Merge "Update swanctl.conf cacerts w/ system-local-ca files"

2024-03-28 15:10:34 +00:00 · 2024-03-28 15:10:34 +00:00 · de9d380dc9
parent ecdb0d3b9f abef79e45f
commit de9d380dc9
3 changed files with 16 additions and 6 deletions
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
@ -98,7 +98,7 @@ class Client(object):
        message = {}

        puk1_data = utils.load_data(constants.TMP_PUK1_FILE)
-        puc_data = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
+        puc_data = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)

        LOG.info("Generate RSA Private Key (PRK2).")
        prk2 = self._generate_prk2()
@ -154,14 +154,16 @@ class Client(object):
                return False

            utils.save_data(constants.TMP_PUK1_FILE, key)
-            utils.save_data(constants.TRUSTED_CA_CERT_PATH, ca_cert)
+            utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
+            if self.op_code == constants.OP_CODE_INITIAL_AUTH:
+                utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)

        if self.state == State.STAGE_4:
            LOG.info("Received IPSec Auth CSR Response")
            cert = base64.b64decode(msg['cert'])
            digest = base64.b64decode(msg['hash'])

-            ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
+            ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)

            data = msg['cert'].encode('utf-8')
            if self.op_code == constants.OP_CODE_INITIAL_AUTH:
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
@ -172,7 +172,7 @@ class StrongswanPuppet(object):
        # swanctl.add_remote('id', 'CN=ipsec-*')
        swanctl.add_remote('id', 'CN=*')
        swanctl.add_remote('auth', 'pubkey')
-        swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILE)
+        swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILES)

        swanctl.add_node('mode', 'transport')
        swanctl.add_node('start_action', 'trap')
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
@ -24,9 +24,17 @@ NAMESPACE_DEPLOYMENT = 'deployment'
 CLUSTER_ISSUER_SYSTEM_LOCAL_CA = 'system-local-ca'
 SECRET_SYSTEM_LOCAL_CA = 'system-local-ca'

-TRUSTED_CA_CERT_FILE = 'system-local-ca.crt'
+# The system-local-ca certificates are stored by IPsec client
+# named w/ 0 or 1 in their names. The system-local-ca-0.crt file represents
+# the last tls certificate associated with system-local-ca,
+# while system-local-ca-1.crt file is the current certificate
+# associated with system-local-ca.
+TRUSTED_CA_CERT_FILE_0 = 'system-local-ca-0.crt'
+TRUSTED_CA_CERT_FILE_1 = 'system-local-ca-1.crt'
+TRUSTED_CA_CERT_FILES = TRUSTED_CA_CERT_FILE_0 + ',' + TRUSTED_CA_CERT_FILE_1
 TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'
-TRUSTED_CA_CERT_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE
+TRUSTED_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_0
+TRUSTED_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_1

 CERT_SYSTEM_LOCAL_DIR = '/etc/swanctl/x509/'
 CERT_SYSTEM_LOCAL_PRIVATE_DIR = '/etc/swanctl/private/'