From f1c593f34fbd855923f07c9ccdaf6f8ce3360681 Mon Sep 17 00:00:00 2001
From: Brian Harring
Date: Thu, 24 Jan 2019 12:08:00 -0800
Subject: [PATCH 1/3] Add debug statement in command svcmgr to clarify that it's validating the action.

---
 svcmgr/command.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/svcmgr/command.go b/svcmgr/command.go
index 3dc8efef..8b03a2db 100644
--- a/svcmgr/command.go
+++ b/svcmgr/command.go
@@ -32,6 +32,7 @@ func newCommandManager(action string, service string) (Manager, error) {
 log.Warningf("svcmgr 'command': service '%s' for action '%s' doesn't do anything, ignoring", service, action)
 }
 if canCheckSyntax {
+ log.Debugf("svcmgr 'command': validating the action definition %s", action)
 err := run(shellBinary, "-n", "-c", action)
 if err != nil {
 return nil, fmt.Errorf("svcmgr 'command': action '%s' failed bash -n -c parse checks: %s", action, err)

From 2aa756e0fccee2123b80242dd2bfe83b4245eedb Mon Sep 17 00:00:00 2001
From: Brian Harring
Date: Thu, 24 Jan 2019 12:51:26 -0800
Subject: [PATCH 2/3] Add `certmgr ensure --forceRegen` to override lifespan checks, and force update.

This allows you to pre-emptively force a regen, without having to wipe the materials from disk first. This is useful for certain operational steps. It shouldn't default on, but it should be possible to override the internal calculation without removing PKI material from disk to force the run. From a development and debugging standpoint, this is also useful for when you're iterating on a spec's definition (action in particular) and need to force certmgr to run so you can validate it. Again, one can accomplish the same via wiping the cert/key from disk, but that's a crappy workflow and it has some operational risks that may not be desirable- for example, if the process has an inotify in place for tracking the key/cert.

---
 cert/cert.go | 7 ++++++-
 cli/ensure.go | 4 +++-
 mgr/manager.go | 8 +++++++-
 3 files changed, 16 insertions(+), 3 deletions(-)

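Review bot: The added Debugf prints the whole action with %s, so a multi-line or whitespace-heavy action definition is logged verbatim and its start and end are invisible in the log line; `log.Debugf("svcmgr 'command': validating the action definition %q", action)` quotes and escapes it so the exact string handed to the syntax check is unambiguous. Since the action is an arbitrary shell snippet taken from the spec, whatever it embeds ends up in the debug log; that is acceptable at debug level but a one-line comment above the call saying the full definition is logged on purpose would stop a later reader from "fixing" it. newCommandManager begins and ends outside this hunk.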
diff --git a/cert/cert.go b/cert/cert.go
index 6be93978..daa9c7da 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -419,12 +419,17 @@ func (spec *Spec) Lifespan() time.Duration {
 }
 if isTooOld(spec.Key.Path) || isTooOld(spec.Cert.Path) {
 // This is necessary to essentially force cfssl to regenerate since it's not spec aware.
- spec.tr.Provider.Certificate().NotAfter = specStat.ModTime()
+ spec.ResetLifespan()
 return 0
 }
 return spec.tr.Lifespan()
 }
 
+// Reset the lifespan to force cfssl to regenerate
+func (spec *Spec) ResetLifespan() {
+ spec.tr.Provider.Certificate().NotAfter = time.Time{}
+}
+
 // Certificate returns the x509.Certificate associated with the spec
 // if one exists.
 func (spec *Spec) Certificate() *x509.Certificate {
diff --git a/cli/ensure.go b/cli/ensure.go
index 3e715b02..caa1e068 100644
--- a/cli/ensure.go
+++ b/cli/ensure.go
@@ -9,6 +9,7 @@ import (
 
 var ensureTolerance = 3
 var enableActions = false
+var forceRegen = false
 
 var ensureCmd = &cobra.Command{
 Use: "ensure",
@@ -31,7 +32,7 @@ func Ensure(cmd *cobra.Command, args []string) {
 os.Exit(1)
 }
 
- err = mgr.MustCheckCerts(ensureTolerance, enableActions)
+ err = mgr.MustCheckCerts(ensureTolerance, enableActions, forceRegen)
 if err != nil {
 fmt.Fprintf(os.Stderr, "Failed: %s\n", err)
 os.Exit(1)
@@ -44,4 +45,5 @@ func init() {
 RootCmd.AddCommand(ensureCmd)
 ensureCmd.Flags().IntVarP(&ensureTolerance, "tries", "n", ensureTolerance, "number of times to retry refreshing a certificate")
 ensureCmd.Flags().BoolVarP(&enableActions, "enableActions", "", enableActions, "if passed, run the certificates svcmgr actions; defaults to not running them")
+ ensureCmd.Flags().BoolVarP(&forceRegen, "forceRegen", "", forceRegen, "if passed, ignore TTL checks and force regeneration of all specs")
 }
diff --git a/mgr/manager.go b/mgr/manager.go
index e14f9525..a1bccfbd 100644
--- a/mgr/manager.go
+++ b/mgr/manager.go
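Review bot: ResetLifespan dereferences spec.tr.Provider.Certificate() unconditionally, and unlike the old inline assignment it is now exported and reachable from outside the isTooOld guard; if Certificate() can return nil for a spec that has never been issued (not visible in this hunk), a --forceRegen run over such a spec would panic instead of regenerating, so a guard such as `if c := spec.tr.Provider.Certificate(); c != nil { c.NotAfter = time.Time{} }` is worth adding. The doc comment should also begin with the method name, e.g. `// ResetLifespan zeroes the provider certificate's NotAfter so cfssl treats the certificate as expired and reissues it.` Note that the isTooOld branch now sets NotAfter to the zero time rather than the file's ModTime, which is a wider change than the commit message describes and deserves a word in the comment above it. Lifespan's body starts before this hunk.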
@@ -325,7 +325,7 @@ func (m *Manager) CheckCertsSync() int {
 // MustCheckCerts acts like CheckCerts, except it's synchronous and
 // has a maxmimum number of failures that are tolerated. If tolerate
 // is less than 1, it will be set to 1.
-func (m *Manager) MustCheckCerts(tolerance int, enableActions bool) error {
+func (m *Manager) MustCheckCerts(tolerance int, enableActions bool, forceRegen bool) error {
 if tolerance < 1 {
 tolerance = 1
 }
@@ -344,6 +344,12 @@ func (m *Manager) MustCheckCerts(tolerance int, enableActions bool) error {
 log.Errorf("manager: the CA for %s has changed, but the service couldn't be notified of the change", m.Certs[i])
 }
 
+ if forceRegen {
+ log.Debugf("manager: forcing regeneration of spec %s", m.Certs[i])
+ m.Certs[i].ResetLifespan()
+ queue <- &queuedCert{cert: m.Certs[i]}
+ continue
+ }
 if !m.Certs[i].Ready() && !m.Certs[i].IsQueued() {
 queue <- &queuedCert{cert: m.Certs[i]}
 continue

From 190c1561b707331205ec67a4afaea8024c22c2e9 Mon Sep 17 00:00:00 2001
From: Brian Harring
Date: Thu, 24 Jan 2019 13:28:54 -0800
Subject: [PATCH 3/3] Release v1.6.3

---
 cli/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/version.go b/cli/version.go
index c1fd05aa..ef5e9209 100644
--- a/cli/version.go
+++ b/cli/version.go
@@ -8,7 +8,7 @@ import (
 "github.com/spf13/viper"
 )
 
-var currentVersion = "1.6.2"
+var currentVersion = "1.6.3"
 
 var versionCmd = &cobra.Command{
 Use: "version",
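Review bot: The doc comment directly above the changed signature still describes only tolerance and enableActions, so the new forceRegen parameter is undocumented at the one place callers look; add a sentence such as `// If forceRegen is true, every spec's lifespan is reset and it is queued for regeneration regardless of its Ready state.` While the comment is being touched, "maxmimum" on the second line could be corrected to "maximum".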
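Review bot: The forceRegen branch sends m.Certs[i] to queue without the !IsQueued() check that the branch right below it applies, so a spec already waiting in the queue is enqueued a second time and regenerated twice; `if forceRegen && !m.Certs[i].IsQueued() {` keeps the existing guard. This per-spec loop appears to sit inside the retry loop bounded by tolerance (the enclosing function starts before this hunk, so that is inferred, not visible): if so, every retry pass resets and re-queues all specs again, including those that just regenerated successfully, turning one forced run into up to tolerance regenerations and as many action executions when enableActions is set. Applying forceRegen only on the first pass, or clearing it once the specs have been queued, would bound that.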