
Recert

A tool to regenerate all cryptographic objects in a cluster (both in the etcd database and in filesystem files) before it starts. It works by scanning the existing certificates, keys and JWTs, working out how they relate to each other (which key signed which certificate or token), and replacing them in an identical structure but with new, randomly generated keys and optional customizations.

Why

The motivation for creating this tool was the effort to allow users to install a Single Node OpenShift (SNO) cluster once in a lab, then copy its disk image for immediate deployment at many different sites. By running the tool during the first boot of a host from that image, the new cluster gets its own independent crypto, separate from every other cluster deployed from the same image.

Documentation

For more information see the design doc

Usage examples

Local Development

You need rust, protoc, podman, openssl, meld, and an IBU (image-based upgrade) seed image. Then put the pull secret for the seed image in ~/seed-pull-secret and run ./run_seed.sh <seed pullspec>

On Fedora, most of these can be installed with: sudo dnf install protobuf-compiler podman openssl meld

Run on a cluster

See sno-relocation-poc

Image build

export DOCKER_BUILDKIT=1
docker build . -t recert

TODO

TODO List
  • Remove the OLM package server hack
  • Convert from resource YAML to the etcd key-value key more gracefully
  • Find proof that the root-ca private key is actually missing
  • When shelling out to openssl to check whether cert A signed cert B, construct the command so that the A == B case does not yield a green result for a cert that is not self-signed
  • Fix all code TODO comments
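The scan, relate and regenerate flow described in the introduction, together with the "did cert A sign cert B?" check from the TODO list, as an added example that is not part of recert itself. It is written in Go rather than the project's Rust because Go's standard library carries X.509 issuance and verification without extra crates. All names here (certNode, issue, signedBy, sampleSeedPKI, regenerate, chainVerifies) and the three-certificate sample chain (root-ca, kube-apiserver-signer, kube-apiserver with the SAN api.example.internal) are constructed for this illustration and are assumptions, not recert's code or a real cluster's PKI. The code builds a small seed chain, rediscovers who signed whom by verifying signatures (so a non-self-signed CA compared with itself is correctly reported as not self-signed), re-issues every certificate with a fresh key in parent-before-child order while keeping subject, SANs, usages and validity, refuses to continue when a signer is missing from the set, and finally shows that the new chain verifies against the new root but not against the seed's root, which is the property that gives each copied image independent trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certNode is a certificate plus the private key stored next to it (a file or an etcd value).
type certNode struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key and signs tmpl for it with parent's key,
// or with the new key itself when parent is nil (a self-signed root).
func issue(tmpl *x509.Certificate, parent *certNode) (*certNode, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certNode{cert, key}, err
}

// signedBy answers "did parent sign child?" by verifying the signature, so with
// child == parent it is true only for a genuinely self-signed certificate.
func signedBy(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

// sampleSeedPKI builds a root CA -> signer CA -> API serving cert chain standing in
// for what recert finds in a seed image (constructed sample data; panics on failure).
func sampleSeedPKI() []*certNode {
	chain := []*certNode{nil} // chain[i] is the issuer of cert i; nil means self-signed
	for i, cn := range []string{"root-ca", "kube-apiserver-signer", "kube-apiserver"} {
		ca := i < 2
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if ca {
			tmpl.KeyUsage |= x509.KeyUsageCertSign
		} else {
			tmpl.DNSNames = []string{"api.example.internal"}
		}
		node, err := issue(tmpl, chain[i])
		if err != nil {
			panic(err)
		}
		chain = append(chain, node)
	}
	return []*certNode{chain[3], chain[2], chain[1]} // leaf, signer, root: not in issuance order on purpose
}

// regenerate gives every certificate a new key while keeping subject, SANs, usages and
// validity. Issuers are located by signature verification, not by name, and a parent is
// re-issued before its children so each new cert is signed by its new parent.
func regenerate(old []*certNode) ([]*certNode, error) {
	fresh := make([]*certNode, len(old))
	var regen func(i int) (*certNode, error)
	regen = func(i int) (*certNode, error) {
		if fresh[i] != nil {
			return fresh[i], nil
		}
		var parent *certNode // stays nil for a self-signed root
		var err error
		if !signedBy(old[i].Cert, old[i].Cert) {
			pi := -1
			for j := range old {
				if j != i && signedBy(old[i].Cert, old[j].Cert) {
					pi = j
				}
			}
			if pi < 0 {
				return nil, fmt.Errorf("no issuer in set for %q", old[i].Cert.Subject.CommonName)
			}
			if parent, err = regen(pi); err != nil { // issuer first, so we sign with its new key
				return nil, err
			}
		}
		tmpl := *old[i].Cert                                                    // copy carries subject, SANs, usages, validity
		tmpl.PublicKey, tmpl.SubjectKeyId, tmpl.AuthorityKeyId = nil, nil, nil // re-derived from the new keys
		fresh[i], err = issue(&tmpl, parent)
		return fresh[i], err
	}
	for i := range old {
		if _, err := regen(i); err != nil {
			return nil, err
		}
	}
	return fresh, nil
}

// chainVerifies checks leaf for the API hostname against the given trust root, as a client would.
func chainVerifies(leaf, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "api.example.internal"})
	return err == nil
}

func main() {
	seed := sampleSeedPKI()
	fresh, err := regenerate(seed)
	if err != nil {
		panic(err)
	}
	fmt.Println("new chain trusted by new root:", chainVerifies(fresh[0].Cert, fresh[1].Cert, fresh[2].Cert))
	fmt.Println("new chain trusted by seed root:", chainVerifies(fresh[0].Cert, fresh[1].Cert, seed[2].Cert))
}
```

Run it with go run. The etcd and filesystem plumbing, JWT re-signing and the customizations recert applies are out of scope here; the point is the ordering and the signature-based issuer discovery, which is also why regenerate fails loudly when handed a set whose signer is absent instead of silently producing a chain no root would trust.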

Contributors

omertuc, mresvanis, tsorya, carbonin, eranco74
