
[yugabyte] certificates management #1186

Merged
barroco merged 1 commit into interuss:master from Orbitalize:yugabyte_certificates
Jun 3, 2025

Conversation

@the-glu (Contributor) commented May 7, 2025

This PR follows #1182.

It replaces the base scripts of the previous PR with a 'proper' Python script, now located in deploy/operation.

It supports pooling with multiple CA certificates and has been tested locally in a minikube cluster.

It's still missing support for external addresses in the certificate generation, but this shouldn't be something complex to add.

It provides some logging to explain what is being done. Examples:

New certificate set

./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default init
2025-05-07 20:17:49,607 do_init                   INFO     Initialization of a new cluster
2025-05-07 20:17:49,608 make_directories          INFO     Created directories
2025-05-07 20:17:49,608 generate_ca_config        INFO     Created CA configuration files and database
2025-05-07 20:17:49,842 generate_ca_key           INFO     Generated CA private key
2025-05-07 20:17:49,853 generate_ca_cert          INFO     Generated CA certificate 'SN=5704DDFA, O=generic-dss-organization, CN=CA.localpool'
2025-05-07 20:17:49,853 generate_client_config    INFO     Created client 'yugabytedb' configuration file
2025-05-07 20:17:50,372 generate_client_key       INFO     Generated client 'yugabytedb' private key
2025-05-07 20:17:50,383 generate_client_csr       INFO     Generated client 'yugabytedb' certificate request
2025-05-07 20:17:50,393 generate_client_cert      INFO     Generated client 'yugabytedb' certificate 'SN=01, O=generic-dss-organization, CN=client.yugabytedb'
2025-05-07 20:17:50,393 do_generate_nodes         INFO     Generation of nodes certificates
2025-05-07 20:17:50,393 generate_node_config      INFO     Created master #0 configuration file
2025-05-07 20:17:50,559 generate_node_key         INFO     Generated master #0 private key
2025-05-07 20:17:50,567 generate_node_csr         INFO     Generated master #0 certificate request
2025-05-07 20:17:50,575 generate_node_cert        INFO     Generated master #0 certificate 'SN=02, O=generic-dss-organization, CN=yb-master-0.yb-masters.default.svc.cluster.local'
2025-05-07 20:17:50,575 generate_node_config      INFO     Created master #1 configuration file
2025-05-07 20:17:50,849 generate_node_key         INFO     Generated master #1 private key
2025-05-07 20:17:50,856 generate_node_csr         INFO     Generated master #1 certificate request
2025-05-07 20:17:50,866 generate_node_cert        INFO     Generated master #1 certificate 'SN=03, O=generic-dss-organization, CN=yb-master-1.yb-masters.default.svc.cluster.local'
2025-05-07 20:17:50,866 generate_node_config      INFO     Created master #2 configuration file
2025-05-07 20:17:51,050 generate_node_key         INFO     Generated master #2 private key
2025-05-07 20:17:51,057 generate_node_csr         INFO     Generated master #2 certificate request
2025-05-07 20:17:51,066 generate_node_cert        INFO     Generated master #2 certificate 'SN=04, O=generic-dss-organization, CN=yb-master-2.yb-masters.default.svc.cluster.local'
2025-05-07 20:17:51,066 generate_node_config      INFO     Created tserver #0 configuration file
2025-05-07 20:17:51,606 generate_node_key         INFO     Generated tserver #0 private key
2025-05-07 20:17:51,623 generate_node_csr         INFO     Generated tserver #0 certificate request
2025-05-07 20:17:51,633 generate_node_cert        INFO     Generated tserver #0 certificate 'SN=05, O=generic-dss-organization, CN=yb-tserver-0.yb-tservers.default.svc.cluster.local'
2025-05-07 20:17:51,633 generate_node_config      INFO     Created tserver #1 configuration file
2025-05-07 20:17:52,075 generate_node_key         INFO     Generated tserver #1 private key
2025-05-07 20:17:52,084 generate_node_csr         INFO     Generated tserver #1 certificate request
2025-05-07 20:17:52,092 generate_node_cert        INFO     Generated tserver #1 certificate 'SN=06, O=generic-dss-organization, CN=yb-tserver-1.yb-tservers.default.svc.cluster.local'
2025-05-07 20:17:52,092 generate_node_config      INFO     Created tserver #2 configuration file
2025-05-07 20:17:52,464 generate_node_key         INFO     Generated tserver #2 private key
2025-05-07 20:17:52,474 generate_node_csr         INFO     Generated tserver #2 certificate request
2025-05-07 20:17:52,482 generate_node_cert        INFO     Generated tserver #2 certificate 'SN=07, O=generic-dss-organization, CN=yb-tserver-2.yb-tservers.default.svc.cluster.local'
2025-05-07 20:17:52,482 do_generate_nodes         INFO     All nodes certificates are ready
2025-05-07 20:17:52,483 add_cas                   INFO     Adding CA SN=5704DDFA, O=generic-dss-organization, CN=CA.localpool in the pool
2025-05-07 20:17:52,483 regenerate_ca_files       INFO     Regenerated CA files from the CA pool. Current pool hash: ChcVw-8H2pd
2025-05-07 20:17:52,483 do_init                   INFO     The new cluster certificates are ready! Don't forget to 'apply' the configuration.

Applying config

./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default apply
2025-05-07 20:18:17,744 do_apply                  INFO     Deleted old secret 'yb-master-yugabyte-tls-cert'
2025-05-07 20:18:17,807 do_apply                  INFO     Deleted old secret 'yb-tserver-yugabyte-tls-cert'
2025-05-07 20:18:17,869 do_apply                  INFO     Deleted old secret 'yugabyte-tls-client-cert'
2025-05-07 20:18:17,925 do_apply                  INFO     Deleted old secret 'dss.public.certs'
2025-05-07 20:18:17,987 do_apply                  INFO     Created secret 'yb-master-yugabyte-tls-cert'
2025-05-07 20:18:18,044 do_apply                  INFO     Created secret 'yb-tserver-yugabyte-tls-cert'
2025-05-07 20:18:18,102 do_apply                  INFO     Created secret 'yugabyte-tls-client-cert'
2025-05-07 20:18:18,168 do_apply                  INFO     Created secret 'dss.public.certs'

Creating a pool

./dss-certs.py --name localpool2 --cluster-context dss-local-cluster --namespace ns2 get-ca | ./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default add-pool-ca
2025-05-07 20:18:03,378 add_cas                   INFO     Adding CA SN=655DEE77, O=generic-dss-organization, CN=CA.localpool2 in the pool
2025-05-07 20:18:03,379 regenerate_ca_files       INFO     Regenerated CA files from the CA pool. Current pool hash: 97HGU-mx5aZ
./dss-certs.py --name localpool3 --cluster-context dss-local-cluster --namespace ns3 get-ca | ./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default add-pool-ca
2025-05-07 20:18:07,822 add_cas                   INFO     Adding CA SN=93A29296, O=generic-dss-organization, CN=CA.localpool3 in the pool
2025-05-07 20:18:07,823 regenerate_ca_files       INFO     Regenerated CA files from the CA pool. Current pool hash: ninaT-bAG17
./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default get-pool-ca | ./dss-certs.py --name localpool2 --cluster-context dss-local-cluster --namespace ns2 add-pool-ca
2025-05-07 20:18:10,946 add_cas                   INFO     Adding CA SN=5704DDFA, O=generic-dss-organization, CN=CA.localpool in the pool
2025-05-07 20:18:10,946 add_cas                   INFO     Adding CA SN=93A29296, O=generic-dss-organization, CN=CA.localpool3 in the pool
2025-05-07 20:18:10,946 add_cas                   INFO     CA SN=655DEE77, O=generic-dss-organization, CN=CA.localpool2 already present in the pool
2025-05-07 20:18:10,947 regenerate_ca_files       INFO     Regenerated CA files from the CA pool. Current pool hash: ninaT-bAG17
./dss-certs.py --name localpool --cluster-context dss-local-cluster --namespace default get-pool-ca | ./dss-certs.py --name localpool3 --cluster-context dss-local-cluster --namespace ns3 add-pool-ca
2025-05-07 20:18:13,777 add_cas                   INFO     Adding CA SN=5704DDFA, O=generic-dss-organization, CN=CA.localpool in the pool
2025-05-07 20:18:13,777 add_cas                   INFO     CA SN=93A29296, O=generic-dss-organization, CN=CA.localpool3 already present in the pool
2025-05-07 20:18:13,778 add_cas                   INFO     Adding CA SN=655DEE77, O=generic-dss-organization, CN=CA.localpool2 in the pool
2025-05-07 20:18:13,778 regenerate_ca_files       INFO     Regenerated CA files from the CA pool. Current pool hash: ninaT-bAG17
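
The CA pool behaviour visible in the logs above is worth seeing in code: each cluster's CA is added to the pool once, re-adding it is reported as already present, and the pool hash comes out identical (ninaT-bAG17 for localpool, localpool2 and localpool3) regardless of the order in which the CAs were added. The block below is an added example and is not the project's dss-certs.py. It assumes a pool keyed by the SHA-256 fingerprint of each CA's DER encoding and a pool hash computed over the sorted fingerprints; both are assumptions about how such a pool can be built, not a description of what the project does. The sample "certificates" (constructed_ca) are constructed placeholder bytes wrapped in PEM armour, not real X.509 certificates, so the example runs offline.

```python
"""CA pool merging with an order-independent pool hash (added example).

Hypothetical stand-alone illustration, not the dss-certs.py code.
A pool is a set of CA certificates identified by the SHA-256 fingerprint of
their DER encoding. Merging a bundle skips CAs already in the pool, and the
pool hash is computed over the sorted fingerprints, so the same set of CAs
yields the same hash whatever order they were added in.
"""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Matches every PEM certificate block in a bundle (whitespace-tolerant).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle: str) -> List[bytes]:
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """PEM-armour DER bytes with the usual 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def constructed_ca(name: str) -> str:
    """Constructed placeholder 'certificate' for the example (NOT real X.509 DER).

    Only the bytes' identity matters to the pool logic, so a labelled
    placeholder is enough to exercise merging and hashing offline.
    """
    return to_pem(b"constructed placeholder DER for CA." + name.encode())


class CAPool:
    """Set of trusted CAs keyed by DER fingerprint (assumed design)."""

    def __init__(self) -> None:
        self.cas: Dict[str, bytes] = {}  # fingerprint -> DER

    def add_cas(self, bundle: str) -> List[Tuple[str, str]]:
        """Merge every CA in `bundle`; return ('added'|'present', fingerprint) events."""
        events = []
        for der in split_pem_bundle(bundle):
            fp = fingerprint(der)
            if fp in self.cas:
                events.append(("present", fp))  # same CA re-added: no change
            else:
                self.cas[fp] = der
                events.append(("added", fp))
        return events

    def pool_hash(self) -> str:
        """Short identifier of the pool contents, independent of insertion order."""
        digest = hashlib.sha256("\n".join(sorted(self.cas)).encode()).digest()
        return base64.urlsafe_b64encode(digest)[:11].decode()

    def bundle(self) -> str:
        """Regenerated CA bundle (fingerprint order, so output is reproducible)."""
        return "".join(to_pem(self.cas[fp]) for fp in sorted(self.cas))


def exchange_demo() -> Tuple[str, str, int]:
    """Two pools built in different orders, then cross-fed: same hash, no duplicates."""
    ca1, ca2, ca3 = (constructed_ca(n) for n in ("localpool", "localpool2", "localpool3"))
    a = CAPool()
    a.add_cas(ca1)
    a.add_cas(ca2)
    a.add_cas(ca3)
    b = CAPool()
    b.add_cas(ca3)
    b.add_cas(ca1)
    b.add_cas(a.bundle())  # like 'get-pool-ca | add-pool-ca': adds ca2, reports ca1/ca3 present
    return a.pool_hash(), b.pool_hash(), len(b.cas)


if __name__ == "__main__":
    print(exchange_demo())
```

Keying the pool on the fingerprint of the DER bytes rather than on subject or serial is deliberate: two distinct CA certificates can share a subject, and serial numbers are only unique per issuer, so a fingerprint is the one identifier that cannot collide across independently generated CAs.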

@the-glu the-glu requested a review from barroco May 7, 2025 18:31
@barroco barroco force-pushed the yugabyte_certificates branch 2 times, most recently from aab5a18 to 394bdae May 30, 2025 12:49
@barroco (Contributor) left a comment

@the-glu, thanks for this contribution. I did a first pass.

@the-glu the-glu force-pushed the yugabyte_certificates branch from b9da958 to 33d7342 June 2, 2025 09:02
@barroco barroco changed the title from "Yugabyte: certificates" to "[yugabyte certificates" Jun 3, 2025
@barroco barroco changed the title from "[yugabyte certificates" to "[yugabyte] certificates management" Jun 3, 2025
@barroco barroco merged commit 6d2b1e6 into interuss:master Jun 3, 2025
10 checks passed

2 participants