on upgrade, set existing cluster certificates to renew every 90 days

2020-05-26 17:15:12 -05:00 · 2020-05-26 17:15:12 -05:00 · 5bc7c918f6
--- a/pkg/install/install.go
+++ b/pkg/install/install.go
@ -155,12 +155,10 @@ func (i *Installer) AdminUpgrade(ctx context.Context) error {
 		action(i.fixLBProbes),
 		action(i.fixPullSecret),
 		action(i.ensureGenevaLogging),
+		action(i.upgradeCertificates),
+		action(i.configureAPIServerCertificate),
+		action(i.configureIngressCertificate),
 		action(i.upgradeCluster),
-
-		// TODO: later could use this flow to refresh certificates
-		// action(i.createCertificates),
-		// action(i.configureAPIServerCertificate),
-		// action(i.configureIngressCertificate),
 	}

 	return i.runSteps(ctx, steps)
--- a/pkg/install/tls.go
+++ b/pkg/install/tls.go
@ -67,6 +67,31 @@ func (i *Installer) createCertificates(ctx context.Context) error {
 	return nil
 }

+func (i *Installer) upgradeCertificates(ctx context.Context) error {
+	if _, ok := i.env.(env.Dev); ok {
+		return nil
+	}
+
+	managedDomain, err := i.env.ManagedDomain(i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
+	if err != nil {
+		return err
+	}
+
+	if managedDomain == "" {
+		return nil
+	}
+
+	for _, c := range []string{i.doc.ID + "-apiserver", i.doc.ID + "-ingress"} {
+		i.log.Printf("upgrading certificate %s", c)
+		err = i.keyvault.UpgradeCertificatePolicy(ctx, i.env.ClustersKeyvaultURI(), c)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (i *Installer) ensureSecret(ctx context.Context, secrets coreclient.SecretInterface, certificateName string) error {
 	bundle, err := i.keyvault.GetSecret(ctx, i.env.ClustersKeyvaultURI(), certificateName, "")
 	if err != nil {
--- a/pkg/util/azureclient/keyvault/base.go
+++ b/pkg/util/azureclient/keyvault/base.go
@ -18,8 +18,9 @@ type BaseClient interface {
 	GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result keyvault.SecretBundle, err error)
 	GetCertificates(ctx context.Context, vaultBaseURL string, maxresults *int32, includePending *bool) (result keyvault.CertificateListResultPage, err error)
 	ImportCertificate(ctx context.Context, vaultBaseURL string, certificateName string, parameters keyvault.CertificateImportParameters) (result keyvault.CertificateBundle, err error)
-	SetCertificateIssuer(ctx context.Context, vaultBaseURL string, issuerName string, parameter keyvault.CertificateIssuerSetParameters) (result keyvault.IssuerBundle, err error)
 	SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters keyvault.SecretSetParameters) (result keyvault.SecretBundle, err error)
+	GetCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string) (result keyvault.CertificatePolicy, err error)
+	UpdateCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string, certificatePolicy keyvault.CertificatePolicy) (result keyvault.CertificatePolicy, err error)
 	BaseClientAddons
 }

--- a/pkg/util/keyvault/keyvault.go
+++ b/pkg/util/keyvault/keyvault.go
@ -37,6 +37,7 @@ type Manager interface {

 	CreateSignedCertificate(ctx context.Context, keyvaultURI string, issuer Issuer, certificateName, commonName string, eku Eku) error
 	EnsureCertificateDeleted(ctx context.Context, keyvaultURI, certificateName string) error
+	UpgradeCertificatePolicy(ctx context.Context, keyvaultURI, certificateName string) error
 	WaitForCertificateOperation(ctx context.Context, keyvaultURI, certificateName string) error
 }

@ -123,6 +124,27 @@ func (m *manager) WaitForCertificateOperation(ctx context.Context, keyvaultURI,
 	return err
 }

+func (m *manager) UpgradeCertificatePolicy(ctx context.Context, keyvaultURI, certificateName string) error {
+	policy, err := m.BaseClient.GetCertificatePolicy(ctx, keyvaultURI, certificateName)
+	if err != nil {
+		return err
+	}
+
+	policy.LifetimeActions = &[]keyvault.LifetimeAction{
+		{
+			Trigger: &keyvault.Trigger{
+				DaysBeforeExpiry: to.Int32Ptr(365 - 90),
+			},
+			Action: &keyvault.Action{
+				ActionType: keyvault.AutoRenew,
+			},
+		},
+	}
+
+	_, err = m.BaseClient.UpdateCertificatePolicy(ctx, keyvaultURI, certificateName, policy)
+	return err
+}
+
 func keyvaultError(err *keyvault.Error) string {
 	if err == nil {
 		return ""
--- a/pkg/util/mocks/azureclient/keyvault/keyvault.go
+++ b/pkg/util/mocks/azureclient/keyvault/keyvault.go
@ -80,6 +80,21 @@ func (mr *MockBaseClientMockRecorder) GetCertificateOperation(arg0, arg1, arg2 i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateOperation", reflect.TypeOf((*MockBaseClient)(nil).GetCertificateOperation), arg0, arg1, arg2)
 }

+// GetCertificatePolicy mocks base method
+func (m *MockBaseClient) GetCertificatePolicy(arg0 context.Context, arg1, arg2 string) (keyvault.CertificatePolicy, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetCertificatePolicy", arg0, arg1, arg2)
+	ret0, _ := ret[0].(keyvault.CertificatePolicy)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetCertificatePolicy indicates an expected call of GetCertificatePolicy
+func (mr *MockBaseClientMockRecorder) GetCertificatePolicy(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).GetCertificatePolicy), arg0, arg1, arg2)
+}
+
 // GetCertificates mocks base method
 func (m *MockBaseClient) GetCertificates(arg0 context.Context, arg1 string, arg2 *int32, arg3 *bool) (keyvault.CertificateListResultPage, error) {
 	m.ctrl.T.Helper()
@ -140,21 +155,6 @@ func (mr *MockBaseClientMockRecorder) ImportCertificate(arg0, arg1, arg2, arg3 i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImportCertificate", reflect.TypeOf((*MockBaseClient)(nil).ImportCertificate), arg0, arg1, arg2, arg3)
 }

-// SetCertificateIssuer mocks base method
-func (m *MockBaseClient) SetCertificateIssuer(arg0 context.Context, arg1, arg2 string, arg3 keyvault.CertificateIssuerSetParameters) (keyvault.IssuerBundle, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetCertificateIssuer", arg0, arg1, arg2, arg3)
-	ret0, _ := ret[0].(keyvault.IssuerBundle)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// SetCertificateIssuer indicates an expected call of SetCertificateIssuer
-func (mr *MockBaseClientMockRecorder) SetCertificateIssuer(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificateIssuer", reflect.TypeOf((*MockBaseClient)(nil).SetCertificateIssuer), arg0, arg1, arg2, arg3)
-}
-
 // SetSecret mocks base method
 func (m *MockBaseClient) SetSecret(arg0 context.Context, arg1, arg2 string, arg3 keyvault.SecretSetParameters) (keyvault.SecretBundle, error) {
 	m.ctrl.T.Helper()
@ -169,3 +169,18 @@ func (mr *MockBaseClientMockRecorder) SetSecret(arg0, arg1, arg2, arg3 interface
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockBaseClient)(nil).SetSecret), arg0, arg1, arg2, arg3)
 }
+
+// UpdateCertificatePolicy mocks base method
+func (m *MockBaseClient) UpdateCertificatePolicy(arg0 context.Context, arg1, arg2 string, arg3 keyvault.CertificatePolicy) (keyvault.CertificatePolicy, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateCertificatePolicy", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(keyvault.CertificatePolicy)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateCertificatePolicy indicates an expected call of UpdateCertificatePolicy
+func (mr *MockBaseClientMockRecorder) UpdateCertificatePolicy(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).UpdateCertificatePolicy), arg0, arg1, arg2, arg3)
+}