fix(certs): auto-install ca retrieved from rancher #33

Merged: 3 commits, Dec 6, 2023

starbops
Member

@starbops starbops commented Oct 12, 2023

Add the following two items to the existing joining plan of rancherd:

  • File: the CA cert downloaded from the embedded Rancher Manager (the endpoint is https://<VIP/FQDN>/cacerts)
  • Instruction: update-ca-certificates command

During the Harvester bootstrap, rancherd will process the plan, try to get the CA cert, and update the system's trust list.

Related issue: harvester/harvester#4603

Signed-off-by: Zespre Chang <zespre.chang@suse.com>
Signed-off-by: Zespre Chang <zespre.chang@suse.com>
Signed-off-by: Zespre Chang <zespre.chang@suse.com>
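
One check that could sit between the download from `/cacerts` and the `update-ca-certificates` step, as an added example in Go that is not part of this PR or of rancherd: confirm the payload is a single parseable CA certificate and that its SHA-256 fingerprint matches a value obtained out of band. The names `verifyCA`, `sampleCert` and `pin` are hypothetical, and the sample certificate is generated at run time as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyCA (hypothetical helper) vets a PEM payload such as a /cacerts body before it
// becomes a trust anchor; pin is the lowercase hex SHA-256 of the DER, obtained out of band.
func verifyCA(pemBytes []byte, pin string) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("payload has no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
	}
	if fmt.Sprintf("%x", sha256.Sum256(block.Bytes)) != pin {
		return fmt.Errorf("fingerprint does not match the pinned value")
	}
	return nil
}

// sampleCert builds a throwaway self-signed certificate and its fingerprint (constructed input).
func sampleCert(isCA bool) ([]byte, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), fmt.Sprintf("%x", sha256.Sum256(der))
}

func main() {
	pemBytes, fp := sampleCert(true)
	fmt.Println("pinned:", verifyCA(pemBytes, fp), "| wrong pin:", verifyCA(pemBytes, "00"))
}
```

Only the first PEM block in the payload is examined, so a bundle with several certificates would need the check repeated per block.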
Contributor

@ibrokethecloud ibrokethecloud left a comment

LGTM. thanks.

Can confirm that the ssl cert is downloaded and pulled into the ca store

node2:/etc/pki/trust/anchors # ls -alrt
total 12
drwxr-xr-x 4 root root 4096 Apr  8  2021 ..
-rw-r--r-- 1 root root  664 Dec  4 01:47 embedded-rancher-ca.pem
drwxr-xr-x 2 root root 4096 Dec  4 01:47 .
node2:/etc/pki/trust/anchors # more embedded-rancher-ca.pem

node2:/var/lib/ca-certificates/pem # ls -alrt
total 616
-r--r--r-- 1 root root   664 Dec  4 01:47 dynamiclistener-ca_1701653577.pem

Member

@bk201 bk201 left a comment

LGTM

@bk201 bk201 merged commit 1ae847b into rancher:harvester-dev Dec 6, 2023
1 check passed