Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yurthub verify bootstrap ca on start #631

Merged
merged 1 commit into from
Dec 29, 2021
Merged

yurthub verify bootstrap ca on start #631

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 62 additions & 2 deletions pkg/yurthub/certificate/hubself/cert_mgr.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,15 @@ limitations under the License.
package hubself

import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"io/ioutil"
"net/url"
"os"
"path/filepath"
"strings"
"time"
Expand Down Expand Up @@ -118,8 +120,46 @@ func NewYurtHubCertManager(cfg *config.YurtHubConfiguration) (interfaces.YurtCer
return ycm, nil
}

func removeDirContents(dir string) error {
files, err := ioutil.ReadDir(dir)
if err != nil {
return err
}
for _, d := range files {
err = os.RemoveAll(filepath.Join(dir, d.Name()))
if err != nil {
return err
}
}
return nil
}

func (ycm *yurtHubCertManager) verifyServerAddrOrCleanup() {
nServer := ycm.remoteServers[0].String()

bcf := ycm.getBootstrapConfFile()
if existed, _ := util.FileExists(bcf); existed {
curKubeConfig, err := util.LoadKubeConfig(bcf)
if err == nil && curKubeConfig != nil {
oServer := curKubeConfig.Clusters[defaultClusterName].Server
if nServer == oServer {
klog.Infof("apiServer name %s not changed", oServer)
return
} else {
klog.Infof("config for apiServer %s found, need to recycle for new server %s", oServer, nServer)
}
}
}

klog.Infof("clean up any stale files")
removeDirContents(ycm.rootDir)
}

// Start init certificate manager and certs for hub agent
func (ycm *yurtHubCertManager) Start() {
// 0. verify, cleanup if needed
ycm.verifyServerAddrOrCleanup()

// 1. create ca file for hub certificate manager
err := ycm.initCaCert()
if err != nil {
Expand Down Expand Up @@ -211,10 +251,11 @@ func (ycm *yurtHubCertManager) NotExpired() bool {
func (ycm *yurtHubCertManager) initCaCert() error {
caFile := ycm.getCaFile()
ycm.caFile = caFile
caExisted := false

if exists, err := util.FileExists(caFile); exists {
klog.Infof("%s file already exists, so skip to create ca file", caFile)
return nil
caExisted = true
klog.Infof("%s file already exists, check with server", caFile)
} else if err != nil {
klog.Errorf("could not stat ca file %s, %v", caFile, err)
return err
Expand All @@ -237,6 +278,10 @@ func (ycm *yurtHubCertManager) initCaCert() error {
// make sure configMap kube-public/cluster-info in k8s cluster beforehand
insecureClusterInfo, err := insecureClient.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(context.Background(), clusterInfoName, metav1.GetOptions{})
if err != nil {
if caExisted {
klog.Errorf("couldn't reach server, use existed %s file", caFile)
return nil
}
klog.Errorf("failed to get cluster-info configmap, %v", err)
return err
}
Expand All @@ -260,6 +305,21 @@ func (ycm *yurtHubCertManager) initCaCert() error {
clusterCABytes = cluster.CertificateAuthorityData
}

if caExisted {
var curCABytes []byte
if curCABytes, err = ioutil.ReadFile(caFile); err != nil {
klog.Infof("could not read existed %s file, %v, ", caFile, err)
}

if bytes.Equal(clusterCABytes, curCABytes) {
klog.Infof("%s file matched with server's, reuse it", caFile)
return nil
} else {
klog.Infof("%s file is outdated, need to create a new one", caFile)
removeDirContents(ycm.rootDir)
}
}

if err := certutil.WriteCert(caFile, clusterCABytes); err != nil {
klog.Errorf("could not write %s ca cert, %v", ycm.hubName, err)
return err
Expand Down