Merge pull request #2953 from hosseinsh/cert-rotation-region-by-region
Certificate rotation region by region
This commit is contained in:
commit
b96657994a
|
@ -286,6 +286,178 @@ def rotate(endpoint_name, new_certificate_name, old_certificate_name, message, c
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def request_rotation_region(endpoint, new_cert, message, commit, log_data, region):
|
||||||
|
if region in endpoint.dnsname:
|
||||||
|
log_data["message"] = "Rotating endpoint in region"
|
||||||
|
request_rotation(endpoint, new_cert, message, commit)
|
||||||
|
else:
|
||||||
|
log_data["message"] = "Skipping rotation, region mismatch"
|
||||||
|
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
|
||||||
|
|
||||||
|
@manager.option(
|
||||||
|
"-e",
|
||||||
|
"--endpoint",
|
||||||
|
dest="endpoint_name",
|
||||||
|
help="Name of the endpoint you wish to rotate.",
|
||||||
|
)
|
||||||
|
@manager.option(
|
||||||
|
"-n",
|
||||||
|
"--new-certificate",
|
||||||
|
dest="new_certificate_name",
|
||||||
|
help="Name of the certificate you wish to rotate to.",
|
||||||
|
)
|
||||||
|
@manager.option(
|
||||||
|
"-o",
|
||||||
|
"--old-certificate",
|
||||||
|
dest="old_certificate_name",
|
||||||
|
help="Name of the certificate you wish to rotate.",
|
||||||
|
)
|
||||||
|
@manager.option(
|
||||||
|
"-a",
|
||||||
|
"--notify",
|
||||||
|
dest="message",
|
||||||
|
action="store_true",
|
||||||
|
help="Send a rotation notification to the certificates owner.",
|
||||||
|
)
|
||||||
|
@manager.option(
|
||||||
|
"-c",
|
||||||
|
"--commit",
|
||||||
|
dest="commit",
|
||||||
|
action="store_true",
|
||||||
|
default=False,
|
||||||
|
help="Persist changes.",
|
||||||
|
)
|
||||||
|
@manager.option(
|
||||||
|
"-r",
|
||||||
|
"--region",
|
||||||
|
dest="region",
|
||||||
|
required=True,
|
||||||
|
help="Region in which to rotate the endpoint.",
|
||||||
|
)
|
||||||
|
def rotate_region(endpoint_name, new_certificate_name, old_certificate_name, message, commit, region):
|
||||||
|
"""
|
||||||
|
Rotates an endpoint in a defined region it if it has not already been replaced. If it has
|
||||||
|
been replaced, will use the replacement certificate for the rotation.
|
||||||
|
:param old_certificate_name: Name of the certificate you wish to rotate.
|
||||||
|
:param new_certificate_name: Name of the certificate you wish to rotate to.
|
||||||
|
:param endpoint_name: Name of the endpoint you wish to rotate.
|
||||||
|
:param message: Send a rotation notification to the certificates owner.
|
||||||
|
:param commit: Persist changes.
|
||||||
|
:param region: Region in which to rotate the endpoint.
|
||||||
|
"""
|
||||||
|
if commit:
|
||||||
|
print("[!] Running in COMMIT mode.")
|
||||||
|
|
||||||
|
print("[+] Starting endpoint rotation.")
|
||||||
|
status = FAILURE_METRIC_STATUS
|
||||||
|
|
||||||
|
log_data = {
|
||||||
|
"function": f"{__name__}.{sys._getframe().f_code.co_name}",
|
||||||
|
"region": region,
|
||||||
|
}
|
||||||
|
|
||||||
|
try:
|
||||||
|
old_cert = validate_certificate(old_certificate_name)
|
||||||
|
new_cert = validate_certificate(new_certificate_name)
|
||||||
|
endpoint = validate_endpoint(endpoint_name)
|
||||||
|
|
||||||
|
if endpoint and new_cert:
|
||||||
|
log_data["endpoint"] = endpoint.dnsname
|
||||||
|
log_data["certificate"] = new_cert.name
|
||||||
|
request_rotation_region(endpoint, new_cert, message, commit, log_data, region)
|
||||||
|
|
||||||
|
elif old_cert and new_cert:
|
||||||
|
log_data["certificate"] = new_cert.name
|
||||||
|
log_data["certificate_old"] = old_cert.name
|
||||||
|
log_data["message"] = "Rotating endpoint from old to new cert"
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
for endpoint in old_cert.endpoints:
|
||||||
|
log_data["endpoint"] = endpoint.dnsname
|
||||||
|
request_rotation_region(endpoint, new_cert, message, commit, log_data, region)
|
||||||
|
|
||||||
|
else:
|
||||||
|
log_data["message"] = "Rotating all endpoints that have new certificates available"
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
all_pending_rotation_endpoints = endpoint_service.get_all_pending_rotation()
|
||||||
|
for endpoint in all_pending_rotation_endpoints:
|
||||||
|
log_data["endpoint"] = endpoint.dnsname
|
||||||
|
if region not in endpoint.dnsname:
|
||||||
|
log_data["message"] = "Skipping rotation, region mismatch"
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
metrics.send(
|
||||||
|
"endpoint_rotation_region_skipped",
|
||||||
|
"counter",
|
||||||
|
1,
|
||||||
|
metric_tags={
|
||||||
|
"region": region,
|
||||||
|
"old_certificate_name": str(old_cert),
|
||||||
|
"new_certificate_name": str(endpoint.certificate.replaced[0].name),
|
||||||
|
"endpoint_name": str(endpoint.dnsname),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
if len(endpoint.certificate.replaced) == 1:
|
||||||
|
log_data["certificate"] = endpoint.certificate.replaced[0].name
|
||||||
|
log_data["message"] = "Rotating all endpoints in region"
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
request_rotation(endpoint, endpoint.certificate.replaced[0], message, commit)
|
||||||
|
status = SUCCESS_METRIC_STATUS
|
||||||
|
else:
|
||||||
|
status = FAILURE_METRIC_STATUS
|
||||||
|
log_data["message"] = "Failed to rotate endpoint due to Multiple replacement certificates found"
|
||||||
|
print(log_data)
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
|
||||||
|
metrics.send(
|
||||||
|
"endpoint_rotation_region",
|
||||||
|
"counter",
|
||||||
|
1,
|
||||||
|
metric_tags={
|
||||||
|
"status": FAILURE_METRIC_STATUS,
|
||||||
|
"old_certificate_name": str(old_cert),
|
||||||
|
"new_certificate_name": str(endpoint.certificate.replaced[0].name),
|
||||||
|
"endpoint_name": str(endpoint.dnsname),
|
||||||
|
"message": str(message),
|
||||||
|
"region": str(region),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
status = SUCCESS_METRIC_STATUS
|
||||||
|
print("[+] Done!")
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
sentry.captureException(
|
||||||
|
extra={
|
||||||
|
"old_certificate_name": str(old_certificate_name),
|
||||||
|
"new_certificate_name": str(new_certificate_name),
|
||||||
|
"endpoint": str(endpoint_name),
|
||||||
|
"message": str(message),
|
||||||
|
"region": str(region),
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
metrics.send(
|
||||||
|
"endpoint_rotation_region_job",
|
||||||
|
"counter",
|
||||||
|
1,
|
||||||
|
metric_tags={
|
||||||
|
"status": status,
|
||||||
|
"old_certificate_name": str(old_certificate_name),
|
||||||
|
"new_certificate_name": str(new_certificate_name),
|
||||||
|
"endpoint_name": str(endpoint_name),
|
||||||
|
"message": str(message),
|
||||||
|
"endpoint": str(globals().get("endpoint")),
|
||||||
|
"region": str(region),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@manager.option(
|
@manager.option(
|
||||||
"-o",
|
"-o",
|
||||||
"--old-certificate",
|
"--old-certificate",
|
||||||
|
|
|
@ -631,7 +631,8 @@ def certificate_reissue():
|
||||||
|
|
||||||
|
|
||||||
@celery.task(soft_time_limit=3600)
|
@celery.task(soft_time_limit=3600)
|
||||||
def certificate_rotate():
|
def certificate_rotate(**kwargs):
|
||||||
|
|
||||||
"""
|
"""
|
||||||
This celery task rotates certificates which are reissued but having endpoints attached to the replaced cert
|
This celery task rotates certificates which are reissued but having endpoints attached to the replaced cert
|
||||||
:return:
|
:return:
|
||||||
|
@ -641,6 +642,7 @@ def certificate_rotate():
|
||||||
if celery.current_task:
|
if celery.current_task:
|
||||||
task_id = celery.current_task.request.id
|
task_id = celery.current_task.request.id
|
||||||
|
|
||||||
|
region = kwargs.get("region")
|
||||||
log_data = {
|
log_data = {
|
||||||
"function": function,
|
"function": function,
|
||||||
"message": "rotating certificates",
|
"message": "rotating certificates",
|
||||||
|
@ -654,7 +656,11 @@ def certificate_rotate():
|
||||||
|
|
||||||
current_app.logger.debug(log_data)
|
current_app.logger.debug(log_data)
|
||||||
try:
|
try:
|
||||||
cli_certificate.rotate(None, None, None, None, True)
|
if region:
|
||||||
|
log_data["region"] = region
|
||||||
|
cli_certificate.rotate_region(None, None, None, None, True, region)
|
||||||
|
else:
|
||||||
|
cli_certificate.rotate(None, None, None, None, True)
|
||||||
except SoftTimeLimitExceeded:
|
except SoftTimeLimitExceeded:
|
||||||
log_data["message"] = "Certificate rotate: Time limit exceeded."
|
log_data["message"] = "Certificate rotate: Time limit exceeded."
|
||||||
current_app.logger.error(log_data)
|
current_app.logger.error(log_data)
|
||||||
|
|
Loading…
Reference in New Issue