
Commit d2b5dc4

committed
<fix>[kvm]: update TLS certs via kvmagent on host reconnect
Resolves: ZSTAC-83696 Change-Id: I368cc5af8fb3d553bedc3be5d031015719e68ddc
1 parent e2e0f8f commit d2b5dc4

3 files changed

Lines changed: 88 additions & 0 deletions


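--- a/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java
+++ b/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java
@@ -455,6 +455,23 @@ public void setFailedInterfaceNames(List<String> failedInterfaceNames) {
 public static class HostFactCmd extends AgentCommand {
 }
 
+public static class UpdateTlsCertCmd extends AgentCommand {
+private String caCert;
+@NoLogging
+private String caKey;
+private String certIps;
+
+public String getCaCert() { return caCert; }
+public void setCaCert(String caCert) { this.caCert = caCert; }
+public String getCaKey() { return caKey; }
+public void setCaKey(String caKey) { this.caKey = caKey; }
+public String getCertIps() { return certIps; }
+public void setCertIps(String certIps) { this.certIps = certIps; }
+}
+
+public static class UpdateTlsCertResponse extends AgentResponse {
+}
+
 public static class HostFactResponse extends AgentResponse {
 @GrayVersion(value = "5.0.0")
 private String osDistribution;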
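Review bot: UpdateTlsCertCmd ships the CA private key in `caKey`, yet the class carries no documentation of what its fields mean or how `certIps` is formatted, which matters because the agent has to parse it. I would add a class Javadoc along the lines of `/** Asks kvmagent to (re)issue the libvirt TLS certificates. certIps is a comma-separated list of host IPs (management IP plus extra IPs) as assembled in KVMHost; caKey is the CA private key and must stay @NoLogging. */`. Since `getCaKey()` is a plain getter, any debug dump of the command that bypasses the logging annotation may still expose the key, so the Javadoc is also the place to say that.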

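--- a/plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java
+++ b/plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java
@@ -81,6 +81,7 @@ public interface KVMConstant {
 String KVM_DELETE_CONSOLE_FIREWALL_PATH = "/vm/console/deletefirewall";
 String KVM_UPDATE_HOST_OS_PATH = "/host/updateos";
 String KVM_HOST_UPDATE_DEPENDENCY_PATH = "/host/updatedependency";
+String KVM_UPDATE_TLS_CERT_PATH = "/host/updateTlsCert";
 String HOST_SHUTDOWN = "/host/shutdown";
 String HOST_REBOOT = "/host/reboot";
 String HOST_UPDATE_SPICE_CHANNEL_CONFIG_PATH = "/host/updateSpiceChannelConfig";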

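--- a/plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java
+++ b/plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java
@@ -33,6 +33,7 @@
 import org.zstack.core.db.SQLBatch;
 import org.zstack.core.db.SimpleQuery;
 import org.zstack.core.db.SimpleQuery.Op;
+import org.zstack.core.jsonlabel.JsonLabel;
 import org.zstack.core.thread.*;
 import org.zstack.core.timeout.ApiTimeoutManager;
 import org.zstack.core.timeout.TimeHelper;
@@ -195,6 +196,7 @@ public class KVMHost extends HostBase implements Host {
 private String checkSnapshotPath;
 private String mergeSnapshotPath;
 private String hostFactPath;
+private String updateTlsCertPath;
 private String hostCheckFilePath;
 private String attachIsoPath;
 private String detachIsoPath;
@@ -328,6 +330,10 @@ public KVMHost(KVMHostVO self, KVMHostContext context) {
 ub.path(KVMConstant.KVM_HOST_FACT_PATH);
 hostFactPath = ub.build().toString();
 
+ub = UriComponentsBuilder.fromHttpUrl(baseUrl);
+ub.path(KVMConstant.KVM_UPDATE_TLS_CERT_PATH);
+updateTlsCertPath = ub.build().toString();
+
 ub = UriComponentsBuilder.fromHttpUrl(baseUrl);
 ub.path(KVMConstant.KVM_HOST_CHECK_FILE_PATH);
 hostCheckFilePath = ub.build().toString();
@@ -6025,6 +6031,70 @@ public void fail(ErrorCode errorCode) {
 
 flow(createCollectHostFactsFlow(info));
 
+flow(new NoRollbackFlow() {
+String __name__ = "update-tls-certs-if-needed";
+
+@Override
+public boolean skip(Map data) {
+return CoreGlobalProperty.UNIT_TEST_ON
+|| !KVMGlobalConfig.LIBVIRT_TLS_ENABLED.value(Boolean.class);
+}
+
+@Override
+public void run(FlowTrigger trigger, Map data) {
+String managementIp = getSelf().getManagementIp();
+String extraIps = HostSystemTags.EXTRA_IPS.getTokenByResourceUuid(
+self.getUuid(), HostSystemTags.EXTRA_IPS_TOKEN);
+
+List<String> allIps = new ArrayList<>();
+allIps.add(managementIp);
+if (extraIps != null && !extraIps.isEmpty()) {
+for (String ip : extraIps.split(",")) {
+String trimmed = ip.trim();
+if (!trimmed.isEmpty() && !allIps.contains(trimmed)) {
+allIps.add(trimmed);
+}
+}
+}
+
+String certIps = String.join(",", allIps);
+
+String caCert = new JsonLabel().get("libvirtTLSCA", String.class);
+String caKey = new JsonLabel().get("libvirtTLSPrivateKey", String.class);
+if (caCert == null || caKey == null) {
+logger.warn("TLS CA cert/key not found in database, skipping cert update");
+trigger.next();
+return;
+}
+
+UpdateTlsCertCmd cmd = new UpdateTlsCertCmd();
+cmd.setCaCert(caCert);
+cmd.setCaKey(caKey);
+cmd.setCertIps(certIps);
+
+new Http<>(updateTlsCertPath, cmd, UpdateTlsCertResponse.class)
+.call(new ReturnValueCompletion<UpdateTlsCertResponse>(trigger) {
+@Override
+public void success(UpdateTlsCertResponse ret) {
+if (!ret.isSuccess()) {
+logger.warn(String.format("Failed to update TLS certs on host[uuid:%s]: %s",
+self.getUuid(), ret.getError()));
+}
+// cert update failure should not block reconnect
+trigger.next();
+}
+
+@Override
+public void fail(ErrorCode errorCode) {
+logger.warn(String.format("Failed to update TLS certs on host[uuid:%s]: %s",
+self.getUuid(), errorCode));
+// cert update failure should not block reconnect
+trigger.next();
+}
+});
+}
+});
+
 if (info.isNewAdded()) {
 flow(new NoRollbackFlow() {
 String __name__ = "check-qemu-libvirt-version";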
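Review bot: In run() of the "update-tls-certs-if-needed" flow the CA private key read from the `libvirtTLSPrivateKey` label is sent to the host on every reconnect, because skip() only checks LIBVIRT_TLS_ENABLED and nothing on the management side decides whether an update is actually needed; the result is that every KVM host holds the cluster's CA signing key, so one compromised host can mint certificates trusted by all the others. If the agent only needs a host certificate, signing it on the management server and shipping only the host cert/key would keep the CA key off the hosts; worth confirming what kvmagent does with `caKey`. Both success() and fail() only log a warning and call trigger.next(), so a host whose certificate update failed reconnects as healthy with no record beyond the log line; consider surfacing the failure (for example through a host system tag or an event) so operators can detect hosts running with stale TLS material. Minor: `new JsonLabel()` is constructed twice, and a single `JsonLabel label = new JsonLabel();` reused for both lookups reads more clearly. The enclosing flow-chain method starts and ends outside this hunk.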
