Do not re-issue certificates on clusters (#2217)

scripts/cluster/agent.py

@@ -24,6 +24,7 @@ from .common.utils import (
     get_cluster_agent_port,
     try_initialise_cni_autodetect_for_clustering,
     service,
+    mark_no_cert_reissue,
 )
 
 from flask import Flask, jsonify, request, Response
@@ -319,6 +320,8 @@ def join_node_etcd():
     else:
         kubelet_args = read_kubelet_args_file()
 
+    mark_no_cert_reissue()
+
     return jsonify(
         ca=ca,
         etcd=etcd_ep,
@@ -608,6 +611,7 @@ def join_node_dqlite():
     cluster_cert, cluster_key = get_cluster_certs()
     # Make sure calico can autodetect the right interface for packet routing
     try_initialise_cni_autodetect_for_clustering(node_addr, apply_cni=True)
+    mark_no_cert_reissue()
 
     return jsonify(
         ca=get_cert("ca.crt"),

scripts/cluster/common/utils.py

@@ -276,3 +276,25 @@ def service(operation, service_name):
         subprocess.check_call(
             "snapctl {} microk8s.daemon-{}".format(operation, service_name).split()
         )
+
+
+def mark_no_cert_reissue():
+    """
+    Mark a node as being part of a cluster that should not re-issue certs
+    on network changes
+    """
+    snap_data = os.environ.get("SNAP_DATA")
+    lock_file = "{}/var/lock/no-cert-reissue".format(snap_data)
+    open(lock_file, "a").close()
+    os.chmod(lock_file, 0o700)
+
+
+def unmark_no_cert_reissue():
+    """
+    Unmark a node as being part of a cluster. The node should now re-issue certs
+    on network changes
+    """
+    snap_data = os.environ.get("SNAP_DATA")
+    lock_file = "{}/var/lock/no-cert-reissue".format(snap_data)
+    if os.path.exists(lock_file):
+        os.unlink(lock_file)

scripts/cluster/join.py

@@ -25,6 +25,8 @@ from common.utils import (
     get_cluster_agent_port,
     try_initialise_cni_autodetect_for_clustering,
     service,
+    mark_no_cert_reissue,
+    unmark_no_cert_reissue,
 )
 
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@@ -324,9 +326,10 @@ def store_remote_ca(ca):
     try_set_file_permissions(ca_cert_file)
 
 
-def mark_cluster_node():
+def mark_worker_node():
     """
-    Mark a node as being part of a cluster by creating a var/lock/clustered.lock
+    Mark a node as being part of a cluster not running the control plane
+    by creating a var/lock/clustered.lock
     """
     lock_file = "{}/var/lock/clustered.lock".format(snapdata_path)
     open(lock_file, "a").close()
@@ -397,6 +400,8 @@ def reset_current_etcd_installation():
             time.sleep(5)
             waits -= 1
 
+    unmark_no_cert_reissue()
+
 
 def reset_current_dqlite_installation():
     """
@@ -499,6 +504,7 @@ def reset_current_dqlite_installation():
             time.sleep(5)
             waits -= 1
     print(" ")
+    unmark_no_cert_reissue()
     restart_all_services()
 
 
@@ -981,6 +987,7 @@ def join_dqlite(connection_parts, verify=False):
     # We want to update the local CNI yaml but we do not want to apply it.
     # The cni is applied already in the cluster we join
     try_initialise_cni_autodetect_for_clustering(master_ip, apply_cni=False)
+    mark_no_cert_reissue()
 
 
 def join_etcd(connection_parts, verify=True):
@@ -1003,7 +1010,8 @@ def join_etcd(connection_parts, verify=True):
     update_flannel(info["etcd"], master_ip, master_port, token)
     update_kubeproxy(info["kubeproxy"], info["ca"], master_ip, info["apiport"], hostname_override)
     update_kubelet(info["kubelet"], info["ca"], master_ip, info["apiport"])
-    mark_cluster_node()
+    mark_worker_node()
+    mark_no_cert_reissue()
 
 
 if __name__ == "__main__":