From a5999e68c826079b54f9e0ab61780b05f7cf065a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8F=A9=E8=BD=A9?= Date: Mon, 13 Nov 2023 14:16:39 +0800 Subject: [PATCH 1/2] Remove the dependency on the openyurt project and rely on the openyurt api, and optimize raven agent --- charts/raven-agent/Chart.yaml | 4 +- charts/raven-agent/templates/config.yaml | 4 +- charts/raven-agent/templates/daemonset.yaml | 11 +- charts/raven-agent/templates/rbac.yaml | 1 + charts/raven-agent/values.yaml | 45 +-- cmd/agent/app/options/options.go | 32 +- go.mod | 2 +- go.sum | 4 +- pkg/engine/engine.go | 4 +- pkg/engine/proxy.go | 298 +++++++++------ pkg/engine/tunnel.go | 52 ++- pkg/engine/utils.go | 21 +- pkg/metrics/metrics.go | 6 +- pkg/networkengine/routedriver/driver.go | 16 + pkg/networkengine/routedriver/vxlan/vxlan.go | 2 +- .../routedriver/vxlan/vxlan_test.go | 2 +- pkg/networkengine/vpndriver/driver.go | 16 + pkg/networkengine/vpndriver/driver_test.go | 2 +- .../vpndriver/libreswan/libreswan.go | 2 +- .../vpndriver/wireguard/wireguard.go | 2 +- pkg/proxyengine/proxyclient/proxyclient.go | 4 +- pkg/proxyengine/proxyserver/interceptor.go | 2 +- pkg/proxyengine/proxyserver/manageheader.go | 16 +- pkg/proxyengine/proxyserver/proxyserver.go | 105 +++--- pkg/proxyengine/proxyserver/servers.go | 6 +- pkg/tunnelengine/tunnelagent.go | 11 +- pkg/types/network.go | 2 +- pkg/types/network_test.go | 2 +- pkg/utils/certmanager/factory/factory.go | 175 +++++++++ pkg/utils/certmanager/pki.go | 187 ++++++++++ pkg/utils/certmanager/pki_test.go | 347 ++++++++++++++++++ .../certmanager/store/filestore_wrapper.go | 54 +++ .../store/filestore_wrapper_test.go | 105 ++++++ pkg/utils/constants.go | 10 +- pkg/utils/metaserver.go | 22 +- pkg/utils/utils.go | 2 +- 36 files changed, 1268 insertions(+), 308 deletions(-) create mode 100644 pkg/utils/certmanager/factory/factory.go create mode 100644 pkg/utils/certmanager/pki.go create mode 100644 pkg/utils/certmanager/pki_test.go create mode 100644 pkg/utils/certmanager/store/filestore_wrapper.go create mode 100644 pkg/utils/certmanager/store/filestore_wrapper_test.go diff --git a/charts/raven-agent/Chart.yaml b/charts/raven-agent/Chart.yaml index 24574f6..8963737 100644 --- a/charts/raven-agent/Chart.yaml +++ b/charts/raven-agent/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.2.0" +appVersion: "0.4.0" diff --git a/charts/raven-agent/templates/config.yaml b/charts/raven-agent/templates/config.yaml index 3b1c536..6108bdc 100644 --- a/charts/raven-agent/templates/config.yaml +++ b/charts/raven-agent/templates/config.yaml @@ -1,7 +1,7 @@ apiVersion: v1 data: - enable-l3-tunnel: "true" - enable-l7-proxy: "false" + enable-l3-tunnel: {{.Values.controller.enableTunnel | quote}} + enable-l7-proxy: {{.Values.controller.enableProxy | quote}} kind: ConfigMap metadata: name: raven-cfg diff --git a/charts/raven-agent/templates/daemonset.yaml b/charts/raven-agent/templates/daemonset.yaml index a0d05a5..d12b966 100644 --- a/charts/raven-agent/templates/daemonset.yaml +++ b/charts/raven-agent/templates/daemonset.yaml @@ -27,7 +27,16 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} args: - - --v=4 + - --v=2 + - --vpn-driver={{.Values.vpn.driver}} + - --forward-node-ip={{.Values.vpn.forwardNodeIP}} + - --metric-bind-addr={{.Values.vpn.metricBindAddr}} + - --vpn-bind-port={{.Values.vpn.tunnelAddr}} + - --proxy-metric-bind-addr={{.Values.proxy.metricsBindAddr}} + - --proxy-internal-secure-addr={{.Values.proxy.internalSecureAddr}} + - --proxy-internal-insecure-addr={{.Values.proxy.internalInsecureAddr}} + - --proxy-external-addr={{.Values.proxy.externalAddr}} + hostNetwork: true {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/raven-agent/templates/rbac.yaml b/charts/raven-agent/templates/rbac.yaml index 7d5ce61..4430c7e 100644 --- a/charts/raven-agent/templates/rbac.yaml +++ b/charts/raven-agent/templates/rbac.yaml @@ -25,6 +25,7 @@ rules: - configmaps - services - nodes + - pods verbs: - get - list diff --git a/charts/raven-agent/values.yaml b/charts/raven-agent/values.yaml index 92a7a27..fef15f4 100644 --- a/charts/raven-agent/values.yaml +++ b/charts/raven-agent/values.yaml @@ -6,7 +6,7 @@ image: repository: openyurt/raven-agent pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: latest + tag: v0.4.0 imagePullSecrets: [] nameOverride: "" @@ -58,41 +58,7 @@ containerEnv: secretKeyRef: key: vpn-connection-psk name: raven-agent-secret - - name: VPN_DRIVER - valueFrom: - configMapKeyRef: - key: vpn-driver - name: raven-agent-config - - name: FORWARD_NODE_IP - valueFrom: - configMapKeyRef: - key: forward-node-ip - name: raven-agent-config - - name: METRIC_BIND_ADDR - valueFrom: - configMapKeyRef: - key: metric-bind-addr - name: raven-agent-config - - name: VPN_BIND_ADDRESS - valueFrom: - configMapKeyRef: - key: tunnel-bind-addr - name: raven-agent-config - - name: PROXY_SERVER_INTERNAL_SECURE_ADDRESS - valueFrom: - configMapKeyRef: - key: proxy-internal-secure-addr - name: raven-agent-config - - name: PROXY_SERVER_INTERNAL_INSECURE_ADDRESS - valueFrom: - configMapKeyRef: - key: proxy-internal-insecure-addr - name: raven-agent-config - - name: PROXY_SERVER_EXTERNAL_ADDRESS - valueFrom: - configMapKeyRef: - key: proxy-external-addr - name: raven-agent-config + vpn: driver: libreswan forwardNodeIP: true @@ -104,11 +70,16 @@ vpn: psk: OPENYURT-RAVEN-AGENT-VPN-PSK metricBindAddr: ":10265" tunnelAddr: ":4500" + +controller: + enableProxy: true + enableTunnel: true + proxy: externalAddr: ":10262" internalInsecureAddr: ":10264" internalSecureAddr: ":10263" - + metricsBindAddr: ":10266" rollingUpdate: maxUnavailable: 5% \ No newline at end of file diff --git a/cmd/agent/app/options/options.go b/cmd/agent/app/options/options.go index 05aa1f9..bfe0e64 100644 --- a/cmd/agent/app/options/options.go +++ b/cmd/agent/app/options/options.go @@ -18,7 +18,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/manager" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/networkengine/routedriver/vxlan" "github.com/openyurtio/raven/pkg/networkengine/vpndriver" @@ -73,30 +73,6 @@ func (o *AgentOptions) Validate() error { return errors.New("either --node-name or $NODE_NAME has to be set") } } - if o.VPNPort == "" { - o.VPNPort = os.Getenv("VPN_BIND_ADDRESS") - if o.VPNPort == "" { - return errors.New("either --vpn-bind-address or $VPN_BIND_PORT has to be set") - } - } - if o.InternalSecureAddress == "" { - o.InternalSecureAddress = os.Getenv("PROXY_SERVER_INTERNAL_SECURE_ADDRESS") - if o.InternalSecureAddress == "" { - return errors.New("either --proxy-internal-secure-address or PROXY_SERVER_INTERNAL_SECURE_ADDRESS has to be set") - } - } - if o.InternalInsecureAddress == "" { - o.InternalInsecureAddress = os.Getenv("PROXY_SERVER_INTERNAL_INSECURE_ADDRESS") - if o.InternalInsecureAddress == "" { - return errors.New("either --proxy-internal-insecure-address or PROXY_SERVER_INTERNAL_INSECURE_ADDRESS has to be set") - } - } - if o.ExternalAddress == "" { - o.ExternalAddress = os.Getenv("PROXY_SERVER_EXTERNAL_ADDRESS") - if o.ExternalAddress == "" { - return errors.New("either --proxy-external-address or $PROXY_SERVER_EXTERNAL_ADDRESS has to be set") - } - } return nil } @@ -154,6 +130,12 @@ func (o *AgentOptions) Config() (*config.Config, error) { InternalInsecureAddress: o.InternalInsecureAddress, InternalSecureAddress: o.InternalSecureAddress, ExternalAddress: o.ExternalAddress, + + ProxyServerCertDNSNames: o.ProxyServerCertDNSNames, + ProxyServerCertIPs: o.ProxyServerCertIPs, + ProxyClientCertDir: o.ProxyClientCertDir, + ProxyServerCertDir: o.ProxyServerCertDir, + InterceptorServerUDSFile: o.InterceptorServerUDSFile, } if err != nil { return nil, fmt.Errorf("failed to create manager: %s", err) diff --git a/go.mod b/go.mod index dacc6f5..33ed13c 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/coreos/go-iptables v0.6.0 github.com/gorilla/mux v1.8.0 github.com/lorenzosaino/go-sysctl v0.3.1 - github.com/openyurtio/openyurt v1.3.1-0.20230920090905-424dcc283167 + github.com/openyurtio/api v0.0.0-20231116122426-dfc46506cdb0 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.15.1 github.com/spf13/cobra v1.7.0 diff --git a/go.sum b/go.sum index 7171522..1e47f96 100644 --- a/go.sum +++ b/go.sum @@ -439,10 +439,10 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/openyurtio/api v0.0.0-20231116122426-dfc46506cdb0 h1:zH7jnLVvAKVPr8WleYOhGG5yAiXoUYu2M2nqqk10/yM= +github.com/openyurtio/api v0.0.0-20231116122426-dfc46506cdb0/go.mod h1:IIVOJ8bnLSzqPB3VHBuQ3wELW4gjRKJ2aSyLhaLxdOA= github.com/openyurtio/apiserver-network-proxy v0.1.1-0.20231007082056-cecf4c454651 h1:pBjrj95WZ7NkaIQvvb7hveI5fd8fXxlX7OtKRcciamY= github.com/openyurtio/apiserver-network-proxy v0.1.1-0.20231007082056-cecf4c454651/go.mod h1:yPrw5zKs7BVVCuQUaY4MzSmsYPKXWnZsrjKUWQrZX3w= -github.com/openyurtio/openyurt v1.3.1-0.20230920090905-424dcc283167 h1:gbjh0njlthM0mM9Z6LHURdKpovLXReleT5GUwaksyFE= -github.com/openyurtio/openyurt v1.3.1-0.20230920090905-424dcc283167/go.mod h1:c77rs9s+ztXyyHNf2EB+lMHuDfSWwel6dhP2ZVi5cvM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index 34208e5..4e7bd07 100644 --- a/pkg/engine/engine.go +++ b/pkg/engine/engine.go @@ -16,7 +16,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/predicate" "sigs.k8s.io/controller-runtime/pkg/reconcile" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/utils" ) @@ -27,7 +27,7 @@ type Engine struct { context context.Context manager manager.Manager client client.Client - option StatusOption + option *Option tunnelQueue workqueue.RateLimitingInterface tunnelEngine *TunnelEngine diff --git a/pkg/engine/proxy.go b/pkg/engine/proxy.go index 12d5170..c7ca132 100644 --- a/pkg/engine/proxy.go +++ b/pkg/engine/proxy.go @@ -15,8 +15,7 @@ import ( "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" - ravenutil "github.com/openyurtio/openyurt/pkg/yurtmanager/controller/raven/utils" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/proxyengine" "github.com/openyurtio/raven/pkg/proxyengine/proxyclient" @@ -24,31 +23,55 @@ import ( "github.com/openyurtio/raven/pkg/utils" ) +type ActionType string + +const ( + StartType ActionType = "Start" + StopType ActionType = "Stop" + RestartType ActionType = "Restart" + SkipType ActionType = "Skip" +) + +func JudgeType(curr, spec bool) ActionType { + if curr && spec { + return RestartType + } + if curr && !spec { + return StopType + } + if !curr && spec { + return StartType + } + return SkipType +} + type ProxyEngine struct { - nodeName string - nodeIP string - proxyServerAddresses []string - gateway *v1beta1.Gateway - config *config.Config - client client.Client - engineOption StatusOption - proxyOption *proxyOption - ravenContext context.Context - proxyContext ProxyContext - queue workqueue.RateLimitingInterface + nodeName string + nodeIP string + serverLocalEndpoints []string + clientRemoteEndpoints []string + gateway *v1beta1.Gateway + config *config.Config + client client.Client + + ctx context.Context + option *Option + proxyCtx ProxyContext + proxyOption *proxyOption + queue workqueue.RateLimitingInterface } -func newProxyEngine(ctx context.Context, cfg *config.Config, client client.Client, opt StatusOption, queue workqueue.RateLimitingInterface) *ProxyEngine { +func newProxyEngine(ctx context.Context, cfg *config.Config, client client.Client, opt *Option, queue workqueue.RateLimitingInterface) *ProxyEngine { return &ProxyEngine{ - nodeName: cfg.NodeName, - nodeIP: cfg.NodeIP, - config: cfg, - client: client, - engineOption: opt, - ravenContext: ctx, - proxyOption: newProxyOption(), - proxyContext: newProxyContext(ctx), - queue: queue, + nodeName: cfg.NodeName, + nodeIP: cfg.NodeIP, + config: cfg, + client: client, + option: opt, + ctx: ctx, + proxyCtx: newProxyContext(ctx), + proxyOption: newProxyOption(), + queue: queue, } } @@ -74,119 +97,166 @@ func (p *ProxyEngine) processNextWorkItem() bool { } func (p *ProxyEngine) handler(gw *v1beta1.Gateway) error { - curServer := p.proxyOption.GetServerStatus() - curClient := p.proxyOption.GetClientStatus() - specServer, specClient := p.getRole(enableProxy(gw)) + proxyStatus := enableProxy(gw) + p.option.SetProxyStatus(proxyStatus) + specServer, specClient := p.getRole(proxyStatus) var err error p.gateway, err = utils.GetOwnGateway(p.client, p.nodeName) if err != nil { - klog.Errorf("failed get gateway for %s, can not start proxy server", p.nodeName) - return fmt.Errorf("failed get gateway name for %s, can not start proxy server", p.nodeName) + klog.Errorf(utils.FormatProxyServer("failed get gateway for %s, can not start proxy server", p.nodeName)) + return err } - if !curServer && specServer { - klog.Infoln(utils.FormatProxyServer("start raven l7 proxy server")) - if p.gateway == nil { - klog.Errorf("unknown gateway for node %s, can not start proxy server", p.nodeName) - } - pe := &proxyengine.EnginConfig{ - Name: p.nodeName, - IP: p.nodeIP, - GatewayName: p.gateway.Name, - CertDir: p.config.Proxy.ProxyServerCertDir, - MetaAddress: p.config.Proxy.ProxyMetricsAddress, - CertIPs: p.config.Proxy.ProxyServerCertIPs, - CertDNSNames: p.config.Proxy.ProxyServerCertDNSNames, - InterceptorUDSFile: p.config.Proxy.InterceptorServerUDSFile, - InternalSecureAddress: p.config.Proxy.InternalSecureAddress, - InternalInsecureAddress: p.config.Proxy.InternalInsecureAddress, - ExposedAddress: p.config.Proxy.ExternalAddress, - } - ctx := p.proxyContext.GetServerContext() - ps, err := proxyserver.NewProxyServer(pe, p.client, p.config.Manager.GetConfig(), p.gateway.DeepCopy()) + + switch JudgeType(p.proxyOption.GetServerStatus(), specServer) { + case StartType: + err = p.startProxyServer() if err != nil { - klog.Errorf("failed to new proxy server, error %s", err.Error()) + klog.Errorf(utils.FormatProxyServer("failed to start proxy server, error %s", err.Error())) return err } - err = ps.Start(ctx) - if err != nil { - klog.Errorf("failed to start proxy server, error %s", err.Error()) + case StopType: + p.stopProxyServer() + case RestartType: + srcAddr := getSrcAddressForProxyServer(p.client, p.nodeName) + if computeHash(strings.Join(p.serverLocalEndpoints, ",")) != computeHash(strings.Join(srcAddr, ",")) { + p.stopProxyServer() + time.Sleep(time.Second) + err = p.startProxyServer() + if err != nil { + klog.Errorf(utils.FormatProxyServer("failed to start proxy server, error %s", err.Error())) + return err + } + p.serverLocalEndpoints = srcAddr } - p.proxyOption.SetServerStatus(specServer) - } else if curServer && !specServer { - klog.Infoln(utils.FormatProxyServer("Stop raven l7 proxy server")) - cancel := p.proxyContext.GetServerCancelFunc() - cancel() - p.proxyOption.SetServerStatus(specServer) - p.proxyContext.ReloadServerContext(p.ravenContext) + default: + } - if !curClient && specClient { - klog.Infoln(utils.FormatProxyClient("start raven l7 proxy client")) - var err error - dstAddr := getDestAddressForProxyClient(p.client, p.gateway) - if len(dstAddr) < 1 { - klog.Infoln(utils.FormatProxyClient("dest address is empty, will not connected it")) - return nil - } - p.proxyServerAddresses = dstAddr - pe := &proxyengine.EnginConfig{ - Name: p.nodeName, - IP: p.nodeIP, - CertDir: p.config.Proxy.ProxyClientCertDir, - MetaAddress: p.config.Proxy.ProxyMetricsAddress, - } - pc, err := proxyclient.NewProxyClient(pe, p.proxyServerAddresses, p.config.KubeConfig) + switch JudgeType(p.proxyOption.GetClientStatus(), specClient) { + case StartType: + err = p.startProxyClient() if err != nil { - klog.Errorf("failed to new proxy client, error %s", err.Error()) + klog.Errorf(utils.FormatProxyServer("failed to start proxy client, error %s", err.Error())) return err } - ctx := p.proxyContext.GetClientContext() - err = pc.Start(ctx) - if err != nil { - klog.Errorf("failed to start proxy client, error %s", err.Error()) - } - p.proxyOption.SetClientStatus(specClient) - return nil - } else if curClient && !specClient { - klog.Infoln(utils.FormatProxyClient("stop raven l7 proxy client")) - cancel := p.proxyContext.GetClientCancelFunc() - cancel() - p.proxyOption.SetClientStatus(specClient) - p.proxyContext.ReloadClientContext(p.ravenContext) - } else if curClient && specClient { + case StopType: + p.stopProxyClient() + case RestartType: dstAddr := getDestAddressForProxyClient(p.client, p.gateway) if len(dstAddr) < 1 { klog.Infoln(utils.FormatProxyClient("dest address is empty, will not connected it")) return nil } - if computeHash(strings.Join(p.proxyServerAddresses, ",")) != computeHash(strings.Join(dstAddr, ",")) { - klog.Infoln(utils.FormatProxyClient("Update raven l7 proxy client")) - cancel := p.proxyContext.GetClientCancelFunc() - cancel() - time.Sleep(2 * time.Second) - p.proxyContext.ReloadClientContext(p.ravenContext) - p.proxyServerAddresses = dstAddr - pe := &proxyengine.EnginConfig{ - Name: p.nodeName, - IP: p.nodeIP, - CertDir: p.config.Proxy.ProxyClientCertDir, - MetaAddress: p.config.Proxy.ProxyMetricsAddress, - } - pc, err := proxyclient.NewProxyClient(pe, p.proxyServerAddresses, p.config.KubeConfig) + if computeHash(strings.Join(p.clientRemoteEndpoints, ",")) != computeHash(strings.Join(dstAddr, ",")) { + p.stopProxyClient() + time.Sleep(time.Second) + err = p.startProxyClient() if err != nil { - klog.Errorf("failed to new proxy server, error %s", err.Error()) + klog.Errorf(utils.FormatProxyServer("failed to start proxy client, error %s", err.Error())) return err } - ctx := p.proxyContext.GetClientContext() - err = pc.Start(ctx) - if err != nil { - klog.Errorf("failed to start proxy client, error %s", err.Error()) - } } + default: + } return nil } +func (p *ProxyEngine) startProxyServer() error { + klog.Infoln(utils.FormatProxyServer("start raven l7 proxy server")) + if p.gateway == nil { + return fmt.Errorf("unknown gateway for node %s, can not start proxy server", p.nodeName) + } + pe := &proxyengine.EnginConfig{ + Name: p.nodeName, + IP: p.nodeIP, + GatewayName: p.gateway.Name, + CertDir: p.config.Proxy.ProxyServerCertDir, + MetaAddress: p.config.Proxy.ProxyMetricsAddress, + CertIPs: p.config.Proxy.ProxyServerCertIPs, + CertDNSNames: p.config.Proxy.ProxyServerCertDNSNames, + InterceptorUDSFile: p.config.Proxy.InterceptorServerUDSFile, + InternalSecureAddress: p.config.Proxy.InternalSecureAddress, + InternalInsecureAddress: p.config.Proxy.InternalInsecureAddress, + ExposedAddress: p.config.Proxy.ExternalAddress, + } + ctx := p.proxyCtx.GetServerContext() + ps, err := proxyserver.NewProxyServer(pe, p.client, p.config.Manager.GetConfig(), p.gateway.DeepCopy()) + if err != nil { + return fmt.Errorf("failed to new proxy server, error %s", err.Error()) + } + err = ps.Start(ctx) + if err != nil { + return fmt.Errorf("failed to start proxy server, error %s", err.Error()) + } + p.proxyOption.SetServerStatus(true) + return nil +} + +func (p *ProxyEngine) stopProxyServer() { + klog.Infoln(utils.FormatProxyServer("Stop raven l7 proxy server")) + cancel := p.proxyCtx.GetServerCancelFunc() + cancel() + p.proxyOption.SetServerStatus(false) + p.proxyCtx.ReloadServerContext(p.ctx) +} + +func (p *ProxyEngine) startProxyClient() error { + klog.Infoln(utils.FormatProxyClient("start raven l7 proxy client")) + var err error + dstAddr := getDestAddressForProxyClient(p.client, p.gateway) + if len(dstAddr) < 1 { + klog.Infoln(utils.FormatProxyClient("dest address is empty, will not connected it")) + return nil + } + p.clientRemoteEndpoints = dstAddr + pe := &proxyengine.EnginConfig{ + Name: p.nodeName, + IP: p.nodeIP, + CertDir: p.config.Proxy.ProxyClientCertDir, + MetaAddress: p.config.Proxy.ProxyMetricsAddress, + } + pc, err := proxyclient.NewProxyClient(pe, p.clientRemoteEndpoints, p.config.KubeConfig) + if err != nil { + klog.Errorf("failed to new proxy client, error %s", err.Error()) + return err + } + ctx := p.proxyCtx.GetClientContext() + err = pc.Start(ctx) + if err != nil { + klog.Errorf("failed to start proxy client, error %s", err.Error()) + } + p.proxyOption.SetClientStatus(true) + return nil +} + +func (p *ProxyEngine) stopProxyClient() { + klog.Infoln(utils.FormatProxyClient("stop raven l7 proxy client")) + cancel := p.proxyCtx.GetClientCancelFunc() + cancel() + p.proxyOption.SetClientStatus(false) + p.proxyCtx.ReloadClientContext(p.ctx) +} +func getSrcAddressForProxyServer(client client.Client, nodeName string) []string { + srcAddr := make([]string, 0) + var gwList v1beta1.GatewayList + err := client.List(context.TODO(), &gwList) + if err != nil { + return srcAddr + } + for _, gw := range gwList.Items { + if gw.Spec.ExposeType == "" { + continue + } + for _, aep := range gw.Status.ActiveEndpoints { + if aep.NodeName == nodeName && aep.Type == v1beta1.Proxy { + srcAddr = append(srcAddr, aep.PublicIP) + } + } + } + return srcAddr +} + func getDestAddressForProxyClient(client client.Client, ownGateway *v1beta1.Gateway) []string { destAddr := make([]string, 0) var gwList v1beta1.GatewayList @@ -218,7 +288,7 @@ func (p *ProxyEngine) getRole(enableProxy bool) (enableServer, enableClient bool return } var gwList v1beta1.GatewayList - err := p.client.List(p.ravenContext, &gwList) + err := p.client.List(p.ctx, &gwList) if err != nil { return } @@ -250,11 +320,11 @@ func (p *ProxyEngine) getRole(enableProxy bool) (enableServer, enableClient bool func (p *ProxyEngine) stopServers() { if p.proxyOption.GetServerStatus() { - cancelServer := p.proxyContext.GetServerCancelFunc() + cancelServer := p.proxyCtx.GetServerCancelFunc() cancelServer() } if p.proxyOption.GetClientStatus() { - cancelClient := p.proxyContext.GetClientCancelFunc() + cancelClient := p.proxyCtx.GetClientCancelFunc() cancelClient() } } @@ -267,7 +337,7 @@ func enableProxy(gw *v1beta1.Gateway) (enable bool) { enable = false return } - start, ok := aep.Config[ravenutil.RavenEnableProxy] + start, ok := aep.Config[utils.RavenEnableProxy] if !ok { enable = false return diff --git a/pkg/engine/tunnel.go b/pkg/engine/tunnel.go index 9b39558..afade72 100644 --- a/pkg/engine/tunnel.go +++ b/pkg/engine/tunnel.go @@ -2,12 +2,13 @@ package engine import ( "fmt" + "strings" "k8s.io/client-go/util/workqueue" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/networkengine/routedriver" "github.com/openyurtio/raven/pkg/networkengine/vpndriver" @@ -19,14 +20,14 @@ type TunnelEngine struct { nodeName string config *config.Config client client.Client - option StatusOption + option *Option queue workqueue.RateLimitingInterface routeDriver routedriver.Driver vpnDriver vpndriver.Driver tunnelHandler *tunnelengine.TunnelHandler } -func newTunnelEngine(cfg *config.Config, client client.Client, opt StatusOption, queue workqueue.RateLimitingInterface) *TunnelEngine { +func newTunnelEngine(cfg *config.Config, client client.Client, opt *Option, queue workqueue.RateLimitingInterface) *TunnelEngine { return &TunnelEngine{nodeName: cfg.NodeName, config: cfg, client: client, option: opt, queue: queue} } @@ -52,11 +53,17 @@ func (t *TunnelEngine) processNextWorkItem() bool { func (t *TunnelEngine) handler(gw *v1beta1.Gateway) error { klog.Info(utils.FormatRavenEngine("update raven l3 tunnel config for gateway %s", gw.GetName())) - err := t.reconcile() + if t.routeDriver == nil || t.vpnDriver == nil { + err := t.initDriver() + if err != nil { + klog.Errorf(utils.FormatRavenEngine("failed to init raven l3 tunnel engine")) + } + } + err := t.tunnelHandler.Handler() if err != nil { - klog.Errorf("failed update tunnel driver, error %s", err.Error()) return err } + t.option.SetTunnelStatus(enableTunnel(gw)) return nil } @@ -97,20 +104,6 @@ func (t *TunnelEngine) clearDriver() error { return nil } -func (t *TunnelEngine) reconcile() error { - if t.routeDriver == nil || t.vpnDriver == nil { - err := t.initDriver() - if err != nil { - klog.Errorf(utils.FormatRavenEngine("failed to init raven l3 tunnel engine")) - } - } - err := t.tunnelHandler.Handler() - if err != nil { - return err - } - return nil -} - func (t *TunnelEngine) handleEventErr(err error, event interface{}) { if err == nil { t.queue.Forget(event) @@ -124,3 +117,24 @@ func (t *TunnelEngine) handleEventErr(err error, event interface{}) { klog.Info(utils.FormatRavenEngine("dropping event %q out of the queue: %v", event, err)) t.queue.Forget(event) } + +func enableTunnel(gw *v1beta1.Gateway) (enable bool) { + enable = false + for _, aep := range gw.Status.ActiveEndpoints { + if aep.Type == v1beta1.Tunnel { + if aep.Config == nil { + enable = false + return + } + start, ok := aep.Config[utils.RavenEnableTunnel] + if !ok { + enable = false + return + } + if strings.ToLower(start) == "true" { + enable = true + } + } + } + return +} diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index de9e829..7b72dd1 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -5,42 +5,35 @@ import ( "sync" ) -type StatusOption interface { - GetProxyStatus() bool - GetTunnelStatus() bool - SetProxyStatus(status bool) - SetTunnelStatus(status bool) -} - -type engineOption struct { +type Option struct { mu sync.Mutex enableProxy bool enableTunnel bool } -func NewEngineOption() StatusOption { - return &engineOption{enableTunnel: false, enableProxy: false} +func NewEngineOption() *Option { + return &Option{enableTunnel: false, enableProxy: false} } -func (s *engineOption) GetProxyStatus() bool { +func (s *Option) GetProxyStatus() bool { s.mu.Lock() defer s.mu.Unlock() return s.enableProxy } -func (s *engineOption) GetTunnelStatus() bool { +func (s *Option) GetTunnelStatus() bool { s.mu.Lock() defer s.mu.Unlock() return s.enableTunnel } -func (s *engineOption) SetProxyStatus(status bool) { +func (s *Option) SetProxyStatus(status bool) { s.mu.Lock() defer s.mu.Unlock() s.enableProxy = status } -func (s *engineOption) SetTunnelStatus(status bool) { +func (s *Option) SetTunnelStatus(status bool) { s.mu.Lock() defer s.mu.Unlock() s.enableTunnel = status diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go index d3534b4..0315668 100644 --- a/pkg/metrics/metrics.go +++ b/pkg/metrics/metrics.go @@ -17,15 +17,11 @@ limitations under the License. package metrics import ( - "strings" - "github.com/prometheus/client_golang/prometheus" - - "github.com/openyurtio/openyurt/pkg/projectinfo" ) var ( - namespace = strings.ReplaceAll(projectinfo.GetTunnelName(), "-", "_") + namespace = "raven_agent" subsystem = "server" ) diff --git a/pkg/networkengine/routedriver/driver.go b/pkg/networkengine/routedriver/driver.go index 65cf526..2a49148 100644 --- a/pkg/networkengine/routedriver/driver.go +++ b/pkg/networkengine/routedriver/driver.go @@ -1,3 +1,19 @@ +/* +Copyright 2023 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package routedriver import ( diff --git a/pkg/networkengine/routedriver/vxlan/vxlan.go b/pkg/networkengine/routedriver/vxlan/vxlan.go index 811029b..d071751 100644 --- a/pkg/networkengine/routedriver/vxlan/vxlan.go +++ b/pkg/networkengine/routedriver/vxlan/vxlan.go @@ -28,7 +28,7 @@ import ( "github.com/vishvananda/netlink" "k8s.io/klog/v2" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/networkengine/routedriver" networkutil "github.com/openyurtio/raven/pkg/networkengine/util" diff --git a/pkg/networkengine/routedriver/vxlan/vxlan_test.go b/pkg/networkengine/routedriver/vxlan/vxlan_test.go index 37878c0..018b0a8 100644 --- a/pkg/networkengine/routedriver/vxlan/vxlan_test.go +++ b/pkg/networkengine/routedriver/vxlan/vxlan_test.go @@ -23,7 +23,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/vishvananda/netlink" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" networkutil "github.com/openyurtio/raven/pkg/networkengine/util" netlinkutil "github.com/openyurtio/raven/pkg/networkengine/util/netlink" "github.com/openyurtio/raven/pkg/types" diff --git a/pkg/networkengine/vpndriver/driver.go b/pkg/networkengine/vpndriver/driver.go index f377025..7eca5e7 100644 --- a/pkg/networkengine/vpndriver/driver.go +++ b/pkg/networkengine/vpndriver/driver.go @@ -1,3 +1,19 @@ +/* +Copyright 2023 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package vpndriver import ( diff --git a/pkg/networkengine/vpndriver/driver_test.go b/pkg/networkengine/vpndriver/driver_test.go index 1ac9f10..4707f83 100644 --- a/pkg/networkengine/vpndriver/driver_test.go +++ b/pkg/networkengine/vpndriver/driver_test.go @@ -4,7 +4,7 @@ import ( "reflect" "testing" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/cmd/agent/app/config" "github.com/openyurtio/raven/pkg/types" diff --git a/pkg/networkengine/vpndriver/libreswan/libreswan.go b/pkg/networkengine/vpndriver/libreswan/libreswan.go index 8a4098a..9db1802 100644 --- a/pkg/networkengine/vpndriver/libreswan/libreswan.go +++ b/pkg/networkengine/vpndriver/libreswan/libreswan.go @@ -319,7 +319,7 @@ func whackCmdFn(args ...string) error { time.Sleep(1 * time.Second) } if err != nil { - return fmt.Errorf("error whacking with %v: %v", args, err) + return fmt.Errorf("error whacking with %v: status code %v, error %s", args, err, string(output)) } return nil } diff --git a/pkg/networkengine/vpndriver/wireguard/wireguard.go b/pkg/networkengine/vpndriver/wireguard/wireguard.go index 6c640ae..9cdadb8 100644 --- a/pkg/networkengine/vpndriver/wireguard/wireguard.go +++ b/pkg/networkengine/vpndriver/wireguard/wireguard.go @@ -26,7 +26,7 @@ import ( "strconv" "time" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "github.com/pkg/errors" "github.com/vdobler/ht/errorlist" "github.com/vishvananda/netlink" diff --git a/pkg/proxyengine/proxyclient/proxyclient.go b/pkg/proxyengine/proxyclient/proxyclient.go index cbf73e8..9cb3bf6 100644 --- a/pkg/proxyengine/proxyclient/proxyclient.go +++ b/pkg/proxyengine/proxyclient/proxyclient.go @@ -32,10 +32,10 @@ import ( "k8s.io/klog/v2" anp "sigs.k8s.io/apiserver-network-proxy/pkg/agent" - "github.com/openyurtio/openyurt/pkg/util/certmanager" - "github.com/openyurtio/openyurt/pkg/util/certmanager/factory" "github.com/openyurtio/raven/pkg/proxyengine" "github.com/openyurtio/raven/pkg/utils" + "github.com/openyurtio/raven/pkg/utils/certmanager" + "github.com/openyurtio/raven/pkg/utils/certmanager/factory" ) type ProxyClient struct { diff --git a/pkg/proxyengine/proxyserver/interceptor.go b/pkg/proxyengine/proxyserver/interceptor.go index ad988a3..03b9dac 100644 --- a/pkg/proxyengine/proxyserver/interceptor.go +++ b/pkg/proxyengine/proxyserver/interceptor.go @@ -118,7 +118,7 @@ func NewInterceptor(udsFile string, cfg *tls.Config) http.Handler { return nil, fmt.Errorf("unrecognize the proxy forwarding mode") } if isTLS { - cfg.InsecureSkipVerify = false + cfg.InsecureSkipVerify = true tlsConn := tls.Client(conn, cfg) if err := tlsConn.Handshake(); err != nil { conn.Close() diff --git a/pkg/proxyengine/proxyserver/manageheader.go b/pkg/proxyengine/proxyserver/manageheader.go index e07e4e0..4ecceed 100644 --- a/pkg/proxyengine/proxyserver/manageheader.go +++ b/pkg/proxyengine/proxyserver/manageheader.go @@ -19,22 +19,21 @@ package proxyserver import ( "context" "fmt" + "math/rand" "net" "net/http" "strconv" "strings" "time" - "math/rand" - v1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/openyurtio/openyurt/pkg/apis/raven" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/pkg/metrics" "github.com/openyurtio/raven/pkg/utils" ) @@ -89,7 +88,7 @@ func (h *headerManger) Handler(handler http.Handler) http.Handler { } } if host == "" || ip == "" || port == "" { - logAndHTTPError(w, http.StatusBadRequest, "request host %s and url %s is invalid, %s", r.Host, r.URL.String(), err.Error()) + logAndHTTPError(w, http.StatusBadRequest, "request host %s and url %s is invalid", r.Host, r.URL.String()) return } // Complete request header information @@ -143,18 +142,19 @@ func (h *headerManger) getAPIServerRequestDestAddress(r *http.Request) (name, ip if err != nil { return "", "", "", err } - name, err = h.getGatewayNodeName(&node) if err != nil { return "", "", "", fmt.Errorf("gateway include node %s, has no active endpoints, error %s", node.Name, err.Error()) } - ip = getNodeIP(&node) if ip == "" { return "", "", "", fmt.Errorf("node %s ip is empty", node.Name) } - port = strconv.Itoa(int(node.Status.DaemonEndpoints.KubeletEndpoint.Port)) + _, port, _ = net.SplitHostPort(r.Header.Get(utils.RavenProxyDestHeaderKey)) + if port == "" { + port = strconv.Itoa(int(node.Status.DaemonEndpoints.KubeletEndpoint.Port)) + } return name, ip, port, nil } diff --git a/pkg/proxyengine/proxyserver/proxyserver.go b/pkg/proxyengine/proxyserver/proxyserver.go index 6359851..a3047fb 100644 --- a/pkg/proxyengine/proxyserver/proxyserver.go +++ b/pkg/proxyengine/proxyserver/proxyserver.go @@ -38,13 +38,12 @@ import ( anpserver "sigs.k8s.io/apiserver-network-proxy/pkg/server" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/openyurtio/openyurt/pkg/apis/raven" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" - "github.com/openyurtio/openyurt/pkg/util/certmanager" - "github.com/openyurtio/openyurt/pkg/util/certmanager/factory" - ravenutils "github.com/openyurtio/openyurt/pkg/yurtmanager/controller/raven/utils" + "github.com/openyurtio/api/raven" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/pkg/proxyengine" "github.com/openyurtio/raven/pkg/utils" + "github.com/openyurtio/raven/pkg/utils/certmanager" + "github.com/openyurtio/raven/pkg/utils/certmanager/factory" ) type ProxyServer struct { @@ -110,12 +109,12 @@ func NewProxyServer(cfg *proxyengine.EnginConfig, client client.Client, kubeCfg } func (c *ProxyServer) Start(ctx context.Context) error { - dnsNames, IPs := c.getProxyServerIPsAndDNSName(ctx) + dnsNames, IPs := c.getProxyServerIPsAndDNSName() certFactory := factory.NewCertManagerFactory(c.clientSet) serverCertCfg := &factory.CertManagerConfig{ IPs: append(c.certIPs, IPs...), IPGetter: func() ([]net.IP, error) { - _, ips := c.getProxyServerIPsAndDNSName(ctx) + _, ips := c.getProxyServerIPsAndDNSName() return ips, nil }, DNSNames: append(c.certDNSNames, dnsNames...), @@ -128,10 +127,10 @@ func (c *ProxyServer) Start(ctx context.Context) error { } serverCertMgr, err := certFactory.New(serverCertCfg) if err != nil { - klog.Errorf(utils.FormatProxyServer("failed to new server cert manager factory for proxy server %s, error %s", c.nodeName, err.Error())) return fmt.Errorf("failed to new server cert manager factory for proxy server %s, error %s", c.nodeName, err.Error()) } serverCertMgr.Start() + defer serverCertMgr.Stop() proxyCertCfg := &factory.CertManagerConfig{ CertDir: c.certDir, @@ -142,7 +141,6 @@ func (c *ProxyServer) Start(ctx context.Context) error { } proxyCertMgr, err := certFactory.New(proxyCertCfg) if err != nil { - klog.Errorf(utils.FormatProxyServer("failed to new proxy cert manager factory for proxy server %s, error %s", c.nodeName, err.Error())) return fmt.Errorf("failed to new proxy cert manager factory for proxy server %s, error %s", c.nodeName, err.Error()) } proxyCertMgr.Start() @@ -165,11 +163,14 @@ func (c *ProxyServer) Start(ctx context.Context) error { return err } utils.RunMetaServer(ctx, c.metaAddress) - c.runServers(ctx) + err = c.runServers(ctx) + if err != nil { + return fmt.Errorf("failed to run proxy servers, error %s", err.Error()) + } return nil } -func (c *ProxyServer) runServers(ctx context.Context) { +func (c *ProxyServer) runServers(ctx context.Context) error { klog.Info(utils.FormatProxyServer("start proxy server")) strategy := []anpserver.ProxyStrategy{anpserver.ProxyStrategyDestHost} proxyServer := anpserver.NewProxyServer(c.nodeName, strategy, 1, &anpserver.AgentTokenAuthenticationOptions{}) @@ -178,58 +179,60 @@ func (c *ProxyServer) runServers(ctx context.Context) { headerMgr := NewHeaderManager(c.client, c.gateway.GetName(), utilnet.IsIPv4String(c.nodeIP)) NewMaster(headerMgr.Handler(interceptor), c.serverTLSConfig, c.internalSecureAddress, c.internalInsecureAddress).Run(ctx) NewAgent(c.serverTLSConfig, proxyServer, c.exposedAddress).Run(ctx) + return nil } -func (c *ProxyServer) getProxyServerIPsAndDNSName(ctx context.Context) (dnsName []string, ipAddr []net.IP) { +func (c *ProxyServer) getProxyServerIPsAndDNSName() (dnsName []string, ipAddr []net.IP) { + ipAddr = append(ipAddr, net.ParseIP(c.nodeIP)) ipAddr = append(ipAddr, net.ParseIP(utils.DefaultLoopBackIP4)) + ipAddr = append(ipAddr, c.certIPs...) dnsName = append(dnsName, c.nodeName) - _ = wait.PollImmediateWithContext(ctx, 10*time.Second, 10*time.Minute, func(ctx context.Context) (done bool, err error) { - var svc v1.Service - err = c.client.Get(ctx, types.NamespacedName{Namespace: ravenutils.WorkingNamespace, Name: ravenutils.GatewayProxyInternalService}, &svc) - if err != nil { - klog.Errorf(utils.FormatProxyServer("failed to get internal service %s/%s to get proxy server IPs and DNSNames, error %s", - svc.GetNamespace(), svc.GetName(), err.Error())) - return false, nil - } + + var svc v1.Service + err := c.client.Get(context.TODO(), types.NamespacedName{Namespace: utils.WorkingNamespace, Name: utils.GatewayProxyInternalService}, &svc) + if err != nil { + klog.Errorf(utils.FormatProxyServer("failed to get internal service %s/%s to get proxy server IPs and DNSNames, error %s", + svc.GetNamespace(), svc.GetName(), err.Error())) + return + } + dnsName = append(dnsName, getDefaultDomainsForSvc(svc.GetNamespace(), svc.GetName())...) + if svc.Spec.ClusterIP != "" { + ipAddr = append(ipAddr, net.ParseIP(svc.Spec.ClusterIP)) + } + var svcList v1.ServiceList + err = c.client.List(context.TODO(), &svcList, &client.ListOptions{ + LabelSelector: labels.Set{ + raven.LabelCurrentGateway: c.gateway.GetName(), + utils.LabelCurrentGatewayType: v1beta1.Proxy, + utils.LabelCurrentGatewayEndpoints: c.nodeName, + }.AsSelector(), + }) + if err != nil { + klog.Errorf(utils.FormatProxyServer("failed to get public serivce for gateway %s, node %s to get proxy server IPs and DNSNames, error %s", + c.gateway.GetName(), c.nodeName, err.Error())) + return + } + + for _, svc = range svcList.Items { dnsName = append(dnsName, getDefaultDomainsForSvc(svc.GetNamespace(), svc.GetName())...) + dnsName = append(dnsName, getExternalDNSName(&svc)...) + ipAddr = append(ipAddr, getExternalIPForSvc(&svc)...) if svc.Spec.ClusterIP != "" { ipAddr = append(ipAddr, net.ParseIP(svc.Spec.ClusterIP)) } - var svcList v1.ServiceList - err = c.client.List(ctx, &svcList, &client.ListOptions{ - LabelSelector: labels.Set{ - raven.LabelCurrentGateway: c.gateway.GetName(), - raven.LabelCurrentGatewayType: v1beta1.Proxy, - ravenutils.LabelCurrentGatewayEndpoints: c.nodeName, - }.AsSelector(), - }) - if err != nil { - klog.Errorf(utils.FormatProxyServer("failed to get public service for gateway %s, node %s to get proxy server IPs and DNSNames, error %s", - c.gateway.GetName(), c.nodeName, err.Error())) - return false, nil - } - - for _, svc = range svcList.Items { - dnsName = append(dnsName, getDefaultDomainsForSvc(svc.GetNamespace(), svc.GetName())...) - dnsName = append(dnsName, getExternalDNSName(&svc)...) - ipAddr = append(ipAddr, getExternalIPForSvc(&svc)...) - if svc.Spec.ClusterIP != "" { - ipAddr = append(ipAddr, net.ParseIP(svc.Spec.ClusterIP)) - } - if svc.Status.LoadBalancer.Ingress != nil { - for _, ing := range svc.Status.LoadBalancer.Ingress { - if ing.IP != "" { - ipAddr = append(ipAddr, net.ParseIP(ing.IP)) - } - if ing.Hostname != "" { - dnsName = append(dnsName, ing.Hostname) - } + if svc.Status.LoadBalancer.Ingress != nil { + for _, ing := range svc.Status.LoadBalancer.Ingress { + if ing.IP != "" { + ipAddr = append(ipAddr, net.ParseIP(ing.IP)) + } + if ing.Hostname != "" { + dnsName = append(dnsName, ing.Hostname) } } } - return true, nil - }) + } + klog.V(3).Info("cert address is %v", ipAddr) return } diff --git a/pkg/proxyengine/proxyserver/servers.go b/pkg/proxyengine/proxyserver/servers.go index 52c41e4..3d7b668 100644 --- a/pkg/proxyengine/proxyserver/servers.go +++ b/pkg/proxyengine/proxyserver/servers.go @@ -60,7 +60,7 @@ func (p *proxies) Run(ctx context.Context) { defer listen.Close() go func(ctx context.Context) { <-ctx.Done() - err = server.Shutdown(ctx) + err := server.Shutdown(context.TODO()) if err != nil { klog.Errorf("failed to shutdown proxies server, error %s", err.Error()) } @@ -96,7 +96,7 @@ func (m *master) Run(ctx context.Context) { } go func(ctx context.Context) { <-ctx.Done() - err := server.Shutdown(ctx) + err := server.Shutdown(context.TODO()) if err != nil { klog.Errorf("failed to shutdown master secure server, error %s", err.Error()) } @@ -117,7 +117,7 @@ func (m *master) Run(ctx context.Context) { } go func(ctx context.Context) { <-ctx.Done() - err := server.Shutdown(ctx) + err := server.Shutdown(context.TODO()) if err != nil { klog.Errorf("failed to shutdown master insecure server, error %s", err.Error()) } diff --git a/pkg/tunnelengine/tunnelagent.go b/pkg/tunnelengine/tunnelagent.go index ab87d17..aa5559a 100644 --- a/pkg/tunnelengine/tunnelagent.go +++ b/pkg/tunnelengine/tunnelagent.go @@ -30,9 +30,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "github.com/EvilSuperstars/go-cidrman" - "github.com/openyurtio/openyurt/pkg/apis/raven" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" - ravenutils "github.com/openyurtio/openyurt/pkg/yurtmanager/controller/raven/utils" + "github.com/openyurtio/api/raven" + "github.com/openyurtio/api/raven/v1beta1" "github.com/openyurtio/raven/pkg/networkengine/routedriver" "github.com/openyurtio/raven/pkg/networkengine/vpndriver" "github.com/openyurtio/raven/pkg/types" @@ -255,9 +254,9 @@ func (c *TunnelHandler) getLoadBalancerPublicIP(gwName string) (string, error) { var svcList v1.ServiceList err := c.ravenClient.List(context.TODO(), &svcList, &client.ListOptions{ LabelSelector: labels.Set{ - raven.LabelCurrentGateway: gwName, - raven.LabelCurrentGatewayType: v1beta1.Tunnel, - ravenutils.LabelCurrentGatewayEndpoints: c.nodeName, + raven.LabelCurrentGateway: gwName, + utils.LabelCurrentGatewayType: v1beta1.Tunnel, + utils.LabelCurrentGatewayEndpoints: c.nodeName, }.AsSelector(), }) if err != nil { diff --git a/pkg/types/network.go b/pkg/types/network.go index 0c53ea6..cc80538 100644 --- a/pkg/types/network.go +++ b/pkg/types/network.go @@ -17,7 +17,7 @@ package types import ( - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" ) // GatewayName is the type representing the name of Gateway. diff --git a/pkg/types/network_test.go b/pkg/types/network_test.go index 9efc71a..40892e4 100644 --- a/pkg/types/network_test.go +++ b/pkg/types/network_test.go @@ -20,7 +20,7 @@ import ( "reflect" "testing" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" ) const ( diff --git a/pkg/utils/certmanager/factory/factory.go b/pkg/utils/certmanager/factory/factory.go new file mode 100644 index 0000000..13a9b01 --- /dev/null +++ b/pkg/utils/certmanager/factory/factory.go @@ -0,0 +1,175 @@ +/* +Copyright 2022 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package factory + +import ( + "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "fmt" + "net" + "reflect" + + certificatesv1 "k8s.io/api/certificates/v1" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/util/certificate" + "k8s.io/klog/v2" + + "github.com/openyurtio/raven/pkg/utils/certmanager/store" +) + +type IPGetter func() ([]net.IP, error) +type DNSGetter func() ([]string, error) + +// CertManagerConfig specifies the attributes of the created CertManager +type CertManagerConfig struct { + // ComponentName represents the name of the component which will use this CertManager. + ComponentName string + // CommonName is CN of cert. + CommonName string + // CertDir represents the dir of local file system where the cert related files will be stored. + CertDir string + // Organizations is O of cert. + Organizations []string + // DNSNames contain a list of DNS names this component will use. + // Note: + // If DNSGetter is set and it can get dns names with no error returned, + // DNSNames will be ignored and what got from DNSGetter will be used. + DNSNames []string + // DNSGetter can get dns names at runtime. If no error returned when getting dns names, + // these dns names will be used in the cert instead of the DNSNames. + DNSGetter + // IPs contain a list of IP this component will use. + // Note: + // If IPGetter is set and it can get ips with no error returned, + // IPs will be ignored and what got from IPGetter will be used. + IPs []net.IP + // IPGetter can get ips at runtime. If no error returned when getting ips, + // these ips will be used in the cert instead of the IPs. + IPGetter + // SignerName can specified the signer of Kubernetes, which can be one of + // 1. "kubernetes.io/kube-apiserver-client" + // 2. "kubernetes.io/kube-apiserver-client-kubelet" + // 3. "kubernetes.io/kubelet-serving" + // More details can be found at k8s.io/api/certificates/v1 + SignerName string + // ForServerUsage indicates the usage of this cert. + // If set, UsageServerAuth will be used, otherwise UsageClientAuth will be used. + // Additionally, UsageKeyEncipherment and UsageDigitalSignature are always used. + ForServerUsage bool +} + +// CertManagerFactory knows how to create CertManager for OpenYurt Components. +type CertManagerFactory interface { + // New function will create the CertManager as what CertManagerConfig specified. + New(*CertManagerConfig) (certificate.Manager, error) +} + +type factory struct { + clientsetFn certificate.ClientsetFunc + fileStore certificate.FileStore +} + +func NewCertManagerFactory(clientSet kubernetes.Interface) CertManagerFactory { + return &factory{ + clientsetFn: func(current *tls.Certificate) (kubernetes.Interface, error) { + return clientSet, nil + }, + } +} + +func NewCertManagerFactoryWithFnAndStore(clientsetFn certificate.ClientsetFunc, store certificate.FileStore) CertManagerFactory { + return &factory{ + clientsetFn: clientsetFn, + fileStore: store, + } +} + +func (f *factory) New(cfg *CertManagerConfig) (certificate.Manager, error) { + var err error + if IsNil(f.fileStore) { + f.fileStore, err = store.NewFileStoreWrapper(cfg.ComponentName, cfg.CertDir, cfg.CertDir, "", "") + if err != nil { + return nil, fmt.Errorf("failed to initialize the server certificate store: %w", err) + } + } + + ips, dnsNames := cfg.IPs, cfg.DNSNames + getTemplate := func() *x509.CertificateRequest { + if cfg.IPGetter != nil { + newIPs, err := cfg.IPGetter() + if err == nil && len(newIPs) != 0 { + klog.V(4).Infof("cr template of %s uses ips=%#+v", cfg.ComponentName, newIPs) + ips = newIPs + } + if err != nil { + klog.Errorf("failed to get ips for %s when preparing cr template, %v", cfg.ComponentName, err) + return nil + } + } + if cfg.DNSGetter != nil { + newDNSNames, err := cfg.DNSGetter() + if err == nil && len(newDNSNames) != 0 { + klog.V(4).Infof("cr template of %s uses dns names=%#+v", cfg.ComponentName, newDNSNames) + dnsNames = newDNSNames + } + if err != nil { + klog.Errorf("failed to get dns names for %s when preparing cr template, %v", cfg.ComponentName, err) + return nil + } + } + return &x509.CertificateRequest{ + Subject: pkix.Name{ + CommonName: cfg.CommonName, + Organization: cfg.Organizations, + }, + DNSNames: dnsNames, + IPAddresses: ips, + } + } + + usages := []certificatesv1.KeyUsage{ + certificatesv1.UsageKeyEncipherment, + certificatesv1.UsageDigitalSignature, + } + if cfg.ForServerUsage { + usages = append(usages, certificatesv1.UsageServerAuth) + } else { + usages = append(usages, certificatesv1.UsageClientAuth) + } + + return certificate.NewManager(&certificate.Config{ + ClientsetFn: f.clientsetFn, + SignerName: cfg.SignerName, + GetTemplate: getTemplate, + Usages: usages, + CertificateStore: f.fileStore, + Logf: klog.Infof, + }) +} + +func IsNil(i interface{}) bool { + if i == nil { + return true + } + + switch reflect.TypeOf(i).Kind() { + case reflect.Ptr, reflect.Slice, reflect.Array, reflect.Chan, reflect.Map: + return reflect.ValueOf(i).IsNil() + } + return false +} diff --git a/pkg/utils/certmanager/pki.go b/pkg/utils/certmanager/pki.go new file mode 100644 index 0000000..d114c8e --- /dev/null +++ b/pkg/utils/certmanager/pki.go @@ -0,0 +1,187 @@ +/* +Copyright 2020 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package certmanager + +import ( + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "net" + "os" + + "k8s.io/client-go/tools/clientcmd" + "k8s.io/client-go/util/certificate" +) + +// GenTLSConfigUseCurrentCertAndCertPool generates a TLS configuration +// using the given current certificate and x509 CertPool +func GenTLSConfigUseCurrentCertAndCertPool( + current func() *tls.Certificate, + root *x509.CertPool, + mode string) (*tls.Config, error) { + tlsConfig := &tls.Config{ + // Can't use SSLv3 because of POODLE and BEAST + // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher + // Can't use TLSv1.1 because of RC4 cipher usage + MinVersion: tls.VersionTLS12, + } + + switch mode { + case "server": + tlsConfig.ClientCAs = root + tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven + if current != nil { + tlsConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) { + cert := current() + if cert == nil { + return &tls.Certificate{Certificate: nil}, nil + } + return cert, nil + } + } + case "client": + tlsConfig.RootCAs = root + if current != nil { + tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { + cert := current() + if cert == nil { + return &tls.Certificate{Certificate: nil}, nil + } + return cert, nil + } + } + default: + return nil, fmt.Errorf("unsupported cert manager mode(only server or client), %s", mode) + } + + return tlsConfig, nil +} + +// GenRootCertPool generates a x509 CertPool based on the given kubeconfig, +// if the kubeConfig is empty, it will creates the CertPool using the CA file +func GenRootCertPool(kubeConfig, caFile string) (*x509.CertPool, error) { + if kubeConfig != "" { + // kubeconfig is given, generate the clientset based on it + if _, err := os.Stat(kubeConfig); os.IsNotExist(err) { + return nil, err + } + + // load the root ca from the given kubeconfig file + config, err := clientcmd.LoadFromFile(kubeConfig) + if err != nil || config == nil { + return nil, fmt.Errorf("failed to load the kubeconfig file(%s), %w", + kubeConfig, err) + } + + if len(config.CurrentContext) == 0 { + return nil, fmt.Errorf("'current context' is not set in %s", + kubeConfig) + } + + ctx, ok := config.Contexts[config.CurrentContext] + if !ok || ctx == nil { + return nil, fmt.Errorf("'current context(%s)' is not found in %s", + config.CurrentContext, kubeConfig) + } + + cluster, ok := config.Clusters[ctx.Cluster] + if !ok || cluster == nil { + return nil, fmt.Errorf("'cluster(%s)' is not found in %s", + ctx.Cluster, kubeConfig) + } + + if len(cluster.CertificateAuthorityData) == 0 { + return nil, fmt.Errorf("'certificate authority data of the cluster(%s) is not set in %s", + ctx.Cluster, kubeConfig) + } + + rootCertPool := x509.NewCertPool() + rootCertPool.AppendCertsFromPEM(cluster.CertificateAuthorityData) + return rootCertPool, nil + } + + // kubeConfig is missing, generate the cluster root ca based on the given ca file + return GenCertPoolUseCA(caFile) +} + +// GenTLSConfigUseCertMgrAndCA generates a TLS configuration based on the +// given certificate manager and the CA file +func GenTLSConfigUseCertMgrAndCA( + m certificate.Manager, + serverAddr, caFile string) (*tls.Config, error) { + root, err := GenCertPoolUseCA(caFile) + if err != nil { + return nil, err + } + + host, _, err := net.SplitHostPort(serverAddr) + if err != nil { + return nil, err + } + + tlsConfig := &tls.Config{ + // Can't use SSLv3 because of POODLE and BEAST + // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher + // Can't use TLSv1.1 because of RC4 cipher usage + MinVersion: tls.VersionTLS12, + ServerName: host, + RootCAs: root, + } + + tlsConfig.GetClientCertificate = + func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { + cert := m.Current() + if cert == nil { + return &tls.Certificate{Certificate: nil}, nil + } + return cert, nil + } + tlsConfig.GetCertificate = + func(*tls.ClientHelloInfo) (*tls.Certificate, error) { + cert := m.Current() + if cert == nil { + return &tls.Certificate{Certificate: nil}, nil + } + return cert, nil + } + + return tlsConfig, nil +} + +// GenCertPoolUseCA generates a x509 CertPool based on the given CA file +func GenCertPoolUseCA(caFile string) (*x509.CertPool, error) { + if caFile == "" { + return nil, errors.New("CA file is not set") + } + + if _, err := os.Stat(caFile); err != nil { + if os.IsNotExist(err) { + return nil, fmt.Errorf("CA file(%s) doesn't exist", caFile) + } + return nil, fmt.Errorf("fail to stat the CA file(%s): %w", caFile, err) + } + + caData, err := os.ReadFile(caFile) + if err != nil { + return nil, err + } + + certPool := x509.NewCertPool() + certPool.AppendCertsFromPEM(caData) + return certPool, nil +} diff --git a/pkg/utils/certmanager/pki_test.go b/pkg/utils/certmanager/pki_test.go new file mode 100644 index 0000000..800fac3 --- /dev/null +++ b/pkg/utils/certmanager/pki_test.go @@ -0,0 +1,347 @@ +/* +Copyright 2020 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package certmanager + +import ( + "bytes" + "crypto/tls" + "crypto/x509" + "fmt" + "reflect" + "testing" + "time" + + certificatesv1 "k8s.io/api/certificates/v1" + "k8s.io/client-go/util/certificate" +) + +const ( + failed = "\u2717" + succeed = "\u2713" +) + +type certificateData struct { + keyPEM []byte + certificatePEM []byte + certificate *tls.Certificate +} + +func newCertificateData(certificatePEM string, keyPEM string) *certificateData { + certificate, err := tls.X509KeyPair([]byte(certificatePEM), []byte(keyPEM)) + if err != nil { + panic(fmt.Sprintf("Unable to initialize certificate: %v", err)) + } + certs, err := x509.ParseCertificates(certificate.Certificate[0]) + if err != nil { + panic(fmt.Sprintf("Unable to initialize certificate leaf: %v", err)) + } + certificate.Leaf = certs[0] + return &certificateData{ + keyPEM: []byte(keyPEM), + certificatePEM: []byte(certificatePEM), + certificate: &certificate, + } +} + +var storeCertData = newCertificateData(`-----BEGIN CERTIFICATE----- +MIICRzCCAfGgAwIBAgIJALMb7ecMIk3MMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV +BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE +CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRswGQYD +VQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTAwIBcNMTcwNDI2MjMyNjUyWhgPMjExNzA0 +MDIyMzI2NTJaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNV +BAcMBkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J +VCBEZXBhcnRtZW50MRswGQYDVQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTAwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEAtBMa7NWpv3BVlKTCPGO/LEsguKqWHBtKzweMY2CV +tAL1rQm913huhxF9w+ai76KQ3MHK5IVnLJjYYA5MzP2H5QIDAQABo1AwTjAdBgNV +HQ4EFgQU22iy8aWkNSxv0nBxFxerfsvnZVMwHwYDVR0jBBgwFoAU22iy8aWkNSxv +0nBxFxerfsvnZVMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANBAEOefGbV +NcHxklaW06w6OBYJPwpIhCVozC1qdxGX1dg8VkEKzjOzjgqVD30m59OFmSlBmHsl +nkVA6wyOSDYBf3o= +-----END CERTIFICATE-----`, `-----BEGIN RSA PRIVATE KEY----- +MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAtBMa7NWpv3BVlKTC +PGO/LEsguKqWHBtKzweMY2CVtAL1rQm913huhxF9w+ai76KQ3MHK5IVnLJjYYA5M +zP2H5QIDAQABAkAS9BfXab3OKpK3bIgNNyp+DQJKrZnTJ4Q+OjsqkpXvNltPJosf +G8GsiKu/vAt4HGqI3eU77NvRI+mL4MnHRmXBAiEA3qM4FAtKSRBbcJzPxxLEUSwg +XSCcosCktbkXvpYrS30CIQDPDxgqlwDEJQ0uKuHkZI38/SPWWqfUmkecwlbpXABK +iQIgZX08DA8VfvcA5/Xj1Zjdey9FVY6POLXen6RPiabE97UCICp6eUW7ht+2jjar +e35EltCRCjoejRHTuN9TC0uCoVipAiAXaJIx/Q47vGwiw6Y8KXsNU6y54gTbOSxX +54LzHNk/+Q== +-----END RSA PRIVATE KEY-----`) +var bootstrapCertData = newCertificateData( + `-----BEGIN CERTIFICATE----- +MIICRzCCAfGgAwIBAgIJANXr+UzRFq4TMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV +BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE +CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRswGQYD +VQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTEwIBcNMTcwNDI2MjMyNzMyWhgPMjExNzA0 +MDIyMzI3MzJaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNV +BAcMBkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J +VCBEZXBhcnRtZW50MRswGQYDVQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTEwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEAqvbkN4RShH1rL37JFp4fZPnn0JUhVWWsrP8NOomJ +pXdBDUMGWuEQIsZ1Gf9JrCQLu6ooRyHSKRFpAVbMQ3ABJwIDAQABo1AwTjAdBgNV +HQ4EFgQUEGBc6YYheEZ/5MhwqSUYYPYRj2MwHwYDVR0jBBgwFoAUEGBc6YYheEZ/ +5MhwqSUYYPYRj2MwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANBAIyNmznk +5dgJY52FppEEcfQRdS5k4XFPc22SHPcz77AHf5oWZ1WG9VezOZZPp8NCiFDDlDL8 +yma33a5eMyTjLD8= +-----END CERTIFICATE-----`, `-----BEGIN RSA PRIVATE KEY----- +MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAqvbkN4RShH1rL37J +Fp4fZPnn0JUhVWWsrP8NOomJpXdBDUMGWuEQIsZ1Gf9JrCQLu6ooRyHSKRFpAVbM +Q3ABJwIDAQABAkBC2OBpGLMPHN8BJijIUDFkURakBvuOoX+/8MYiYk7QxEmfLCk6 +L6r+GLNFMfXwXcBmXtMKfZKAIKutKf098JaBAiEA10azfqt3G/5owrNA00plSyT6 +ZmHPzY9Uq1p/QTR/uOcCIQDLTkfBkLHm0UKeobbO/fSm6ZflhyBRDINy4FvwmZMt +wQIgYV/tmQJeIh91q3wBepFQOClFykG8CTMoDUol/YyNqUkCIHfp6Rr7fGL3JIMq +QQgf9DCK8SPZqq8DYXjdan0kKBJBAiEAyDb+07o2gpggo8BYUKSaiRCiyXfaq87f +eVqgpBq/QN4= +-----END RSA PRIVATE KEY-----`) +var apiServerCertData = newCertificateData( + `-----BEGIN CERTIFICATE----- +MIICRzCCAfGgAwIBAgIJAIydTIADd+yqMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV +BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE +CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRswGQYD +VQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTIwIBcNMTcwNDI2MjMyNDU4WhgPMjExNzA0 +MDIyMzI0NThaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNV +BAcMBkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J +VCBEZXBhcnRtZW50MRswGQYDVQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTIwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEAuiRet28DV68Dk4A8eqCaqgXmymamUEjW/DxvIQqH +3lbhtm8BwSnS9wUAajSLSWiq3fci2RbRgaSPjUrnbOHCLQIDAQABo1AwTjAdBgNV +HQ4EFgQU0vhI4OPGEOqT+VAWwxdhVvcmgdIwHwYDVR0jBBgwFoAU0vhI4OPGEOqT ++VAWwxdhVvcmgdIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANBALNeJGDe +nV5cXbp9W1bC12Tc8nnNXn4ypLE2JTQAvyp51zoZ8hQoSnRVx/VCY55Yu+br8gQZ ++tW+O/PoE7B3tuY= +-----END CERTIFICATE-----`, `-----BEGIN RSA PRIVATE KEY----- +MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAuiRet28DV68Dk4A8 +eqCaqgXmymamUEjW/DxvIQqH3lbhtm8BwSnS9wUAajSLSWiq3fci2RbRgaSPjUrn +bOHCLQIDAQABAkEArDR1g9IqD3aUImNikDgAngbzqpAokOGyMoxeavzpEaFOgCzi +gi7HF7yHRmZkUt8CzdEvnHSqRjFuaaB0gGA+AQIhAOc8Z1h8ElLRSqaZGgI3jCTp +Izx9HNY//U5NGrXD2+ttAiEAzhOqkqI4+nDab7FpiD7MXI6fO549mEXeVBPvPtsS +OcECIQCIfkpOm+ZBBpO3JXaJynoqK4gGI6ALA/ik6LSUiIlfPQIhAISjd9hlfZME +bDQT1r8Q3Gx+h9LRqQeHgPBQ3F5ylqqBAiBaJ0hkYvrIdWxNlcLqD3065bJpHQ4S +WQkuZUQN1M/Xvg== +-----END RSA PRIVATE KEY-----`) + +type fakeStore struct { + cert *tls.Certificate +} + +func (s *fakeStore) Current() (*tls.Certificate, error) { + if s.cert == nil { + noKeyErr := certificate.NoCertKeyError("") + return nil, &noKeyErr + } + return s.cert, nil +} + +// Accepts the PEM data for the cert/key pair and makes the new cert/key +// pair the 'current' pair, that will be returned by future calls to +// Current(). +func (s *fakeStore) Update(certPEM, keyPEM []byte) (*tls.Certificate, error) { + // In order to make the mocking work, whenever a cert/key pair is passed in + // to be updated in the mock store, assume that the certificate manager + // generated the key, and then asked the mock CertificateSigningRequest API + // to sign it, then the faked API returned a canned response. The canned + // signing response will not match the generated key. In order to make + // things work out, search here for the correct matching key and use that + // instead of the passed in key. That way this file of test code doesn't + // have to implement an actual certificate signing process. + for _, tc := range []*certificateData{storeCertData, bootstrapCertData, apiServerCertData} { + if bytes.Equal(tc.certificatePEM, certPEM) { + keyPEM = tc.keyPEM + } + } + cert, err := tls.X509KeyPair(certPEM, keyPEM) + if err != nil { + return nil, err + } + now := time.Now() + s.cert = &cert + s.cert.Leaf = &x509.Certificate{ + NotBefore: now.Add(-24 * time.Hour), + NotAfter: now.Add(24 * time.Hour), + } + return s.cert, nil +} + +func TestGenTLSConfigUseCurrentCertAndCertPool(t *testing.T) { + store := &fakeStore{ + cert: storeCertData.certificate, + } + cm, err := certificate.NewManager(&certificate.Config{ + Template: &x509.CertificateRequest{}, + Usages: []certificatesv1.KeyUsage{}, + CertificateStore: store, + }) + if err != nil { + t.Fatalf("Failed to initialize the certificate manager: %v", err) + } + + tests := []struct { + name string + m certificate.Manager + root *x509.CertPool + mode string + expect error + }{ + { + "server mode", + cm, + &x509.CertPool{}, + "server", + nil, + }, + { + "client mode", + cm, + &x509.CertPool{}, + "client", + nil, + }, + { + "default mode", + cm, + &x509.CertPool{}, + "ran", + fmt.Errorf("unsupported cert manager mode(only server or client), ran"), + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + _, get := GenTLSConfigUseCurrentCertAndCertPool(tt.m.Current, tt.root, tt.mode) + + if !reflect.DeepEqual(get, tt.expect) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} + +func TestGenRootCertPool(t *testing.T) { + tests := []struct { + name string + kubeConfig string + caFile string + expect *x509.CertPool + }{ + { + "empty kubeconfig caFile", + "", + "", + nil, + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + get, _ := GenRootCertPool(tt.kubeConfig, tt.caFile) + + if !reflect.DeepEqual(tt.expect, get) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} + +func TestGenTLSConfigUseCertMgrAndCA(t *testing.T) { + store := &fakeStore{ + cert: storeCertData.certificate, + } + cm, err := certificate.NewManager(&certificate.Config{ + Template: &x509.CertificateRequest{}, + Usages: []certificatesv1.KeyUsage{}, + CertificateStore: store, + }) + if err != nil { + t.Fatalf("Failed to initialize the certificate manager: %v", err) + } + + tests := []struct { + name string + m certificate.Manager + serverAddr string + caFile string + expect *tls.Config + }{ + { + "empty caFile", + cm, + "127.0.0.1:80", + "", + nil, + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + get, _ := GenTLSConfigUseCertMgrAndCA(tt.m, tt.serverAddr, tt.caFile) + + if !reflect.DeepEqual(tt.expect, get) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} + +func TestGenCertPoolUseCA(t *testing.T) { + tests := []struct { + name string + caFile string + expect *x509.CertPool + }{ + { + "empty caFIle", + "", + nil, + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + get, _ := GenCertPoolUseCA(tt.caFile) + + if !reflect.DeepEqual(tt.expect, get) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} diff --git a/pkg/utils/certmanager/store/filestore_wrapper.go b/pkg/utils/certmanager/store/filestore_wrapper.go new file mode 100644 index 0000000..542fdde --- /dev/null +++ b/pkg/utils/certmanager/store/filestore_wrapper.go @@ -0,0 +1,54 @@ +/* +Copyright 2021 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package store + +import ( + "crypto/tls" + + "k8s.io/client-go/util/certificate" + "k8s.io/klog/v2" +) + +// fileStoreWrapper is a wrapper for "k8s.io/client-go/util/certificate#FileStore" +// This wrapper increases tolerance for unexpected situations and is more robust. +type fileStoreWrapper struct { + certificate.FileStore +} + +// NewFileStoreWrapper returns a wrapper for "k8s.io/client-go/util/certificate#FileStore" +// This wrapper increases tolerance for unexpected situations and is more robust. +func NewFileStoreWrapper(pairNamePrefix, certDirectory, keyDirectory, certFile, keyFile string) (certificate.FileStore, error) { + fileStore, err := certificate.NewFileStore(pairNamePrefix, certDirectory, keyDirectory, certFile, keyFile) + if err != nil { + return nil, err + } + return &fileStoreWrapper{ + FileStore: fileStore, + }, nil +} + +func (s *fileStoreWrapper) Current() (*tls.Certificate, error) { + cert, err := s.FileStore.Current() + // If an error occurs, just return the NoCertKeyError. + // The cert-manager will regenerate the related certificates when it receives the NoCertKeyError. + if err != nil { + klog.Warningf("unexpected error occurred when loading the certificate: %v, will regenerate it", err) + noCertKeyErr := certificate.NoCertKeyError("NO_VALID_CERT") + return nil, &noCertKeyErr + } + return cert, nil +} diff --git a/pkg/utils/certmanager/store/filestore_wrapper_test.go b/pkg/utils/certmanager/store/filestore_wrapper_test.go new file mode 100644 index 0000000..b5b7f99 --- /dev/null +++ b/pkg/utils/certmanager/store/filestore_wrapper_test.go @@ -0,0 +1,105 @@ +/* +Copyright 2021 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package store + +import ( + "reflect" + "testing" + + "k8s.io/client-go/util/certificate" +) + +const ( + failed = "\u2717" + succeed = "\u2713" +) + +var fw, _ = NewFileStoreWrapper("", "", "", "", "") + +func TestNewFileStoreWrapper(t *testing.T) { + tests := []struct { + name string + pairNamePrefix string + certDirectory string + keyDirectory string + certFile string + keyFile string + expect error + }{ + { + "normal", + "", + "", + "", + "", + "", + nil, + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + _, get := NewFileStoreWrapper( + tt.pairNamePrefix, + tt.certDirectory, + tt.keyDirectory, + tt.certFile, + tt.keyFile) + + if !reflect.DeepEqual(get, tt.expect) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} + +func TestCurrent(t *testing.T) { + noCertKeyErr := certificate.NoCertKeyError("NO_VALID_CERT") + tests := []struct { + name string + expect error + }{ + { + "normal", + &noCertKeyErr, + }, + } + + for _, tt := range tests { + tf := func(t *testing.T) { + t.Parallel() + t.Logf("\tTestCase: %s", tt.name) + { + _, get := fw.Current() + + if !reflect.DeepEqual(get, tt.expect) { + t.Fatalf("\t%s\texpect %v, but get %v", failed, tt.expect, get) + } + t.Logf("\t%s\texpect %v, get %v", succeed, tt.expect, get) + + } + } + t.Run(tt.name, tf) + } +} diff --git a/pkg/utils/constants.go b/pkg/utils/constants.go index a7b5d0e..a4b59fd 100644 --- a/pkg/utils/constants.go +++ b/pkg/utils/constants.go @@ -43,6 +43,12 @@ const ( RavenProxyServerForwardLocalMode = "Local" RavenProxyServerForwardRemoteMode = "Remote" - WorkingNamespace = "kube-system" - RavenConfigName = "raven-cfg" + WorkingNamespace = "kube-system" + RavenConfigName = "raven-cfg" + RavenEnableProxy = "enable-l7-proxy" + RavenEnableTunnel = "enable-l3-tunnel" + + GatewayProxyInternalService = "x-raven-proxy-internal-svc" + LabelCurrentGatewayEndpoints = "raven.openyurt.io/endpoints-name" + LabelCurrentGatewayType = "raven.openyurt.io/gateway-type" ) diff --git a/pkg/utils/metaserver.go b/pkg/utils/metaserver.go index b5cfb22..d9f24d6 100644 --- a/pkg/utils/metaserver.go +++ b/pkg/utils/metaserver.go @@ -19,11 +19,11 @@ package utils import ( "context" "net/http" + "net/http/pprof" "k8s.io/klog/v2" "github.com/gorilla/mux" - "github.com/openyurtio/openyurt/pkg/util/profile" "github.com/prometheus/client_golang/prometheus/promhttp" ) @@ -34,7 +34,7 @@ func RunMetaServer(ctx context.Context, addr string) { muxHandler := mux.NewRouter() muxHandler.Handle("/metrics", promhttp.Handler()) // register handler for pprof - profile.Install(muxHandler) + Install(muxHandler) metaServer := &http.Server{ Addr: addr, Handler: muxHandler, @@ -42,7 +42,7 @@ func RunMetaServer(ctx context.Context, addr string) { } go func(ctx context.Context) { <-ctx.Done() - err := metaServer.Shutdown(ctx) + err := metaServer.Shutdown(context.TODO()) if err != nil { klog.Errorf("failed to shutdown meta server, error %s", err.Error()) } @@ -53,3 +53,19 @@ func RunMetaServer(ctx context.Context, addr string) { } }(ctx) } + +// Install adds the Profiling webservice to the given mux. +func Install(c *mux.Router) { + c.HandleFunc("/debug/pprof/profile", pprof.Profile) + c.HandleFunc("/debug/pprof/symbol", pprof.Symbol) + c.HandleFunc("/debug/pprof/trace", pprof.Trace) + c.HandleFunc("/debug/pprof", redirectTo("/debug/pprof/")) + c.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index) +} + +// redirectTo redirects request to a certain destination. +func redirectTo(to string) func(http.ResponseWriter, *http.Request) { + return func(rw http.ResponseWriter, req *http.Request) { + http.Redirect(rw, req, to, http.StatusFound) + } +} diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index ed4b427..d625de1 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -20,7 +20,7 @@ import ( "context" "fmt" - "github.com/openyurtio/openyurt/pkg/apis/raven/v1beta1" + "github.com/openyurtio/api/raven/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" ) From 66a8ed5fa1d0cf85284e9c95f30fb8749ed97d9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8F=A9=E8=BD=A9?= Date: Fri, 24 Nov 2023 16:32:29 +0800 Subject: [PATCH 2/2] modify image tag --- charts/raven-agent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/raven-agent/values.yaml b/charts/raven-agent/values.yaml index fef15f4..6681f1b 100644 --- a/charts/raven-agent/values.yaml +++ b/charts/raven-agent/values.yaml @@ -6,7 +6,7 @@ image: repository: openyurt/raven-agent pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v0.4.0 + tag: 0.4.0 imagePullSecrets: [] nameOverride: ""