From 058f409f5cc21a0166feb888fc2e873c7dfb455d Mon Sep 17 00:00:00 2001
From: rambohe-ch
Date: Tue, 25 May 2021 21:56:32 +0800
Subject: [PATCH] bugfix: update clusterrole and certificate for yurt-tunnel-server and fix kubeconfig path error for yurtctl
---
 config/setup/yurt-tunnel-server.yaml | 28 ++++++++++++-
 config/yaml-template/yurt-tunnel-server.yaml | 42 +++++++++++++++----
 pkg/yurtctl/cmd/revert/revert.go | 2 +-
 .../constants/yurt-tunnel-server-tmpl.go | 28 ++++++++++++-
 pkg/yurtctl/util/edgenode/util.go | 2 +-
 pkg/yurttunnel/pki/certmanager/certmanager.go | 23 +++++-----
 pkg/yurttunnel/server/serveraddr/addr.go | 4 +-
 pkg/yurttunnel/server/serveraddr/addr_test.go | 4 +-
 8 files changed, 104 insertions(+), 29 deletions(-)
diff --git a/config/setup/yurt-tunnel-server.yaml b/config/setup/yurt-tunnel-server.yaml
index a91193e744f..99b5fe03638 100644
--- a/config/setup/yurt-tunnel-server.yaml
+++ b/config/setup/yurt-tunnel-server.yaml
@@ -29,9 +29,7 @@ rules:
 - apiGroups:
 - ""
 resources:
- - services
 - endpoints
- - configmaps
 verbs:
 - get
 - apiGroups:
@@ -41,6 +39,32 @@ rules:
 verbs:
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
diff --git a/config/yaml-template/yurt-tunnel-server.yaml b/config/yaml-template/yurt-tunnel-server.yaml
index 3becb4f8612..2a1ba79b0f7 100644
--- a/config/yaml-template/yurt-tunnel-server.yaml
+++ b/config/yaml-template/yurt-tunnel-server.yaml
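Review bot: The new configmaps rule grants create and update on ConfigMaps in every namespace, and the new leases rule does the same for coordination.k8s.io leases; because this is a ClusterRole bound by the ClusterRoleBinding that follows, a compromised yurt-tunnel-server pod becomes a writer of any ConfigMap in the cluster. If the server only writes its own ConfigMap(s) and lease in its own namespace, a namespaced Role and RoleBinding, or a `resourceNames:` list on these two rules, keeps the grant to what the component actually touches. The same three rules are repeated in the config/yaml-template/yurt-tunnel-server.yaml hunk and in the pkg/yurtctl/constants/yurt-tunnel-server-tmpl.go hunk, so any tightening has to land in all three copies. The verb order `list, watch, get, create, update` also differs from the `get, list, watch` order used for services; one consistent order makes the copies easier to compare.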
@@ -27,20 +27,44 @@ rules:
 verbs:
 - approve
 - apiGroups:
- - ""
+ - ""
 resources:
- - services
- - endpoints
- - configmaps
+ - endpoints
 verbs:
- - get
+ - get
 - apiGroups:
- - ""
+ - ""
 resources:
- - nodes
+ - nodes
 verbs:
- - list
- - watch
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
diff --git a/pkg/yurtctl/cmd/revert/revert.go b/pkg/yurtctl/cmd/revert/revert.go
index 2e7292a87f9..18e22d7a8bc 100644
--- a/pkg/yurtctl/cmd/revert/revert.go
+++ b/pkg/yurtctl/cmd/revert/revert.go
@@ -263,7 +263,7 @@ func removeYurtTunnelServer(client *kubernetes.Clientset) error {
 return fmt.Errorf("fail to delete the daemonset/%s: %s", constants.YurttunnelServerComponentName, err)
 }
- klog.V(4).Infof("daemonset/%s is deleted", constants.YurttunnelServerComponentName)
+ klog.V(4).Infof("deployment/%s is deleted", constants.YurttunnelServerComponentName)
 // 2.1 remove the Service
 if err := client.CoreV1().Services(constants.YurttunnelNamespace).
diff --git a/pkg/yurtctl/constants/yurt-tunnel-server-tmpl.go b/pkg/yurtctl/constants/yurt-tunnel-server-tmpl.go
index f8b3c958b4d..b413c37fa72 100644
--- a/pkg/yurtctl/constants/yurt-tunnel-server-tmpl.go
+++ b/pkg/yurtctl/constants/yurt-tunnel-server-tmpl.go
@@ -49,9 +49,7 @@ rules:
 - apiGroups:
 - ""
 resources:
- - services
 - endpoints
- - configmaps
 verbs:
 - get
 - apiGroups:
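Review bot: The added log line in revert.go now says `deployment/%s is deleted` while the error two context lines above it still says `fail to delete the daemonset/%s`, so the two messages for the same object disagree about its kind. Whichever kind the resource actually is, both strings should name it; if it is a Deployment the error becomes `return fmt.Errorf("fail to delete the deployment/%s: %s", constants.YurttunnelServerComponentName, err)`. While touching that line, `%s` on an error value is better written `%w` so callers can unwrap it. The enclosing function removeYurtTunnelServer starts and ends outside the hunk.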
@@ -61,6 +59,32 @@ rules:
 verbs:
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
 `
 YurttunnelServerServiceAccount = `
 apiVersion: v1
diff --git a/pkg/yurtctl/util/edgenode/util.go b/pkg/yurtctl/util/edgenode/util.go
index 754677355be..8954387b88a 100644
--- a/pkg/yurtctl/util/edgenode/util.go
+++ b/pkg/yurtctl/util/edgenode/util.go
@@ -177,7 +177,7 @@ func PrepareKubeConfigPath(flags *pflag.FlagSet) (string, error) {
 if kbCfgPath == "" {
 if home := homedir.HomeDir(); home != "" {
 homeKbCfg := filepath.Join(home, ".kube", "config")
- if ok, _ := FileExists(kbCfgPath); ok {
+ if ok, _ := FileExists(homeKbCfg); ok {
 kbCfgPath = homeKbCfg
 }
 }
diff --git a/pkg/yurttunnel/pki/certmanager/certmanager.go b/pkg/yurttunnel/pki/certmanager/certmanager.go
index 864220997c0..f912ee728fe 100644
--- a/pkg/yurttunnel/pki/certmanager/certmanager.go
+++ b/pkg/yurttunnel/pki/certmanager/certmanager.go
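Review bot: `if ok, _ := FileExists(homeKbCfg); ok {` in util.go now probes the right path, but it still discards the error from FileExists, so a permission or I/O error on the home kubeconfig is indistinguishable from the file being absent and kbCfgPath silently stays empty. Assuming FileExists reports errors other than not-exist through its second result, `ok, err := FileExists(homeKbCfg)` followed by `if err != nil { return "", fmt.Errorf("checking kubeconfig %q: %w", homeKbCfg, err) }` surfaces the real cause instead of falling through. The rest of PrepareKubeConfigPath, including what happens when kbCfgPath remains empty, is outside the hunk.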
@@ -55,23 +55,25 @@ func NewYurttunnelServerCertManager(
 )
 _ = wait.PollUntil(5*time.Second, func() (bool, error) {
 dnsNames, ips, err = serveraddr.GetYurttunelServerDNSandIP(clientset)
- if err == nil {
- return true, nil
+ if err != nil {
+ return false, err
 }
 // get clusterIP for tunnel server internal service
 svc, err := clientset.CoreV1().Services(constants.YurttunnelServerServiceNs).Get(context.Background(), constants.YurttunnelServerInternalServiceName, metav1.GetOptions{})
- if err == nil {
- if svc.Spec.ClusterIP != "" && net.ParseIP(svc.Spec.ClusterIP) != nil {
- ips = append(ips, net.ParseIP(svc.Spec.ClusterIP))
- }
- } else if errors.IsNotFound(err) {
- // compatible with versions that not supported dns
+ if errors.IsNotFound(err) {
+ // compatible with versions that not supported x-tunnel-server-internal-svc
 return true, nil
+ } else if err != nil {
+ return false, err
+ }
+
+ if svc.Spec.ClusterIP != "" && net.ParseIP(svc.Spec.ClusterIP) != nil {
+ ips = append(ips, net.ParseIP(svc.Spec.ClusterIP))
+ dnsNames = append(dnsNames, serveraddr.GetDefaultDomainsForSvc(svc.Namespace, svc.Name)...)
 }
- klog.Errorf("failed to get DNS names and ips: %s", err)
- return false, nil
+ return true, nil
 }, stopCh)
 // add user specified DNS anems and IP addresses
 dnsNames = append(dnsNames, clCertNames...)
@@ -139,6 +141,7 @@ func newCertManager(
 ClientFn: func(current *tls.Certificate) (clicert.CertificateSigningRequestInterface, error) {
 return clientset.CertificatesV1beta1().CertificateSigningRequests(), nil
 },
+ SignerName: certificates.LegacyUnknownSignerName,
 GetTemplate: getTemplate,
 Usages: []certificates.KeyUsage{
 certificates.UsageAny,
diff --git a/pkg/yurttunnel/server/serveraddr/addr.go b/pkg/yurttunnel/server/serveraddr/addr.go
index 8ad09c4cf24..9eb9635499c 100644
--- a/pkg/yurttunnel/server/serveraddr/addr.go
+++ b/pkg/yurttunnel/server/serveraddr/addr.go
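Review bot: The two added `return false, err` lines make wait.PollUntil stop on the first error instead of retrying, and the context line above discards the poll result with `_ = wait.PollUntil(...)`, so a transient API-server or RBAC error during startup silently leaves dnsNames and ips with whatever was collected (possibly nothing) and the server certificate is then requested with only the user-specified names and IPs appended after the loop. The replaced lines logged and returned `false, nil`, which kept polling until stopCh closed; either restore that behaviour (`klog.Errorf("failed to get DNS names and ips: %s", err); return false, nil`) or check PollUntil's error and fail NewYurttunnelServerCertManager, whose signature and return are outside the hunk. A one-line comment above the poll stating which of the two outcomes is intended would also help, since the retry-versus-abort decision is not obvious from the closure alone.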
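Review bot: `SignerName: certificates.LegacyUnknownSignerName` lands in newCertManager without a comment explaining the choice. The kubernetes.io/legacy-unknown signer exists only in the certificates.k8s.io/v1beta1 API that ClientFn above uses and was not carried into the v1 CSR API, so a note such as `// legacy-unknown is the only built-in signer usable for a custom server cert on v1beta1; re-evaluate when CSRs move to certificates.k8s.io/v1` saves the next maintainer from rediscovering why a deprecated signer is pinned here. The Usages list starting on the last context line continues outside the hunk, so the full key-usage set granted to this certificate cannot be reviewed from this diff.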
@@ -169,7 +169,7 @@ func extractTunnelServerDNSandIPs(svc *v1.Service, eps *v1.Endpoints, nodeLst *v
 }
 // extract dns and ip from ClusterIP info
- dnsNames = append(dnsNames, getDefaultDomainsForSvc(svc.Namespace, svc.Name)...)
+ dnsNames = append(dnsNames, GetDefaultDomainsForSvc(svc.Namespace, svc.Name)...)
 if svc.Spec.ClusterIP != "None" {
 ips = append(ips, net.ParseIP(svc.Spec.ClusterIP))
 }
@@ -266,7 +266,7 @@ func getNodePortDNSandIP(nodeLst *v1.NodeList) ([]string, []net.IP, error) {
 }
 // getDefaultDomainsForSvc get default domains for specified service
-func getDefaultDomainsForSvc(ns, name string) []string {
+func GetDefaultDomainsForSvc(ns, name string) []string {
 domains := make([]string, 0)
 if len(ns) == 0 || len(name) == 0 {
 return domains
diff --git a/pkg/yurttunnel/server/serveraddr/addr_test.go b/pkg/yurttunnel/server/serveraddr/addr_test.go
index 650df5fb446..e31266ebc93 100644
--- a/pkg/yurttunnel/server/serveraddr/addr_test.go
+++ b/pkg/yurttunnel/server/serveraddr/addr_test.go
@@ -28,7 +28,7 @@ import (
 )
 func TestGetDefaultDomainsForSvcInputParamEmptyChar(t *testing.T) {
- domains := getDefaultDomainsForSvc("", "")
+ domains := GetDefaultDomainsForSvc("", "")
 if len(domains) != 0 {
 t.Error("domains len is not equal zero")
 }
@@ -37,7 +37,7 @@ func TestGetDefaultDomainsForSvcInputParamEmptyChar(t *testing.T) {
 func TestGetDefaultDomainsForSvc(t *testing.T) {
 ns := "hello"
 name := "world"
- domains := getDefaultDomainsForSvc(ns, name)
+ domains := GetDefaultDomainsForSvc(ns, name)
 if len(domains) == 0 {
 t.Log("domains len is zero")
 } else {
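Review bot: The doc comment on the context line above the renamed function in addr.go still reads `// getDefaultDomainsForSvc get default domains for specified service`; now that the function is exported, the comment should start with the new name, e.g. `// GetDefaultDomainsForSvc returns the default DNS names for service name in namespace ns; it returns an empty slice when either argument is empty.` The empty-input clause is taken from the visible `if len(ns) == 0 || len(name) == 0` guard; the rest of the body, and the exact names it builds, are outside the hunk.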