From a76e95971552746e54ca14bd2c3be95983dc3522 Mon Sep 17 00:00:00 2001 From: WillardHu Date: Mon, 2 Dec 2024 13:51:01 +0800 Subject: [PATCH] Revert: Fixed the hub client certificate doesn't have any IP address This reverts commit df855910a35fc3629b23edafa75cf03ca9e280e4. Signed-off-by: WillardHu --- cloud/pkg/cloudhub/config/config.go | 9 ------- .../servers/httpserver/certificate/certs.go | 4 --- .../cloudhub/servers/httpserver/pre_server.go | 8 +++++- pkg/security/certs/types.go | 26 +++---------------- pkg/security/certs/x509_ca_certs_test.go | 2 +- pkg/security/certs/x509_certs.go | 8 ++---- 6 files changed, 14 insertions(+), 43 deletions(-)
diff --git a/cloud/pkg/cloudhub/config/config.go b/cloud/pkg/cloudhub/config/config.go
index df9835b40a9..29c2d2a9d57 100644
--- a/cloud/pkg/cloudhub/config/config.go
+++ b/cloud/pkg/cloudhub/config/config.go
@@ -1,7 +1,6 @@
 package config

 import (
- "net"
 "sync"

 "k8s.io/klog/v2"
@@ -97,11 +96,3 @@ func (c *Configure) UpdateCerts(cert, key []byte) {
 c.Key = key
 }
 }
-
-func (c *Configure) ConvAdvertiseAddressToIPs() []net.IP {
- ips := make([]net.IP, 0, len(c.AdvertiseAddress))
- for _, addr := range c.AdvertiseAddress {
- ips = append(ips, net.ParseIP(addr))
- }
- return ips
-}
diff --git a/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go b/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
index b3defa40dc0..27e7faabf06 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
@@ -154,10 +154,6 @@ func signEdgeCert(r io.ReadCloser, usagesStr string) (*pem.Block, error) {
 hubconfig.Config.CaKey,
 usages,
 edgeCertSigningDuration,
- &certutil.AltNames{
- IPs: hubconfig.Config.ConvAdvertiseAddressToIPs(),
- DNSNames: hubconfig.Config.DNSNames,
- },
 ))
 if err != nil {
 return nil, fmt.Errorf("fail to signCerts, err: %v", err)
diff --git a/cloud/pkg/cloudhub/servers/httpserver/pre_server.go b/cloud/pkg/cloudhub/servers/httpserver/pre_server.go
index 65b78407315..543c1bd7311 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/pre_server.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/pre_server.go
@@ -19,6 +19,7 @@ import (
 "context"
 "crypto/x509"
 "fmt"
+ "net"
 "time"

 corev1 "k8s.io/api/core/v1"
@@ -107,7 +108,12 @@ func createCertsToSecret(ctx context.Context) error {
 if err != nil {
 klog.Info("CloudCoreCert and key don't exist in the secret, and will be signed by CA")
+ ips := make([]net.IP, 0, len(hubconfig.Config.AdvertiseAddress))
+ for _, addr := range hubconfig.Config.AdvertiseAddress {
+ ips = append(ips, net.ParseIP(addr))
+ }
 h := certs.GetHandler(certs.HandlerTypeX509)
+
 keywrap, err := h.GenPrivateKey()
 if err != nil {
 return fmt.Errorf("faield to generate the private key, err: %v", err)
@@ -123,7 +129,7 @@ func createCertsToSecret(ctx context.Context) error {
 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 AltNames: certutil.AltNames{
 DNSNames: hubconfig.Config.DNSNames,
- IPs: hubconfig.Config.ConvAdvertiseAddressToIPs(),
+ IPs: ips,
 },
 }, hubconfig.Config.Ca, hubconfig.Config.CaKey, key.Public(), year100)
 certPEM, err := h.SignCerts(opts)
diff --git a/pkg/security/certs/types.go b/pkg/security/certs/types.go
index 2174575bcb7..13d88dda117 100644
--- a/pkg/security/certs/types.go
+++ b/pkg/security/certs/types.go
@@ -59,12 +59,7 @@ type SignCertsOptions struct {
 expiration time.Duration
 }

-func SignCertsOptionsWithCA(
- cfg certutil.Config,
- caDER, caKeyDER []byte,
- publicKey any,
- expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithCA(cfg certutil.Config, caDER, caKeyDER []byte, publicKey any, expiration time.Duration) SignCertsOptions {
 return SignCertsOptions{
 cfg: cfg,
 caDER: caDER,
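Review bot: net.ParseIP returns nil for an address it cannot parse, and the loop added after the klog.Info call appends that nil to `ips` unchanged, so a malformed entry in AdvertiseAddress reaches AltNames.IPs (third hunk of this file) and is serialized as a zero-length iPAddress SAN in the CloudCore server certificate. Go's own x509 parser rejects an iPAddress SAN that is not 4 or 16 bytes long, so the misconfiguration would surface only when clients fail to validate the certificate rather than at signing time. Validate each address as it is converted and fail with the offending value; `fmt` is already imported in this file. createCertsToSecret starts and ends outside the hunk.
```go
		ips := make([]net.IP, 0, len(hubconfig.Config.AdvertiseAddress))
		for _, addr := range hubconfig.Config.AdvertiseAddress {
			ip := net.ParseIP(addr)
			if ip == nil {
				return fmt.Errorf("invalid advertise address %q", addr)
			}
			ips = append(ips, ip)
		}
		// … unchanged: handler lookup and private key generation …
```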
@@ -74,13 +69,8 @@ func SignCertsOptionsWithCA(
 }
 }

-func SignCertsOptionsWithCSR(
- csrDER, caDER, caKeyDER []byte,
- usages []x509.ExtKeyUsage,
- expiration time.Duration,
- alt *certutil.AltNames,
-) SignCertsOptions {
- opts := SignCertsOptions{
+func SignCertsOptionsWithCSR(csrDER, caDER, caKeyDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
+ return SignCertsOptions{
 csrDER: csrDER,
 caDER: caDER,
 caKeyDER: caKeyDER,
@@ -89,17 +79,9 @@ func SignCertsOptionsWithCSR(
 },
 expiration: expiration,
 }
- if alt != nil {
- opts.cfg.AltNames = *alt
- }
- return opts
 }

-func SignCertsOptionsWithK8sCSR(
- csrDER []byte,
- usages []x509.ExtKeyUsage,
- expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithK8sCSR(csrDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
 return SignCertsOptions{
 csrDER: csrDER,
 cfg: certutil.Config{
diff --git a/pkg/security/certs/x509_ca_certs_test.go b/pkg/security/certs/x509_ca_certs_test.go
index 656f3e6bc50..43638762be3 100644
--- a/pkg/security/certs/x509_ca_certs_test.go
+++ b/pkg/security/certs/x509_ca_certs_test.go
@@ -33,7 +33,7 @@ func TestSignX509Certs(t *testing.T) {
 }, certpkw, nil)
 opts := SignCertsOptionsWithCSR(csrblock.Bytes, cablock.Bytes, capkw.DER(),
- []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour, nil)
+ []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour)
 certblock, err := certh.SignCerts(opts)
 if err != nil {
 t.Fatal(err)
diff --git a/pkg/security/certs/x509_certs.go b/pkg/security/certs/x509_certs.go
index c2e3e0ed66b..a454a0daa4a 100644
--- a/pkg/security/certs/x509_certs.go
+++ b/pkg/security/certs/x509_certs.go
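Review bot: SignCertsOptionsWithCSR (and SignCertsOptionsWithK8sCSR in the following hunk) are exported but carry no doc comment, and with the `alt` parameter gone the only path by which subject alternative names reach the signed certificate is the CSR itself, as SignCerts in x509_certs.go now copies them from the parsed request. That contract is worth stating on the constructor so callers do not expect a configured AltNames to be applied. Suggest `// SignCertsOptionsWithCSR builds the options for signing csrDER with the given CA; subject and SANs come from the CSR, only key usages and lifetime are set here.` and a matching line on SignCertsOptionsWithK8sCSR. The body of SignCertsOptionsWithCSR continues past the end of this hunk.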
@@ -76,13 +76,9 @@ func (h x509CertsHandler) SignCerts(opts SignCertsOptions) (*pem.Block, error) {
 }
 opts.cfg.CommonName = csr.Subject.CommonName
 opts.cfg.Organization = csr.Subject.Organization
+ opts.cfg.AltNames.DNSNames = csr.DNSNames
+ opts.cfg.AltNames.IPs = csr.IPAddresses
 pubkey = csr.PublicKey
- if len(csr.DNSNames) > 0 {
- opts.cfg.AltNames.DNSNames = csr.DNSNames
- }
- if len(csr.IPAddresses) > 0 {
- opts.cfg.AltNames.IPs = csr.IPAddresses
- }
 }
 if len(opts.cfg.CommonName) == 0 {
 return nil, errors.New("must specify a CommonName")
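Review bot: The two added assignments copy csr.DNSNames and csr.IPAddresses into opts.cfg.AltNames unconditionally, so any AltNames a caller placed in cfg is overwritten and the requester's CSR alone decides which names the CA certifies; for signEdgeCert in certificate/certs.go that CSR is read from the request body, so this is the point where a SAN policy would have to be enforced. If the configured DNSNames and advertise addresses are meant to bound what an edge node may request, compare the CSR's SANs against them here and return an error on mismatch; if the CSR is intended to be authoritative, say so at the assignment, e.g. `// SANs are taken verbatim from the CSR; no policy check is applied here`. Note also that a CSR carrying no SANs now yields a certificate with none, since the caller's values are no longer retained. SignCerts starts and ends outside the hunk, so whether this block is the CSR-only branch is inferred from its shape.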