perf: improve the usage of certificates (openyurtio#475)

we need to specify the usage of certificates of yurt-tunnel components clearly. Refs openyurtio#410
MrGirl · Sep 17, 2021 · 3dc8a1f · 3dc8a1f
1 parent e424b15
commit 3dc8a1f
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 10 deletions.
diff --git a/pkg/yurttunnel/pki/certmanager/certmanager.go b/pkg/yurttunnel/pki/certmanager/certmanager.go
@@ -87,7 +87,13 @@ func NewYurttunnelServerCertManager(
 		fmt.Sprintf(constants.YurttunnelServerCertDir, projectinfo.GetServerName()),
 		constants.YurttunneServerCSRCN,
 		[]string{constants.YurttunneServerCSROrg, constants.YurttunnelCSROrg},
-		dnsNames, ips)
+		dnsNames,
+		[]certificates.KeyUsage{
+			certificates.UsageKeyEncipherment,
+			certificates.UsageDigitalSignature,
+			certificates.UsageServerAuth,
+		},
+		ips)
 }
 
 // NewYurttunnelAgentCertManager creates a certificate manager for
@@ -109,6 +115,11 @@ func NewYurttunnelAgentCertManager(
 		constants.YurttunnelAgentCSRCN,
 		[]string{constants.YurttunnelCSROrg},
 		[]string{os.Getenv("NODE_NAME")},
+		[]certificates.KeyUsage{
+			certificates.UsageKeyEncipherment,
+			certificates.UsageDigitalSignature,
+			certificates.UsageClientAuth,
+		},
 		[]net.IP{net.ParseIP(nodeIP)})
 }
 
@@ -120,7 +131,9 @@ func newCertManager(
 	certDir,
 	commonName string,
 	organizations,
-	dnsNames []string, ipAddrs []net.IP) (certificate.Manager, error) {
+	dnsNames []string,
+	keyUsages []certificates.KeyUsage,
+	ipAddrs []net.IP) (certificate.Manager, error) {
 	certificateStore, err :=
 		store.NewFileStoreWrapper(componentName, certDir, certDir, "", "")
 	if err != nil {
@@ -142,11 +155,9 @@ func newCertManager(
 		ClientFn: func(current *tls.Certificate) (clicert.CertificateSigningRequestInterface, error) {
 			return clientset.CertificatesV1beta1().CertificateSigningRequests(), nil
 		},
-		SignerName:  certificates.LegacyUnknownSignerName,
-		GetTemplate: getTemplate,
-		Usages: []certificates.KeyUsage{
-			certificates.UsageAny,
-		},
+		SignerName:       certificates.LegacyUnknownSignerName,
+		GetTemplate:      getTemplate,
+		Usages:           keyUsages,
 		CertificateStore: certificateStore,
 	})
 	if err != nil {

diff --git a/pkg/yurttunnel/pki/pki.go b/pkg/yurttunnel/pki/pki.go
@@ -29,7 +29,7 @@ import (
 	"k8s.io/client-go/util/certificate"
 )
 
-// GenTGenTLSConfigUseCertMgrAndCertPool generates a TLS configuration
+// GenTLSConfigUseCertMgrAndCertPool generates a TLS configuration
 // using the given certificate manager and x509 CertPool
 func GenTLSConfigUseCertMgrAndCertPool(
 	m certificate.Manager,
@@ -110,7 +110,7 @@ func GenRootCertPool(kubeConfig, caFile string) (*x509.CertPool, error) {
 	return GenCertPoolUseCA(caFile)
 }
 
-// GenTGenTLSConfigUseCertMgrAndCA generates a TLS configuration based on the
+// GenTLSConfigUseCertMgrAndCA generates a TLS configuration based on the
 // given certificate manager and the CA file
 func GenTLSConfigUseCertMgrAndCA(
 	m certificate.Manager,

diff --git a/test/e2e/yurt/yurt.go b/test/e2e/yurt/yurt.go
@@ -94,7 +94,7 @@ func Register() {
 				spec := apiv1.PodSpec{}
 				container := apiv1.Container{}
 				spec.HostNetwork = true
-				spec.NodeSelector = map[string]string{"alibabacloud.com/is-edge-worker": "true"}
+				spec.NodeSelector = map[string]string{"openyurt.io/is-edge-worker": "true"}
 				container.Name = "yurt-test-busybox"
 				container.Image = "busybox"
 				container.Command = []string{"sleep", "3600"}