "rollout", "status", "-w", "deploy/system-upgrade-controller"},
 		Env:        kubectl.Env(k8sVersion),