Skip to content

Latest commit

 

History

History
58 lines (38 loc) · 1.89 KB

README.md

File metadata and controls

58 lines (38 loc) · 1.89 KB

Recert

A tool to regenerate all cryptographic objects in a cluster (both in the etcd database and filesystem files) before it starts. Works by scanning the existing certificates/keys/jwts, understanding how they relate, and replacing them in an identical structure, but with new randomly generated keys and optional customizations.

Why

The motivation for creating this tool was the effort to allow users to install a SNO cluster once in a lab, then copy its disk image for immediate deployment in many different sites. By running the tool during the first boot of a host from said image, the new cluster will then have its own independent crypto that is separate from other clusters deployed in the same manner.

Documentation

For more information see the design doc

Usage examples

Local Development

You need rust, protoc, podman, openssl, meld, and an IBU seed image. Then Set the pull secret for the seed image under ~/seed-pull-secret run ./run_seed.sh <seed pullspec>

On Fedora a lot of these can be installed using: sudo dnf install protobuf-compiler podman openssl meld

Run on a cluster

See sno-relocation-poc

Syncing assets to skip specific OpenShift rollouts

See hack/assets

Image build

export DOCKER_BUILDKIT=1
docker build . -t recert

TODO

TODO List
  • Remove OLM package server hack
  • Convert from resource YAML to etcd key-value key more gracefully
  • Find proof that root-ca private key is actually missing
  • When shelling out to openssl to check if cert A signed cert B, construct the command in such a way that if A == B, then it will not give a green result when said cert is not self signed
  • Fix all code TODO comments