

Fix per node cert feature
This change introduces certDuration as a parameter to customize the
certificate duration. In addition, the environment variable for the node
name is aligned with its other usages.
s1061123 committed Sep 26, 2023
1 parent 1dd4edd commit 5745d2f
Showing 4 changed files with 23 additions and 8 deletions.
12 changes: 9 additions & 3 deletions cmd/kubeconfig_generator/main.go
Expand Up @@ -23,6 +23,7 @@ import (
"os/signal"
"syscall"
"text/template"
"time"

"github.com/spf13/pflag"

Expand Down Expand Up @@ -58,6 +59,7 @@ func main() {
certDir := pflag.StringP("certdir", "", "/tmp", "specify cert directory")
bootstrapConfig := pflag.StringP("bootstrap-config", "", "/tmp/kubeconfig", "specify bootstrap kubernetes config")
kubeconfigPath := pflag.StringP("kubeconfig", "", "/run/multus/kubeconfig", "specify output kubeconfig path")
certDurationString := pflag.StringP("cert-duration", "", "10m", "specify certificate duration")
helpFlag := pflag.BoolP("help", "h", false, "show help message and quit")

pflag.Parse()
Expand All @@ -77,10 +79,14 @@ func main() {
if !st.IsDir() {
klog.Fatalf("cert directory %q is not directory", *certDir)
}
certDuration, err := time.ParseDuration(*certDurationString)
if err != nil {
klog.Fatalf("failed to parse duration %q: %v", *certDurationString, err)
}

nodeName := os.Getenv("K8S_NODE")
nodeName := os.Getenv("MULTUS_NODE_NAME")
if nodeName == "" {
klog.Fatalf("cannot identify node name from K8S_NODE env variables")
klog.Fatalf("cannot identify node name from MULTUS_NODE_NAME env variables")
}

// retrieve API server from bootstrapConfig()
Expand All @@ -92,7 +98,7 @@ func main() {
caData := base64.StdEncoding.EncodeToString(config.CAData)

// run certManager to create certification
if _, err = k8sclient.PerNodeK8sClient(nodeName, *bootstrapConfig, *certDir); err != nil {
if _, err = k8sclient.PerNodeK8sClient(nodeName, *bootstrapConfig, certDuration, *certDir); err != nil {
klog.Fatalf("failed to start cert manager: %v", err)
}

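Review bot: The new `--cert-duration` parsing at the top of the third hunk only rejects strings that fail `time.ParseDuration`, so `0`, `-5m` or `1ns` are accepted and passed straight into `PerNodeK8sClient`; since this value is the lifetime of the per-node client certificate, it should be required to be positive, e.g. `if err != nil || certDuration <= 0 { klog.Fatalf("invalid --cert-duration %q: must be a positive duration", *certDurationString) }`. It would also help operators to note in the flag help that the value is a Go duration string (`"10m"`, `"1h"`) and that longer lifetimes widen the window in which a leaked node credential stays usable. The `main` function continues outside this section, so whether the value is bounded anywhere later is not visible here.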
3 changes: 1 addition & 2 deletions pkg/k8sclient/kubeconfig.go
Expand Up @@ -75,7 +75,7 @@ func getPerNodeKubeconfig(bootstrap *rest.Config, certDir string) *rest.Config {
}

// PerNodeK8sClient creates/reload new multus kubeconfig per-node.
func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile, certDir string) (*ClientInfo, error) {
func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile string, certDuration time.Duration, certDir string) (*ClientInfo, error) {
bootstrapKubeconfig, err := clientcmd.BuildConfigFromFlags("", bootstrapKubeconfigFile)
if err != nil {
return nil, logging.Errorf("failed to load bootstrap kubeconfig %s: %v", bootstrapKubeconfigFile, err)
Expand All @@ -98,7 +98,6 @@ func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile, certDir string) (*Clien
return nil, logging.Errorf("failed to initialize the certificate store: %v", err)
}

certDuration := 10 * time.Minute
certManager, err := certificate.NewManager(&certificate.Config{
ClientsetFn: newClientsetFn,
Template: &x509.CertificateRequest{
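Review bot: `PerNodeK8sClient` now takes `certDuration` from its callers but the hunk shows no validation before the value is handed to `certificate.NewManager`, so a zero or negative duration supplied by either caller reaches the manager unchecked; because this function is the one place that builds the manager, a guard here protects every caller at once: `if certDuration <= 0 { return nil, logging.Errorf("certDuration must be positive, got %v", certDuration) }`. The doc comment at the start of the hunk should also describe the new parameter, e.g. `// certDuration is the requested lifetime of the per-node client certificate; it must be positive.` The function body and the `NewManager` call run past the end of the hunk, so how the duration is consumed there cannot be checked from this view.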
12 changes: 9 additions & 3 deletions pkg/server/server.go
Expand Up @@ -189,11 +189,17 @@ func NewCNIServer(daemonConfig *ControllerNetConf, serverConfig []byte, ignoreRe
return nil, err
}
perNodeCertConfig := daemonConfig.PerNodeCertificate
nodeName := os.Getenv("K8S_NODE")
nodeName := os.Getenv("MULTUS_NODE_NAME")
if nodeName == "" {
return nil, logging.Errorf("error getting node name for perNodeCertificate")
return nil, logging.Errorf("error getting node name for perNodeCertificate, please check manifest to have MULTUS_NODE_NAME")
}
kubeClient, err = k8s.PerNodeK8sClient(nodeName, perNodeCertConfig.BootstrapKubeconfig, perNodeCertConfig.CertDir)

certDuration := DefaultCertDuration
if perNodeCertConfig.CertDuration != "" {
certDuration, err = time.ParseDuration(perNodeCertConfig.CertDuration)
}

kubeClient, err = k8s.PerNodeK8sClient(nodeName, perNodeCertConfig.BootstrapKubeconfig, certDuration, perNodeCertConfig.CertDir)
if err != nil {
return nil, logging.Errorf("error getting perNodeClient: %v", err)
}
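Review bot: The `time.ParseDuration` result in the new `certDuration` block is never checked: on a malformed `certDuration` in the daemon config `err` is set, `certDuration` is left at the zero value `ParseDuration` returns on failure, and the very next line `kubeClient, err = k8s.PerNodeK8sClient(...)` overwrites `err`, so the bad value is silently turned into a zero-lifetime certificate request instead of a startup error. The parse error should be returned immediately and, since this is a client-certificate lifetime, non-positive values should be rejected as well. This assumes `server.go` imports `time` (its import block is outside this section); `NewCNIServer` starts before the hunk.
```go
certDuration := DefaultCertDuration
if perNodeCertConfig.CertDuration != "" {
	certDuration, err = time.ParseDuration(perNodeCertConfig.CertDuration)
	if err != nil {
		return nil, logging.Errorf("invalid certDuration %q in perNodeCertificate config: %v", perNodeCertConfig.CertDuration, err)
	}
}
if certDuration <= 0 {
	return nil, logging.Errorf("certDuration in perNodeCertificate config must be positive, got %v", certDuration)
}
// … unchanged: PerNodeK8sClient call and error handling …
```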
4 changes: 4 additions & 0 deletions pkg/server/types.go
Expand Up @@ -16,6 +16,7 @@ package server

import (
"net/http"
"time"

"github.com/containernetworking/cni/pkg/invoke"

Expand All @@ -34,6 +35,8 @@ const (
DefaultMultusDaemonConfigFile = "/etc/cni/net.d/multus.d/daemon-config.json"
// DefaultMultusRunDir specifies default RunDir for multus
DefaultMultusRunDir = "/run/multus/"
// DefaultCertDuration specifies default duration for certs in per-node-certs config
DefaultCertDuration = 10 * time.Minute
)

// Metrics represents server's metrics.
Expand Down Expand Up @@ -61,6 +64,7 @@ type PerNodeCertificate struct {
Enabled bool `json:"enabled,omitempty"`
BootstrapKubeconfig string `json:"bootstrapKubeconfig,omitempty"`
CertDir string `json:"certDir,omitempty"`
CertDuration string `json:"certDuration,omitempty"`
}

// ControllerNetConf for the controller cni configuration
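Review bot: The new `CertDuration` field of `PerNodeCertificate` carries no comment, while the sibling constant `DefaultCertDuration` is documented, so a reader of the config type cannot tell what format the JSON value takes or what an empty value means. A one-line field comment would close that gap: `// CertDuration is a Go duration string (e.g. "10m") for the per-node certificate lifetime; empty selects DefaultCertDuration.` The "empty selects the default" behavior is what the accompanying server.go change implements, so the comment should be kept in step with it if that fallback ever moves.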
