Changes for cli command to renew certificate

[pravinpushkar]

Signed-off-by: Pravin Pushkar ppushkar@microsoft.com

Description

Adding new commands to renew expiring certificate.

# Generates new root and issuer certificates for kubernetest cluster
dapr mtls renew-certificate -k --valid-until <no of days> --restart

# Uses existing private root.key to generate new root and issuer certificates for kubernetes cluster
dapr mtls renew-certificate -k --certificate-password-file myprivatekey.key --valid-until <no of days>

# Rotates certificate of your kubernetes cluster with provided ca.cert, issuer.crt and issuer.key file path
dapr mtls renew-certificate -k --ca-root-certificate <ca.crt> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.crt> --restart

Issue reference

We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.

Please reference the issue this PR will close: #892

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

• Code compiles correctly
• Created/updated tests
• Extended the documentation

[shubham1172]

Other mtls commands don't seem to support the -k flag. Is that expected?

dapr mtls expiry -k
Error: unknown shorthand flag: 'k' in -k

[pravinpushkar]

this is expected in case we want to enhance it for standalone.
export and expiry does not make much sense for standalone mode imo.
In general, I think it should be with the specific subcommands whether -k flag is needed or not.

[shubham1172]

If mtls only supports k8s, then the subcommands should also enforce it ideally. Instead of silently failing, we should complain that it's a required flag and only k8s mode is supported. This can be tracked separately, but I think we should do it. Thoughts?

/cc @mukundansundar

[pravinpushkar]

I will be adding RenewCertificateCmd.MarkFlagRequired("kubernetes") in new commit.
We can enforce this flag through all subcommands but it will change the current behavior from dapr mtls expiry to of dapr mts expiry -k
@mukundansundar

[codecov]

Codecov Report

Merging #912 (038f841) into master (ce0af7c) will decrease coverage by 1.41%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #912      +/-   ##
==========================================
- Coverage   22.31%   20.90%   -1.42%     
==========================================
  Files          30       32       +2     
  Lines        1734     1851     +117     
==========================================
  Hits          387      387              
- Misses       1293     1410     +117     
  Partials       54       54              

Impacted Files	Coverage Δ
pkg/kubernetes/common.go	0.00% <0.00%> (ø)
pkg/kubernetes/renew_certificate.go	0.00% <0.00%> (ø)
pkg/kubernetes/upgrade.go	21.91% <0.00%> (+3.09%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ce0af7c...038f841. Read the comment docs.

[mukundansundar]

few more changes please ...

[mukundansundar]

Suggested change

	print.InfoStatusEvent(os.Stdout, "Using password file to generate root certificate")
	print.InfoStatusEvent(os.Stdout, "Using existing private key file to generate root certificate")

[mukundansundar]

This change needs to be done?

[mukundansundar]

not like to have a folder created by one test removed by another .... can this be in the Kubernetes_test.go file instead of common ?
A single flow ...

1. create a folder ./certs
2. Run GenerateNewCerts -- export cert to the previously created folder
3. Run the UserProvidedNewCertsAndRenew test ....
4. Remove the ./certs folder that was created in step 1

1 and 4 in the Test function ... and the rest can be what it is now ...

[mukundansundar]

@yaron2 @artursouza Don't we also need to restart sidecar-injector and dashboard as part of certificate rotation ?

[yaron2]

@yaron2 @artursouza Don't we also need to restart sidecar-injector and dashboard as part of certificate rotation ?

Sentry watches certs from the filesystem.

Addressed

[mukundansundar]

During release validations during endgame ... test this against a cluster running apps and validate working.

[mukundansundar]

@pravinpushkar Wait for all containers to be up needs to be added in this PR.

addressed