authorTheodore Ts'o <tytso@mit.edu>2023-07-06 17:28:12 -0400
committerTheodore Ts'o <tytso@mit.edu>2023-07-06 17:28:12 -0400
commit0d8453839cfd28d90589283a3d8257cdf96e645b (patch)
tree1ef9e4daac530675416209b29110a0400e250080
parent9c41c531404e286b6356ebdd627c76dcf3274a23 (diff)
downloadxfstests-bld-0d8453839cfd28d90589283a3d8257cdf96e645b.tar.gz
gce-xfstests: automatically renew certificates close to expiring
Factor out the certificate handling functionality to a new script, gce-setup-cert. This centralizes the creation of new x.509 certificates, as well as renewing certificates as they approach their renewal date. Before launching a new test VM, ltm server, or kcs server, if the certificates are nearing their expiration date, update the certificate automatically. Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rwxr-xr-xrun-fstests/gce-xfstests10
-rwxr-xr-xrun-fstests/util/gce-do-setup4
-rwxr-xr-xrun-fstests/util/gce-launch-kcs15
-rwxr-xr-xrun-fstests/util/gce-launch-ltm15
-rwxr-xr-xrun-fstests/util/gce-setup-cert84
-rwxr-xr-xtest-appliance/gce-create-image1
6 files changed, 101 insertions, 28 deletions
diff --git a/run-fstests/gce-xfstests b/run-fstests/gce-xfstests
index b85d39fb..187b3bab 100755
--- a/run-fstests/gce-xfstests
+++ b/run-fstests/gce-xfstests
@@ -1208,6 +1208,15 @@ elif test -n "$RUN_ON_KCS"; then
exit 0
fi
+cert_file="$DIR/.gce_xfstests_cert_$GCE_PROJECT.pem"
+expire_seconds=$((60 * 60 * 24 * 7))
+if test -f "$cert_file"
+ ! openssl x509 -enddate -noout -in "$cert_file" \
+ -checkend $expire_seconds >& /dev/null
+then
+ "$DIR/util/gce-setup-cert"
+fi
+
function launch_vm () {
echo "Launching $INSTANCE using $GCE_MACHTYPE..."
@@ -1229,6 +1238,7 @@ fi
"$IMAGE_FLAG" "$ROOT_FS"
err=$?
}
+
ERRFILE=/tmp/gce-xfstests-err-$$
RETRY_COUNTER=0
while true
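Review bot: In the new pre-launch check, `test -f "$cert_file"` sits on its own line and is not joined to the following `! openssl` line with `||` or `&&`, so its result is discarded and the `if` is decided by the openssl exit status alone; gce-setup-cert still gets called when the file is missing (openssl fails on a nonexistent input), but only by accident, and the dangling test will confuse the next reader. Making the intent explicit reads as "missing or expiring within a week": `if test ! -f "$cert_file" ||` followed by the existing `! openssl x509 -enddate -noout -in "$cert_file" -checkend "$expire_seconds" &>/dev/null`. If I read the two thresholds correctly, this 7-day window versus the 120-day CHECKENDSECS inside gce-setup-cert means the local copy is not refreshed after the bucket copy was renewed elsewhere until the local one is itself a week from expiry; a comment such as `# only refresh the local copy within a week of expiry; gce-setup-cert renews the bucket copy at 120 days` would record whether that is intended. This check is top-level script code, not inside a function.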
diff --git a/run-fstests/util/gce-do-setup b/run-fstests/util/gce-do-setup
index 077b7d99..076ca21e 100755
--- a/run-fstests/util/gce-do-setup
+++ b/run-fstests/util/gce-do-setup
@@ -281,10 +281,10 @@ unset rule rule_name
if [ "$1" == "--regenerate-ssl-cert" ]
then
echo "Regenerating certificate."
- REGEN_CERT="yes"
+ REGEN_OPTS="--force-regen"
fi
-gce_gen_cert
+$DIR/util/gce-setup-cert $REGEN_OPTS
gce_gen_ltm_pass
exit 0
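Review bot: `$DIR/util/gce-setup-cert $REGEN_OPTS` leaves `$DIR` unquoted, unlike the quoted `"$DIR/util/gce-setup-cert"` used by the other callers in this commit, and `REGEN_OPTS` is assigned only inside the `if`, so without `--regenerate-ssl-cert` it is whatever the environment happens to hold (and an error under `set -u`, should this script ever enable it). Initialising it with `REGEN_OPTS=` before the `if` and calling `"$DIR/util/gce-setup-cert" $REGEN_OPTS` keeps the call consistent; `$REGEN_OPTS` must stay unquoted so that an empty value passes no argument. The exit status of gce-setup-cert is also not checked here, so unless gce-do-setup runs under `set -e` (not visible in the hunk) a failed certificate setup is reported as success by the `exit 0` that follows.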
diff --git a/run-fstests/util/gce-launch-kcs b/run-fstests/util/gce-launch-kcs
index ec16e4e7..19c9faca 100755
--- a/run-fstests/util/gce-launch-kcs
+++ b/run-fstests/util/gce-launch-kcs
@@ -144,14 +144,6 @@ then
ARG="$ARG enable-oslogin-2fa=GCE_OSLOGIN_2FA"
fi
-if ! gsutil -q stat gs://$GS_BUCKET/gce-xfstests-cert.pem
-then
- echo "You do not have a generated SSL certificate in your GCS bucket."
- echo "It is not possible to communicate with the build server."
- echo "Please run gce-xfstests setup and then restart the build server."
- exit 1
-fi
-
if ! gsutil -q stat gs://$GS_BUCKET/gce_xfstests.config
then
echo "You must run gce-xfstests setup to upload a .config file"
@@ -159,6 +151,8 @@ then
exit 1
fi
+"$DIR/util/gce-setup-cert"
+
echo "Launching build server..."
touch $DIR/.kcs_instance_$GCE_PROJECT
LAUNCH_KCS_EXIT_STATUS=1
@@ -182,11 +176,6 @@ then
exit 1
fi
-if [ ! -f $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem ]
-then
- gsutil cat gs://$GS_BUCKET/gce-xfstests-cert.pem > $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem
-fi
-
echo "GCE_KCS_SERVER_CERT=$DIR/.gce_xfstests_cert_$GCE_PROJECT.pem" > $DIR/.kcs_instance_$GCE_PROJECT
echo "GCE_KCS_NAME=$INSTANCE" >> $DIR/.kcs_instance_$GCE_PROJECT
echo -n "GCE_KCS_EXT_IP=" >> $DIR/.kcs_instance_$GCE_PROJECT
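Review bot: The unconditional `"$DIR/util/gce-setup-cert"` that replaces the two removed guards does not check its exit status, so where the old code exited 1 with an explanation when no certificate was available, a failure inside gce-setup-cert (gsutil unable to reach the bucket, openssl absent) now lets the launch proceed and the later `echo "GCE_KCS_SERVER_CERT=..."` records a path that may not exist. Unless gce-launch-kcs runs under `set -e` (not visible in the hunk), `"$DIR/util/gce-setup-cert" || exit 1` restores the previous fail-fast behaviour. The same applies to the identical change in run-fstests/util/gce-launch-ltm.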
diff --git a/run-fstests/util/gce-launch-ltm b/run-fstests/util/gce-launch-ltm
index b4c39400..b6b0aa3a 100755
--- a/run-fstests/util/gce-launch-ltm
+++ b/run-fstests/util/gce-launch-ltm
@@ -135,14 +135,6 @@ then
ARG="$ARG enable-oslogin-2fa=GCE_OSLOGIN_2FA"
fi
-if ! gsutil -q stat gs://$GS_BUCKET/gce-xfstests-cert.pem
-then
- echo "You do not have a generated SSL certificate in your GCS bucket."
- echo "It is not possible to communicate with the LTM."
- echo "Please run gce-xfstests setup and then restart the LTM."
- exit 1
-fi
-
if ! gsutil -q stat gs://$GS_BUCKET/gce_xfstests.config
then
echo "You must run gce-xfstests setup to upload a .config file"
@@ -150,6 +142,8 @@ then
exit 1
fi
+"$DIR/util/gce-setup-cert"
+
echo "Launching LTM server..."
touch $DIR/.ltm_instance_$GCE_PROJECT
LAUNCH_LTM_EXIT_STATUS=1
@@ -172,11 +166,6 @@ then
exit 1
fi
-if [ ! -f $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem ]
-then
- gsutil cat gs://$GS_BUCKET/gce-xfstests-cert.pem > $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem
-fi
-
echo "GCE_LTM_SERVER_CERT=$DIR/.gce_xfstests_cert_$GCE_PROJECT.pem" > $DIR/.ltm_instance_$GCE_PROJECT
echo "GCE_LTM_NAME=$INSTANCE" >> $DIR/.ltm_instance_$GCE_PROJECT
echo -n "GCE_LTM_EXT_IP=" >> $DIR/.ltm_instance_$GCE_PROJECT
diff --git a/run-fstests/util/gce-setup-cert b/run-fstests/util/gce-setup-cert
new file mode 100755
index 00000000..fe72f28d
--- /dev/null
+++ b/run-fstests/util/gce-setup-cert
@@ -0,0 +1,84 @@
+#!/bin/bash -e
+
+XFSTESTS_FLAVOR=gce
+if test -n "$GCE_XFSTESTS_DIR"
+then
+ DIR="$GCE_XFSTESTS_DIR"
+else
+ DIR="$(dirname "$(dirname "$0")")"
+fi
+if test ! -f "$DIR/util/get-config"
+then
+ echo "$(basename "$0"): couldn't find $DIR/util/get-config"
+ exit 1
+fi
+
+FORCE_REGEN=
+FORCE_RENEW=
+UPDATE_COMBINED=
+EXPIRE_DAYS=365
+CHECKENDSECS=$((60 * 60 * 24 * 120))
+
+. "$DIR/util/get-config"
+
+while [ "$1" != "" ];
+do
+ case $1 in
+ --force-regen|--force-regenerate-certificates)
+ FORCE_REGEN=yes
+ ;;
+ --force-renew)
+ FORCE_RENEW=yes
+ ;;
+ --expire-days) shift
+ EXPIRE_DAYS="$1"
+ ;;
+ *)
+ echo "unknown option: $1"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+tmpdir=$(mktemp -d)
+if test -n "$FORCE_REGEN" ||
+ ! gsutil cp gs://$GS_BUCKET/gce-xfstests-cert.pem $tmpdir/ 2>/dev/null ||
+ ! gsutil cp gs://$GS_BUCKET/gce-xfstests-key.pem $tmpdir/ 2>/dev/null
+then
+ echo "Regenerating GCE certificate files"
+
+ openssl req -x509 -newkey rsa:4096 -keyout "$tmpdir/gce-xfstests-key.pem" \
+ -noenc -out "$tmpdir/gce-xfstests-cert.pem" -days $EXPIRE_DAYS \
+ -subj "/CN=*.$GCE_PROJECT.gce-xfstests"
+
+ UPDATE_COMBINED=yes
+else
+ if test -n "$FORCE_REGEN" ||
+ ! openssl x509 -enddate -noout -in $tmpdir/gce-xfstests-cert.pem \
+ -checkend $CHECKENDSECS >& /dev/null
+ then
+ echo "Certificates will expire soon, renewing"
+ openssl x509 -days 365 -in $tmpdir/gce-xfstests-cert.pem \
+ -signkey $tmpdir/gce-xfstests-key.pem \
+ -out $tmpdir/gce-xfstests-cert.pem.new
+ mv $tmpdir/gce-xfstests-cert.pem.new $tmpdir/gce-xfstests-cert.pem
+ UPDATE_COMBINED=yes
+ fi
+fi
+
+if test -n "$UPDATE_COMBINED" ||
+ ! gsutil -q stat gs://$GS_BUCKET/gce-xfstests-server.pem
+then
+ cat "$tmpdir/gce-xfstests-key.pem" "$tmpdir/gce-xfstests-cert.pem" \
+ > "$tmpdir/gce-xfstests-server.pem"
+
+ gsutil -m cp "$tmpdir/*" gs://$GS_BUCKET/
+fi
+if test -n "$UPDATE_COMBINED" -o \
+ ! -f $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem
+then
+ cp "$tmpdir/gce-xfstests-cert.pem" $DIR/.gce_xfstests_cert_$GCE_PROJECT.pem
+fi
+rm -rf "$tmpdir"
+
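Review bot: `--force-renew` has no effect: the renewal branch tests `if test -n "$FORCE_REGEN" ||`, but FORCE_REGEN is necessarily empty in that `else` arm, while FORCE_RENEW is set by the option parser and never read; the check should be `if test -n "$FORCE_RENEW" ||`. The renewal also hard-codes `openssl x509 -days 365` instead of `-days "$EXPIRE_DAYS"`, so `--expire-days` only applies to freshly generated certificates. Because the script runs with `-e` and the temporary directory holds the unencrypted private key, any failure after `mktemp -d` leaves that key on disk; a `trap 'rm -rf "$tmpdir"' EXIT` right after `tmpdir=$(mktemp -d)` covers every exit path and makes the trailing `rm -rf` redundant. Since `-e` lives on the shebang it is lost when the script is run as `bash gce-setup-cert`; `set -e` at the top of the body is the robust form. Note that `-noenc` is the OpenSSL 3.0 spelling; hosts still on OpenSSL 1.1 need `-nodes`.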
diff --git a/test-appliance/gce-create-image b/test-appliance/gce-create-image
index fe457708..f70a22ff 100755
--- a/test-appliance/gce-create-image
+++ b/test-appliance/gce-create-image
@@ -233,6 +233,7 @@ cp ../run-fstests/util/gce-kcs-funcs $kvm_xfs_dir/util/
cp ../run-fstests/util/gce-launch-kcs $kvm_xfs_dir/util/
cp ../run-fstests/util/gce-launch-ltm $kvm_xfs_dir/util/
cp ../run-fstests/util/gce-ltm-funcs $kvm_xfs_dir/util/
+cp ../run-fstests/util/gce-setup-cert $kvm_xfs_dir/util/
cp ../run-fstests/util/get-config $kvm_xfs_dir/util/
cp ../run-fstests/util/parse_cli $kvm_xfs_dir/util/
cp ../run-fstests/util/parse_opt_funcs $kvm_xfs_dir/util/