Forward port RPC credentials rotation on upgrade #2595
Conversation
Does this need to go to 8.0.x too? 7.0 -> 9.0 isn't possible with an HA config, based on my understanding.
Code looks reasonable -- but I'm not familiar with the original patches.
Testing?
lib/blob/fs/fs.go (outdated)
if path == "" { | ||
return nil, trace.BadParameter("missing Path parameter") | ||
// New creates a new instance of the local fs blob service | ||
// rooted as the given path |
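Review bot: the only validation on `path` is the empty check; since the comment describes the service as rooted at that path, state whether a relative path is accepted, or normalize it (for example with filepath.Abs) before use so the root does not silently change with the process working directory.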
// rooted as the given path | |
// rooted at the given path |
return p.HostLocalBackend.SetServiceUser(p.ServiceUser.OSUser()) | ||
} | ||
|
||
func (p *updatePhaseBootstrap) pullSystemUpdates(ctx context.Context) error { |
`ctx` seems unused?
66d1f35 to c2f520d
Update the PR description with test steps performed.
Just looked through quickly.
lib/storage/keyval/system.go (outdated)
return b.upsertVal(b.key(systemP, nodeAddrP), addr, forever) | ||
} | ||
|
||
// GetServiceUser returns the current serviceo user |
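Review bot: `SetNodeAddr` hands `addr` to `upsertVal` by value, whereas `SetSELinux` in the same file passes `&enabled`; confirm that `upsertVal` serializes a string and a pointer to a bool the same way, or make the two call sites consistent so the stored encoding is obvious to the next reader. The doc comment typo ("serviceo user") is already flagged above.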
// GetServiceUser returns the current serviceo user | |
// GetServiceUser returns the current service user |
@@ -50,3 +50,33 @@ func (b *backend) GetSELinux() (enabled bool, err error) { | |||
func (b *backend) SetSELinux(enabled bool) error { | |||
return b.upsertVal(b.key(systemP, seLinuxP), &enabled, forever) | |||
} | |||
|
|||
// GetNodeAddr returns the current node advertise IP | |||
func (b *backend) GetNodeAddr() (addr string, err error) { |
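Review bot: `GetNodeAddr`/`SetNodeAddr` store per-node state under a single `systemP/nodeAddrP` key on the generic `backend`, so on a shared backend every node would overwrite the same entry; either document that these system metadata accessors are only valid on the node-local backend or move them to a separate interface that only the local backend implements.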
I realize this is probably just part of the port and already this way on other branches; I imagine it applies to just the local backend. I just find it funny, because the other backend is etcd, in which case each node would clobber others' writes.
Not asking for any changes, just something I found interesting.
Agree - moved the system metadata APIs to a separate interface in c059b97e
c2f520d to c059b97
c059b97 to 5e87bbb
Description
Forward port of #1749 to bring feature parity with 7.x.
Part of a bigger attempt to forward-port intermediate version support to 9.x.
Testing done
2.1. Trigger manual upgrade
2.2. Step over /init to rotate RPC credentials
2.3. Roll back the operation (to also restore credentials)
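The test steps above exercise one contract: executing the rotation phase must install fresh RPC credentials, and rolling it back must reinstate exactly the pre-upgrade ones. The following Go program is an added example written for this page, not Gravity's implementation; the in-memory `LocalStore`, the `system/rpc-credentials/*` key names and the `RotatePhase` type are hypothetical stand-ins for the node-local system metadata backend and the /init phase. It also covers the re-run case: if the phase is executed twice (for example after a crash mid-phase), the original backup must not be clobbered, or a later rollback would restore intermediate rather than pre-upgrade credentials.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical key names for the node-local metadata backend (not Gravity's).
const (
	keyCurrent  = "system/rpc-credentials/current"
	keyPrevious = "system/rpc-credentials/previous"
)

// RPCCredentials stands in for the agent RPC credentials: an Ed25519 key pair.
type RPCCredentials struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// ID is a short identifier derived from the public key, used for comparisons.
func (c RPCCredentials) ID() string { return hex.EncodeToString(c.Public[:8]) }

// Sign signs msg with the private half of the credentials.
func (c RPCCredentials) Sign(msg []byte) []byte { return ed25519.Sign(c.Private, msg) }

// Verify checks a signature against a public key a peer may still hold.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// LocalStore is an in-memory stand-in for a node-local key/value backend.
// It must be node-local: in a shared backend such as etcd every node would
// overwrite the same keys.
type LocalStore struct {
	mu   sync.Mutex
	data map[string]RPCCredentials
}

func NewLocalStore() *LocalStore { return &LocalStore{data: map[string]RPCCredentials{}} }

func (s *LocalStore) Get(key string) (RPCCredentials, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.data[key]
	return c, ok
}

func (s *LocalStore) Put(key string, c RPCCredentials) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[key] = c
}

func (s *LocalStore) Delete(key string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.data, key)
}

func generateCredentials() (RPCCredentials, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return RPCCredentials{}, err
	}
	return RPCCredentials{Public: pub, Private: priv}, nil
}

// RotatePhase models an upgrade phase with Execute/Rollback semantics.
type RotatePhase struct{ Store *LocalStore }

// Execute backs up the current credentials and installs freshly generated ones.
// An existing backup means the phase is being re-run after a partial execution:
// it is kept so that Rollback restores the pre-upgrade credentials.
func (p *RotatePhase) Execute() error {
	current, ok := p.Store.Get(keyCurrent)
	if !ok {
		return errors.New("no current RPC credentials to rotate")
	}
	if _, backedUp := p.Store.Get(keyPrevious); !backedUp {
		p.Store.Put(keyPrevious, current)
	}
	fresh, err := generateCredentials()
	if err != nil {
		return err
	}
	p.Store.Put(keyCurrent, fresh)
	return nil
}

// Rollback reinstalls the backed-up credentials and clears the backup, so a
// repeated rollback is a no-op rather than an error.
func (p *RotatePhase) Rollback() error {
	previous, ok := p.Store.Get(keyPrevious)
	if !ok {
		return nil
	}
	p.Store.Put(keyCurrent, previous)
	p.Store.Delete(keyPrevious)
	return nil
}

func main() {
	store := NewLocalStore()
	initial, err := generateCredentials()
	if err != nil {
		panic(err)
	}
	store.Put(keyCurrent, initial)
	phase := &RotatePhase{Store: store}
	if err := phase.Execute(); err != nil {
		panic(err)
	}
	rotated, _ := store.Get(keyCurrent)
	fmt.Printf("rotated %s -> %s\n", initial.ID(), rotated.ID())
	if err := phase.Rollback(); err != nil {
		panic(err)
	}
	restored, _ := store.Get(keyCurrent)
	fmt.Printf("rolled back to %s\n", restored.ID())
}
```

The backup-before-overwrite order matters: if the fresh credentials were written first and the process died, there would be nothing to roll back to, which is the situation step 2.3 is meant to rule out.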