cluster/clustercfg/cmd_gencerts.go

package main

import (
	"log"
	"path/filepath"
	"strings"

	"github.com/spf13/cobra"

	"code.hackerspace.pl/hscloud/cluster/clustercfg/certs"
	"code.hackerspace.pl/hscloud/go/workspace"
)

var flagFQDNs []string

var gencertsCmd = &cobra.Command{
	Use:   "gencerts",
	Short: "(re)generate keys/certs for k0 cluster",
	Long: `
If you're adding a new cluster node, run this. It will populate //cluster/secrets
and //cluster/certificates with new certs/keys.

By default, the nodes to generate certificates for are automatically discovered
by querying the local Nix machines defined in //ops, looking for anything that
has hscloud.kube.controller.enabled. That can be slow and/or incorrect. To override
node names, set --fqdn (either comma-separate them or repeat flags).
`,
	Run: func(cmd *cobra.Command, args []string) {
		ws, err := workspace.Get()
		if err != nil {
			log.Fatalf("Could not figure out workspace: %v", err)
		}
		path := filepath.Join(ws, "cluster")

		fqdns := flagFQDNs
		if len(fqdns) == 0 {
			log.Printf("--fqdn not set, figuring out machines from Nix...")
			err = workspace.EvalHscloudNix(cmd.Context(), &fqdns, "ops.exports.kubeMachineNames")
			if err != nil {
				log.Fatalf("Could not figure out Kubernetes machine FQDNs: %v", err)
			}
		}

		for _, fqdn := range fqdns {
			parts := strings.Split(fqdn, ".")
			if len(parts) != 3 || parts[1] != "hswaw" || parts[2] != "net" {
				log.Fatalf("Invalid FQDN %q: must be xxx.hswaw.net.", fqdn)
			}
		}

		log.Printf("Machines: --fqdn %s", strings.Join(fqdns, ","))
		c := certs.Prepare(path, fqdns)
		if err := c.Ensure(); err != nil {
			log.Fatalf("Failed: %v", err)
		}
		log.Printf("Done.")
	},
}

func init() {
	gencertsCmd.Flags().StringSliceVar(&flagFQDNs, "fqdn", nil, "List of machine FQDNs to generate certs for. If not set, will be automatically figured out from Nix modules in local checkout (slow).")
	rootCmd.AddCommand(gencertsCmd)
}