-
Notifications
You must be signed in to change notification settings - Fork 407
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change yurthub's protocol from http to https #386
Conversation
@luckymrwang: GitHub didn't allow me to assign the following users: your_reviewer. Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
|
||
func startYurtHubCSRApproverController(ctx ControllerContext) (http.Handler, bool, error) { | ||
clientSet := ctx.ClientBuilder.ClientOrDie("node-controller") | ||
sharedInformerFactory := informers.NewSharedInformerFactory(clientSet, 10*time.Second) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not need to new sharedInformerFactory
, we can use InformerFactory
in ctx parameter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The latest code has been commited.Using InformerFactory in ctx parameter.
pkg/yurthub/server/server.go
Outdated
} | ||
|
||
// NewYurtHubServer creates a Server object | ||
func NewYurtHubServer(cfg *config.YurtHubConfiguration, | ||
certificateMgr interfaces.YurtCertificateManager, | ||
proxyHandler http.Handler) (Server, error) { | ||
proxyHandler http.Handler, stopCh <-chan struct{}) (Server, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stopCh is not used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The latest code has been commited. stopCh parameter has been removed.
limitations under the License. | ||
*/ | ||
|
||
package yurthub |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
package name yurthub
is component name and maybe makes user confused, so use the function of this package
will be more understandable. so how about rename the package name to certificates
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and file name has a typo error. crsapprover.go
--> csrapprover.go
"k8s.io/client-go/kubernetes" | ||
clicert "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" | ||
"k8s.io/client-go/util/certificate" | ||
"k8s.io/klog/v2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yurthub uses k8s.io/klog
instead of k8s.io/klog/v2
typev1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" | ||
"k8s.io/client-go/tools/cache" | ||
"k8s.io/client-go/util/workqueue" | ||
"k8s.io/klog/v2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yurt-controller-manager uses k8s.io/klog instead of k8s.io/klog/v2
certificates.CertificateSigningRequestCondition{ | ||
Type: certificates.CertificateApproved, | ||
Reason: "AutoApproved", | ||
Message: fmt.Sprintf("self-approving %s csr", projectinfo.GetTunnelName()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
projectinfo.GetTunnelName() --> projectinfo.GetHubName()
} | ||
|
||
if !isYurtHubCSR(csr) { | ||
klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetTunnelName()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
projectinfo.GetTunnelName() --> projectinfo.GetHubName()
klog.Errorf("failed to approve %s csr(%s), %v", projectinfo.GetTunnelName(), csr.GetName(), err) | ||
return err | ||
} | ||
klog.Infof("successfully approve %s csr(%s)", projectinfo.GetTunnelName(), result.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
projectinfo.GetTunnelName() --> projectinfo.GetHubName()
|
||
result, err := csrClient.UpdateApproval(context.Background(), csr, metav1.UpdateOptions{}) | ||
if err != nil { | ||
klog.Errorf("failed to approve %s csr(%s), %v", projectinfo.GetTunnelName(), csr.GetName(), err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
projectinfo.GetTunnelName() --> projectinfo.GetHubName()
runtime.HandleError(err) | ||
return | ||
} | ||
wq.AddRateLimited(key) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to reduce the overhead of csr controller, before add into worker queue, we need to verify the object, like the object is csr, or csr object is yurthub csr, or csr is approved or denied.
you can reference the following link: https://github.com/openyurtio/openyurt/blob/master/pkg/yurttunnel/pki/certmanager/csrapprover.go#L105
@@ -53,3 +54,11 @@ func startNodeLifecycleController(ctx ControllerContext) (http.Handler, bool, er | |||
go lifecycleController.Run(ctx.Stop) | |||
return nil, true, nil | |||
} | |||
|
|||
func startYurtHubCSRApproverController(ctx ControllerContext) (http.Handler, bool, error) { | |||
clientSet := ctx.ClientBuilder.ClientOrDie("node-controller") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
node-controller --> csr-controller?
klog.Infof("subject of yurthub server certificate") | ||
return newCertManager( | ||
clientset, | ||
projectinfo.GetHubName(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make sure the name of yurthub server certificate is different from yurthub client certificate, so componentName should not use projectinfo.GetHubName()
. maybe ``projectinfo.GetHubName()-server` is more reasonable.
pkg/yurthub/pki/pki.go
Outdated
// Can't use TLSv1.1 because of RC4 cipher usage | ||
MinVersion: tls.VersionTLS12, | ||
RootCAs: root, | ||
ClientAuth: tls.RequireAnyClientCert, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that it's not need to verify the client certificate by yurthub server because pods with InClusterConfig
will not send certificate to server, so ClientAuth
can be setup with tls. NoClientCert
. meanwhile, tlsConfig.RootCAs
setting is not needed.
/assign @kadisi |
|
/lgtm |
@@ -164,7 +173,7 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error { | |||
} | |||
networkMgr.Run(stopCh) | |||
trace++ | |||
klog.Infof("%d. new %s server and begin to serve, dummy proxy server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerDummyAddr) | |||
klog.Infof("%d. new %s server and begin to serve, dummy proxy server: %s, secure dummy proxy server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerDummyAddr, cfg.YurtHubProxyServerSecureDummyAddr) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add log info for YurtHubProxyServerSecureAddr
field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's just dummy proxy log info here. The log info of YurtHubProxyServerSecureAddr is on line 185.
@luckymrwang please merge two commits into one commit. |
I have merged two commits into one commit. |
@luckymrwang Would you be able be upload the detail logs of yurthub that pod uses |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luckymrwang, rambohe-ch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #361
Special notes for your reviewer:
Does this PR introduce a user-facing change?
other Note