[pmg-devel] [PATCH pmg-api 0/6] add mechanism to update certificate fingerprints in cluster

Stoiko Ivanov s.ivanov at proxmox.com
Mon Mar 15 23:01:29 CET 2021


Currently PMG's cluster synchronization relies mostly on rsync+ssh, but
does fetch some information via API call.
Whenever one of the nodes in a cluster changes its api-certificate the
cluster-synchronization breaks (see [0]).

This series addresses the issue by adding an api-call (proxied to master),
which connects to all nodes defined in the cluster via `ssh` and fetches
the current api-certificate fingerprint (by running `openssl x509`) and
updates the cluster.conf.
All nodes in the cluster sync the config (via rsync) at the beginning of
each synchronization and thus will eventually get the updated fingerprint,
before trying to connect to another node via API (with pinned certificate
fingerprint).

The last patch is the addition of that mechanism to the new PMG certificate
management series by Wolfgang.

[0]
https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/post-207669

Stoiko Ivanov (6):
  cluster: refactor rsync_command
  cluster: add helper to get remote cert fingerprint
  api: cluster: add update-fingerprints call
  cluster: add trigger_update_fingerprints
  pmgcm: add trigger-update-fingerprint
  api: certificates: trigger fingerprint update

 src/PMG/API2/Certificates.pm |  6 ++++
 src/PMG/API2/Cluster.pm      | 40 +++++++++++++++++++++++
 src/PMG/CLI/pmgcm.pm         | 21 +++++++++++++
 src/PMG/Cluster.pm           | 61 ++++++++++++++++++++++++++++++++++--
 4 files changed, 125 insertions(+), 3 deletions(-)

-- 
2.20.1
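The fingerprint refresh described in the cover letter, as an added illustration that is not part of this patch series or of PMG's own Perl code: it computes the same colon-separated SHA-256 fingerprint that `openssl x509 -noout -fingerprint -sha256` prints and then reconciles a cluster.conf-style node map with freshly fetched values. The PEM blob, the `node -> fingerprint` dict shape, and the rule that unreachable nodes keep their old pinned value are assumptions made for the example; the ssh round trip to each node is replaced by a local computation.

```python
import base64
import hashlib
import re

# Constructed PEM-like blob standing in for one node's API certificate.
# A fingerprint is a hash over the DER bytes, so the demonstration does
# not need a real, parseable certificate (assumption for this example).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw
7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(pem: str) -> str:
    """Uppercase hex pairs joined by ':', the format openssl x509 -fingerprint uses."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def update_fingerprints(cluster: dict, fetched: dict) -> list:
    """Reconcile pinned fingerprints with freshly fetched ones.

    `cluster` maps node name -> fingerprint currently pinned in cluster.conf,
    `fetched` maps node name -> fingerprint just read from that node.
    Entries are rewritten only when they differ; nodes absent from `fetched`
    (e.g. unreachable) keep their old value (assumed behaviour). Returns the
    names of nodes whose pinned fingerprint changed, in iteration order.
    """
    changed = []
    for name, fingerprint in fetched.items():
        if name in cluster and cluster[name] != fingerprint:
            cluster[name] = fingerprint
            changed.append(name)
    return changed
```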
