change yurthub's protocol from http to https #368
Conversation
|
@wangchenglong01: GitHub didn't allow me to assign the following users: your_reviewer. Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wangchenglong01 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @wangchenglong01! It looks like this is your first PR to openyurtio/openyurt 🎉 |
|
If use https, the kubelet and other components config should be changed. We can point out how to change config of these components. |
| @@ -94,6 +97,9 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) { | |||
| HubAgentDummyIfName: options.HubAgentDummyIfName, | |||
| StorageWrapper: storageWrapper, | |||
| SerializerManager: serializerManager, | |||
| CAFile: options.CAFile, | |||
| CertFile: options.CertFile, | |||
| KeyFile: options.KeyFile, | |||
| } | |||
There was a problem hiding this comment.
I think the establishment and configuration of TLS may be better done by yurthub, users do not need to pay attention to the underlying certificate configuration by default.
There was a problem hiding this comment.
It's a good idea. I will improve it later.
Yes, I'm collecting the changed config. |
|
@wangchenglong01 we need to keep |
…enyurt into yurthub-https # Conflicts: # cmd/yurthub/app/config/config.go # pkg/yurthub/server/server.go
The background of support https for yurthub is here: #372 |
cmd/yurthub/app/options/options.go
Outdated
| } | ||
|
|
||
| // NewYurtHubOptions creates a new YurtHubOptions with a default config. | ||
| func NewYurtHubOptions() *YurtHubOptions { | ||
| o := &YurtHubOptions{ | ||
| YurtHubHost: "127.0.0.1", | ||
| YurtHubProxySecurePort: "10260", |
There was a problem hiding this comment.
maybe 10260 is used by k8s, how about 10268?
| @@ -72,28 +76,33 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) { | |||
|
|
|||
| hubServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubPort) | |||
| proxyServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubProxyPort) | |||
| proxySecureServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubProxySecurePort) | |||
There was a problem hiding this comment.
yurthub's https also need to listen on HubAgentDummyIfIP address
There was a problem hiding this comment.
The latest code has been commited. Yurthub's https also listens on HubAgentDummyIfIP address
cmd/yurthub/app/options/options.go
Outdated
| @@ -130,6 +148,9 @@ func (o *YurtHubOptions) AddFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&o.HubAgentDummyIfIP, "dummy-if-ip", o.HubAgentDummyIfIP, "the ip address of dummy interface that used for container connect hub agent(exclusive ips: 169.254.31.0/24, 169.254.1.1/32)") | |||
| fs.StringVar(&o.HubAgentDummyIfName, "dummy-if-name", o.HubAgentDummyIfName, "the name of dummy interface that is used for hub agent") | |||
| fs.StringVar(&o.DiskCachePath, "disk-cache-path", o.DiskCachePath, "the path for kubernetes to storage metadata") | |||
| fs.StringVar(&o.CAFile, "ca-file", "", "the CA for yurthub to verify client") | |||
| fs.StringVar(&o.CertFile, "tls-cert-file", "", "the tls cert of yurthub") | |||
| fs.StringVar(&o.KeyFile, "tls-private-key-file", "", "the tls key of yurthub") | |||
There was a problem hiding this comment.
It's not convenient for user to setup server certifcates. I think Yurthub shoud generate server certificates by itself.
There was a problem hiding this comment.
The latest code has been commited. Yurthub generated server certificates by itself.
pkg/yurthub/server/server.go
Outdated
|
|
||
| // create a certificate manager for the yurthub server and run the csr approver for both yurthub | ||
| // and generate a TLS configuration | ||
| func genUseCertMgrAndTLSConfig(certificateMgr interfaces.YurtCertificateManager, certDir string, stopCh <-chan struct{}) (*tls.Config, error) { |
There was a problem hiding this comment.
It's more readable to prepare tls.config after client certificate ready instead of preparing when start server.
and the client certificate preparation ready is here: https://github.com/openyurtio/openyurt/blob/master/cmd/yurthub/app/start.go#L95
cmd/yurthub/app/start.go
Outdated
| @@ -147,8 +147,8 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error { | |||
| klog.Infof("%d. new %s server and begin to serve, dummy proxy server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerDummyAddr) | |||
There was a problem hiding this comment.
please add YurtHubProxyServerSecureDummyAddr here
cmd/yurthub/app/config/config.go
Outdated
| Client *kubernetes.Clientset | ||
| CertDNSNames []string | ||
| CertIPs []net.IP | ||
| SharedInformerFactory informers.SharedInformerFactory |
There was a problem hiding this comment.
The following fields should be deleted?
CertFile string
KeyFile string
KubeConfig string
RootCert *x509.CertPool
Client *kubernetes.Clientset
CertDNSNames []string
CertIPs []net.IP
SharedInformerFactory informers.SharedInformerFactory
|
@luckymrwang Would you be able to upload the detail logs of creating yurthub server certificates successfully when yurthub startup? |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #361
Special notes for your reviewer:
Does this PR introduce a user-facing change?
other Note