This commit adds IPsec Cert-Renewal implementation to work
properly when specified by "--opcode" parameter in IPsec
client execution.

This implementation adds to IPsec client a rekey step after
the generated keys and cert are stored and exchanged during
cert-renewal operation. The main goal of this implementation
is to provide new certificates and keys for an IPsec client
host that has already been authenticated by IPsec server host.

Test Plan:
PASS: Full build, system install, bootstrap and unlock DX system w/
unlocked enabled available status.
PASS: Execute "ipsec-client pxecontroller --opcode 2" in controller-1.
Observe the previously created CertificateRequest was deleted and
a new one was generated for controller-1's node. The new certificate
is sent to IPsec Client and stored with the swanctl rekey command
executed successfully.
PASS: In a DC system with available enabled active status with IPsec
server being executed from controller-0. Change c0 and c1 dates
to expire IPsec certificates. If needed, recover kubernetes
certificates or pods. Execute "sudo ipsec-client pxecontroller
-o 2" command from controller-0 and controller-1. Observe that
certificates and keys were generated and stored in /etc/swanctl/
directory. Observe new SAs have been created between controllers
by executing "sudo swanctl --list-sas" command.

Story: 2010940
Task: 49656
Change-Id: I69383005c2e204fe0a6401b2efaf05e8754f2bc3
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>