MINOR: cluster: add endpoint for cert refresh

POST /cluster/certificate can be used to initiate certificate refresh
in cluster mode

Author: oktalz

configuration/cluster_sync.go

@@ -36,6 +36,8 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+const DataplaneAPIType = "community"
+
 //Node is structure required for connection to cluster
 type Node struct {
 	Address     string `json:"address"`
@@ -64,6 +66,9 @@ func (c *ClusterSync) Monitor(cfg *Configuration, cli *client_native.HAProxyClie
 	c.cli = cli
 
 	go c.monitorBootstrapKey()
+	if c.cfg.Mode.Load() == "cluster" {
+		go c.monitorCertificateRefresh()
+	}
 
 	c.certFetch = make(chan struct{}, 2)
 	go c.fetchCert()
@@ -76,6 +81,98 @@ func (c *ClusterSync) Monitor(cfg *Configuration, cli *client_native.HAProxyClie
 	}
 }
 
+func (c *ClusterSync) monitorCertificateRefresh() {
+	for range c.cfg.Notify.CertificateRefresh.Subscribe("monitorCertificateRefresh") {
+		log.Info("refreshing certificate")
+
+		key := c.cfg.BootstrapKey.Load()
+		data, err := decodeBootstrapKey(key)
+		if err != nil {
+			log.Warning(err)
+			continue
+		}
+		if len(data) != 8 {
+			log.Warning("bottstrap key in unrecognized format")
+			continue
+		}
+		url := fmt.Sprintf("%s://%s", data[0], data[1])
+
+		csr, key, err := generateCSR()
+		if err != nil {
+			log.Warning(err)
+			continue
+		}
+		err = ioutil.WriteFile(c.cfg.Cluster.CertificateCSR.Load(), []byte(csr), 0644)
+		if err != nil {
+			log.Warning(err)
+			continue
+		}
+		err = c.issueRefreshRequest(url, data[2], data[3], data[4], csr, key)
+		if err != nil {
+			log.Warning(err)
+			continue
+		}
+	}
+}
+
+func (c *ClusterSync) issueRefreshRequest(url, port, basePath string, nodesPath string, csr, key string) error {
+	url = fmt.Sprintf("%s:%s%s/%s/%s", url, port, basePath, nodesPath, c.cfg.Cluster.ID.Load())
+	nodeData := Node{
+		ID:          c.cfg.Cluster.ID.Load(),
+		Address:     c.cfg.Server.Host,
+		Certificate: csr,
+		Status:      cfg.Status.Load(),
+		Type:        DataplaneAPIType,
+	}
+	bytesRepresentation, _ := json.Marshal(nodeData)
+
+	req, err := http.NewRequest("PATCH", url, bytes.NewBuffer(bytesRepresentation))
+	if err != nil {
+		return fmt.Errorf("error creating new POST request for cluster comunication")
+	}
+	req.Header.Add("X-Node-Key", c.cfg.Cluster.Token.Load())
+	req.Header.Add("Content-Type", "application/json")
+	log.Infof("Refreshing certificate %s", url)
+	httpClient := createHTTPClient()
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != 202 {
+		return fmt.Errorf("status code not proper [%d] %s", resp.StatusCode, string(body))
+	}
+	var responseData Node
+	err = json.Unmarshal(body, &responseData)
+	if err != nil {
+		return err
+	}
+	log.Infof("Cluster re joined, status: %s", responseData.Status)
+	err = ioutil.WriteFile(c.cfg.Cluster.CertificatePath.Load(), []byte(responseData.Certificate), 0644)
+	if err != nil {
+		log.Warning(err)
+		return err
+	}
+	err = ioutil.WriteFile(c.cfg.Cluster.CertificateKeyPath.Load(), []byte(key), 0644)
+	if err != nil {
+		log.Warning(err)
+		return err
+	}
+	c.cfg.Cluster.Token.Store(resp.Header.Get("X-Node-Key"))
+	err = c.cfg.Save()
+	if err != nil {
+		log.Warning(err)
+		return err
+	}
+	c.cfg.Notify.Reload.Notify()
+	return nil
+}
+
 func (c *ClusterSync) monitorBootstrapKey() {
 	for range c.cfg.Notify.BootstrapKeyChanged.Subscribe("monitorBootstrapKey") {
 		key := c.cfg.BootstrapKey.Load()
@@ -173,7 +270,7 @@ func (c *ClusterSync) issueJoinRequest(url, port, basePath string, nodesPath str
 		Name:        c.cfg.Name.Load(),
 		Port:        int64(serverCfg.Port),
 		Status:      "waiting_approval",
-		Type:        "community",
+		Type:        DataplaneAPIType,
 	}
 	bytesRepresentation, _ := json.Marshal(nodeData)
 

configuration/configuration.go

@@ -95,6 +95,7 @@ type ServerConfiguration struct {
 
 type NotifyConfiguration struct {
 	BootstrapKeyChanged *ChanNotify `yaml:"-"`
+	CertificateRefresh  *ChanNotify `yaml:"-"`
 	Reload              *ChanNotify `yaml:"-"`
 	Shutdown            *ChanNotify `yaml:"-"`
 }
@@ -117,6 +118,7 @@ func Get() *Configuration {
 		cfg = &Configuration{}
 		cfg.initSignalHandler()
 		cfg.Notify.BootstrapKeyChanged = NewChanNotify()
+		cfg.Notify.CertificateRefresh = NewChanNotify()
 		cfg.Notify.Reload = NewChanNotify()
 		cfg.Notify.Shutdown = NewChanNotify()
 	}
@@ -134,6 +136,7 @@ func (c *Configuration) BotstrapKeyChanged(bootstrapKey string) {
 
 func (c *Configuration) UnSubscribeAll() {
 	c.Notify.BootstrapKeyChanged.UnSubscribeAll()
+	c.Notify.CertificateRefresh.UnSubscribeAll()
 	c.Notify.Reload.UnSubscribeAll()
 	c.Notify.Shutdown.UnSubscribeAll()
 }

configure_data_plane.go

@@ -409,6 +409,7 @@ func configureAPI(api *operations.DataPlaneAPI) http.Handler {
 	// setup cluster handlers
 	api.DiscoveryGetClusterHandler = &handlers.GetClusterHandlerImpl{Config: cfg}
 	api.ClusterPostClusterHandler = &handlers.CreateClusterHandlerImpl{Config: cfg}
+	api.ClusterInitiateCertificateRefreshHandler = &handlers.ClusterInitiateCertificateRefreshHandlerImpl{Config: cfg}
 
 	clusterSync := dataplaneapi_config.ClusterSync{ReloadAgent: ra}
 	go clusterSync.Monitor(cfg, client)

embedded_spec.go

@@ -25,17 +25,30 @@ import (
 	"github.com/haproxytech/models"
 )
 
-//CreateClusterHandlerImpl implementation of the CreateClusterHandler interface using client-native client
+//CreateClusterHandlerImpl implementation of the CreateClusterHandler interface
 type CreateClusterHandlerImpl struct {
 	Config *configuration.Configuration
 }
 
-//GetClusterHandlerImpl implementation of the GetClusterHandler interface using client-native client
+//GetClusterHandlerImpl implementation of the GetClusterHandler interface
 type GetClusterHandlerImpl struct {
 	Config *configuration.Configuration
 }
 
+//ClusterInitiateCertificateRefreshHandlerImpl implementation of the ClusterInitiateCertificateRefreshHandler interface
+type ClusterInitiateCertificateRefreshHandlerImpl struct {
+	Config *configuration.Configuration
+}
+
 //Handle executing the request and returning a response
+func (h *ClusterInitiateCertificateRefreshHandlerImpl) Handle(params cluster.InitiateCertificateRefreshParams, principal interface{}) middleware.Responder {
+	if h.Config.Mode.Load() != "cluster" {
+		return cluster.NewInitiateCertificateRefreshForbidden()
+	}
+	h.Config.Notify.CertificateRefresh.Notify()
+	return cluster.NewInitiateCertificateRefreshOK()
+}
+
 func (h *CreateClusterHandlerImpl) Handle(params cluster.PostClusterParams, principal interface{}) middleware.Responder {
 	key := h.Config.BootstrapKey.Load()
 	if params.Data.BootstrapKey != "" && key != params.Data.BootstrapKey {