125 lines
3.8 KiB
Bash
125 lines
3.8 KiB
Bash
#!/bin/bash
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# Copyright (c) 2024 Wind River Systems, Inc.
|
|
#
|
|
|
|
#
|
|
# This script checks validation of IPsec certificates, and call
|
|
# ipsec-client to renew them if necessary.
|
|
#
|
|
|
|
# Renew certificates 15 days before expiration
|
|
declare -r CUTOFF_DAYS=15
|
|
declare -r CUTOFF_DAYS_S=$((${CUTOFF_DAYS}*24*3600))
|
|
|
|
NAME=$(basename $0)
|
|
KUBE_CONFIG=/etc/kubernetes/admin.conf
|
|
IPSEC_CERT_DIR=/etc/swanctl/x509
|
|
IPSEC_CERT_PATH="$IPSEC_CERT_DIR/system-ipsec-certificate-${HOSTNAME}.crt"
|
|
#IPSEC_CERT_PATH="$IPSEC_CERT_DIR/system-ipsec-certificate-${HOSTNAME}.crt-fake"
|
|
ERR_CA=0
|
|
ERR_CERT=0
|
|
ERR_RENEW=0
|
|
RENEWAL_REQUIRED=0
|
|
|
|
# Log info message to /var/log/cron.log
|
|
function LOG_info {
|
|
logger -p cron.info -t "${NAME}($$): " "${@}"
|
|
}
|
|
|
|
# Log error message to /var/log/cron.log
|
|
function LOG_error {
|
|
logger -p cron.error -t "${NAME}($$): " "${@}"
|
|
}
|
|
|
|
# Retrieve a certificate's valid time by openssl
|
|
time_left_s_by_openssl() {
|
|
local time_left_s=""
|
|
local exp_date=""
|
|
exp_date=$(openssl x509 -in "$1" -enddate -noout| awk -F"=" '{print $2}')
|
|
if [ "x${exp_date}" != "x" ]; then
|
|
exp_date_s=$(date -d "${exp_date}" +%s)
|
|
current_date_s=$(date +%s)
|
|
time_left_s=$((${exp_date_s}-${current_date_s}))
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Check if the trusted CA cert is consistent with system-local-ca
|
|
# in kubernetes. If it's not consistent, call ipsec-client to renew.
|
|
# This is for cases such as a node is offline and misses a system-local-ca
|
|
# update.
|
|
|
|
# Retrieve the serial number of system-local-ca cert.
|
|
if [ ${ERR_CA} -eq 0 ]; then
|
|
serial_in_secret=$(kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret system-local-ca -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -serial)
|
|
|
|
if [ "x${serial_in_secret}" = "x" ]; then
|
|
LOG_error "Failed to retrieve system-local-ca from secret."
|
|
ERR_CA=1
|
|
fi
|
|
fi
|
|
|
|
# Retrieve the serial number of the IPsec trusted CA cert.
|
|
if [ ${ERR_CA} -eq 0 ]; then
|
|
serial_in_file=$(openssl x509 -in /etc/swanctl/x509ca/system-local-ca.crt -noout -serial)
|
|
|
|
if [ "x${serial_in_file}" = "x" ]; then
|
|
LOG_error "Failed to retrieve serial number from CA cert file."
|
|
ERR_CA=1
|
|
fi
|
|
fi
|
|
|
|
# Compare to decide if they are consistent.
|
|
if [ ${ERR_CA} -eq 0 ]; then
|
|
if [ "${serial_in_secret}" != "${serial_in_file}" ]; then
|
|
LOG_info "IPsec trusted CA is diverse from system-local-ca."
|
|
RENEWAL_REQUIRED=1
|
|
fi
|
|
fi
|
|
|
|
# Check if it's time to renew IPsec certificate.
|
|
if [ ${ERR_CERT} -eq 0 ]; then
|
|
time_left_s=$(time_left_s_by_openssl "${IPSEC_CERT_PATH}")
|
|
if [ $? -ne 0 ]; then
|
|
LOG_error "Failed to retrieve expiry date from ${IPSEC_CERT_PATH}"
|
|
ERR_CERT=1
|
|
fi
|
|
fi
|
|
|
|
if [ ${ERR_CERT} -eq 0 ]; then
|
|
if [ "${time_left_s}" -lt "${CUTOFF_DAYS_S}" ]; then
|
|
LOG_info "IPsec certificate will expire in ${time_left_s}s, will be renewed."
|
|
RENEWAL_REQUIRED=1
|
|
fi
|
|
fi
|
|
|
|
# Call ipsec-client to renew IPsec certificates if trusted CA and/or
|
|
# IPsec cert renewal is required.
|
|
if [ $RENEWAL_REQUIRED -eq 1 ]; then
|
|
ipsec-client -o 2 pxecontroller
|
|
if [ $? -ne 0 ]; then
|
|
LOG_error "ipsec-client failed to renew IPsec certificates."
|
|
ERR_RENEW=1
|
|
else
|
|
LOG_info "IPsec certificate successfully renewed."
|
|
fi
|
|
else
|
|
if [ ${ERR_CA} -ne 0 ] || [ ${ERR_CERT} -ne 0 ]; then
|
|
ERR_RENEW=1
|
|
fi
|
|
fi
|
|
|
|
# Raise alarm if anyting goes wrong.
|
|
if [ ${ERR_RENEW} -ne 0 ]; then
|
|
/usr/local/bin/fmClientCli -c "### ###250.004###set###host###host=${HOSTNAME}### ###major###IPsec certificates renewal failed.###operational-violation### ###Check cron.log and ipsec-auth.log, fix the issue and rerun $NAME.### ### ###"
|
|
else
|
|
/usr/local/bin/fmClientCli -A "250.004" &> /dev/null
|
|
if [ $? -eq 0 ]; then
|
|
/usr/local/bin/fmClientCli -d "###250.004###host=${HOSTNAME}###"
|
|
fi
|
|
fi
|