Changes for cli command to renew certificate (#912)

* Changes for cli command to renew certificate

Signed-off-by: Pravin Pushkar <[email protected]>

* adding renew-cert as subcommand to mtls

Signed-off-by: Pravin Pushkar <[email protected]>

* Impl for generating fresh certificates with provided  ttl

Signed-off-by: Pravin Pushkar <[email protected]>

* fix lint and ttl

Signed-off-by: Pravin Pushkar <[email protected]>

* Adding a flag to restart services

Signed-off-by: Pravin Pushkar <[email protected]>

* Adding tests and some refactoring

Signed-off-by: Pravin Pushkar <[email protected]>

* Adding timeout and changing flags detail

Signed-off-by: Pravin Pushkar <[email protected]>

* fixing review comments

Signed-off-by: Pravin Pushkar <[email protected]>

* Fixing review comments and test failures

Signed-off-by: Pravin Pushkar <[email protected]>

* Fixing tests and readme

Signed-off-by: Pravin Pushkar <[email protected]>

* fixing uninstall and other certificate test

Signed-off-by: Pravin Pushkar <[email protected]>

* review comments fixes

Signed-off-by: Pravin Pushkar <[email protected]>

Author: pravinpushkar

README.md

@@ -437,6 +437,23 @@ dapr mtls expiry
 
 This can be used when upgrading to a newer version of Dapr, as it's recommended to carry over the existing certs for a zero downtime upgrade.
 
+### Renew Dapr certificates of a kubernetes cluster with one of the 3 ways mentioned below:
+Renew certificate by generating new root and issuer certificates
+
+```bash
+dapr mtls renew-certificate -k --valid-until <no of days> --restart
+```
+Use existing private root.key to generate new root and issuer certificates
+
+```bash
+dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
+```
+Use user provided ca.crt, issuer.crt and issuer.key
+
+```bash
+dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart
+```
+
 ### List Components
 
 To list all Dapr components on Kubernetes:

cmd/mtls.go

@@ -101,5 +101,6 @@ func init() {
 	MTLSCmd.MarkFlagRequired("kubernetes")
 	MTLSCmd.AddCommand(ExportCMD)
 	MTLSCmd.AddCommand(ExpiryCMD)
+	MTLSCmd.AddCommand(RenewCertificateCmd())
 	RootCmd.AddCommand(MTLSCmd)
 }

cmd/renew_certificate.go

@@ -0,0 +1,154 @@
+/*
+Copyright 2021 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/dapr/cli/pkg/kubernetes"
+	"github.com/dapr/cli/pkg/print"
+	"github.com/dapr/cli/utils"
+)
+
+var (
+	privateKey                  string
+	caRootCertificateFile       string
+	issuerPrivateKeyFile        string
+	issuerPublicCertificateFile string
+	validUntil                  uint
+	restartDaprServices         bool
+)
+
+func RenewCertificateCmd() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "renew-certificate",
+		Short: "Rotates Dapr root certificate of your kubernetes cluster",
+
+		Example: `
+# Generates new root and issuer certificates for kubernetes cluster
+dapr mtls renew-certificate -k --valid-until <no of days> --restart
+
+# Uses existing private root.key to generate new root and issuer certificates for kubernetes cluster
+dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
+
+# Rotates certificate of your kubernetes cluster with provided ca.cert, issuer.crt and issuer.key file path
+dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart
+
+# See more at: https://docs.dapr.io/getting-started/
+`,
+
+		Run: func(cmd *cobra.Command, args []string) {
+			if kubernetesMode {
+				print.PendingStatusEvent(os.Stdout, "Starting certificate rotation")
+				if caRootCertificateFile != "" && issuerPrivateKeyFile != "" && issuerPublicCertificateFile != "" {
+					print.InfoStatusEvent(os.Stdout, "Using provided certificates")
+					err := kubernetes.RenewCertificate(kubernetes.RenewCertificateParams{
+						RootCertificateFilePath:   caRootCertificateFile,
+						IssuerCertificateFilePath: issuerPublicCertificateFile,
+						IssuerPrivateKeyFilePath:  issuerPrivateKeyFile,
+						Timeout:                   timeout,
+					})
+					if err != nil {
+						logErrorAndExit(err)
+					}
+				} else if privateKey != "" {
+					print.InfoStatusEvent(os.Stdout, "Using password file to generate root certificate")
+					err := kubernetes.RenewCertificate(kubernetes.RenewCertificateParams{
+						RootPrivateKeyFilePath: privateKey,
+						ValidUntil:             time.Hour * time.Duration(validUntil*24),
+						Timeout:                timeout,
+					})
+					if err != nil {
+						logErrorAndExit(err)
+					}
+				} else {
+					print.InfoStatusEvent(os.Stdout, "generating fresh certificates")
+					err := kubernetes.RenewCertificate(kubernetes.RenewCertificateParams{
+						ValidUntil: time.Hour * time.Duration(validUntil*24),
+						Timeout:    timeout,
+					})
+					if err != nil {
+						logErrorAndExit(err)
+					}
+				}
+			}
+		},
+		PostRun: func(cmd *cobra.Command, args []string) {
+			expiry, err := kubernetes.Expiry()
+			if err != nil {
+				logErrorAndExit(err)
+			}
+			print.SuccessStatusEvent(os.Stdout,
+				fmt.Sprintf("Certificate rotation is successful! Your new certicate is valid through %s", expiry.Format(time.RFC1123)))
+
+			if restartDaprServices {
+				restartControlPlaneService()
+				if err != nil {
+					print.FailureStatusEvent(os.Stdout, err.Error())
+					os.Exit(1)
+				}
+			}
+		},
+	}
+
+	command.Flags().BoolVarP(&kubernetesMode, "kubernetes", "k", false, "Renews root and issuer certificates of Dapr in a Kubernetes cluster")
+	command.Flags().StringVarP(&privateKey, "private-key", "", "", "The root.key file which is used to generate root certificate")
+	command.Flags().StringVarP(&caRootCertificateFile, "ca-root-certificate", "", "", "The root certificate file")
+	command.Flags().StringVarP(&issuerPrivateKeyFile, "issuer-private-key", "", "", "The issuer certificate private key")
+	command.Flags().StringVarP(&issuerPublicCertificateFile, "issuer-public-certificate", "", "", "The issuer certificate")
+	command.Flags().UintVarP(&validUntil, "valid-until", "", 365, "Max days before certificate expires")
+	command.Flags().BoolVarP(&restartDaprServices, "restart", "", false, "Restart Dapr control plane services")
+	command.Flags().UintVarP(&timeout, "timeout", "", 300, "The timeout for the certificate renewal")
+	command.MarkFlagRequired("kubernetes")
+	return command
+}
+
+func logErrorAndExit(err error) {
+	err = fmt.Errorf("certificate rotation failed %w", err)
+	print.FailureStatusEvent(os.Stderr, err.Error())
+	os.Exit(1)
+}
+
+func restartControlPlaneService() error {
+	controlPlaneServices := []string{"deploy/dapr-sentry", "deploy/dapr-operator", "statefulsets/dapr-placement-server"}
+	namespace, err := getDaprNamespace()
+	if err != nil {
+		print.FailureStatusEvent(os.Stdout, "Failed to fetch Dapr namespace")
+	}
+	for _, name := range controlPlaneServices {
+		print.InfoStatusEvent(os.Stdout, fmt.Sprintf("Restarting %s..", name))
+		_, err := utils.RunCmdAndWait("kubectl", "rollout", "restart", name, "-n", namespace)
+		if err != nil {
+			return fmt.Errorf("error in restarting deployment %s. Error is %w", name, err)
+		}
+		_, err = utils.RunCmdAndWait("kubectl", "rollout", "status", name, "-n", namespace)
+		if err != nil {
+			return fmt.Errorf("error in checking status for deployment %s. Error is %w", name, err)
+		}
+	}
+	print.SuccessStatusEvent(os.Stdout, "All control plane services have restarted successfully!")
+	return nil
+}
+
+func getDaprNamespace() (string, error) {
+	status, err := kubernetes.GetDaprResourcesStatus()
+	if err != nil {
+		return "", err
+	}
+	return status[0].Namespace, nil
+}

pkg/kubernetes/common.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2021 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubernetes
+
+import (
+	"errors"
+	"strings"
+
+	helm "helm.sh/helm/v3/pkg/action"
+)
+
+func GetDaprResourcesStatus() ([]StatusOutput, error) {
+	sc, err := NewStatusClient()
+	if err != nil {
+		return nil, err
+	}
+
+	status, err := sc.Status()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(status) == 0 {
+		return nil, errors.New("dapr is not installed in your cluster")
+	}
+	return status, nil
+}
+
+func GetDaprHelmChartName(helmConf *helm.Configuration) (string, error) {
+	listClient := helm.NewList(helmConf)
+	releases, err := listClient.Run()
+	if err != nil {
+		return "", err
+	}
+	var chart string
+	for _, r := range releases {
+		if r.Chart != nil && strings.Contains(r.Chart.Name(), "dapr") {
+			chart = r.Name
+			break
+		}
+	}
+	return chart, nil
+}
+
+func GetDaprVersion(status []StatusOutput) string {
+	var daprVersion string
+	for _, s := range status {
+		if s.Name == operatorName {
+			daprVersion = s.Version
+		}
+	}
+	return daprVersion
+}