From 3dc8a1f3e92aea07d89fe21942468cda5e4add4c Mon Sep 17 00:00:00 2001
From: ke-jobs <82319732+ke-jobs@users.noreply.github.com>
Date: Fri, 17 Sep 2021 16:54:50 +0800
Subject: [PATCH] perf: improve the usage of certificates (#475)

we need to specify the usage of certificates of yurt-tunnel components clearly. Refs #410
---
 pkg/yurttunnel/pki/certmanager/certmanager.go | 25 +++++++++++++------
 pkg/yurttunnel/pki/pki.go | 4 +--
 test/e2e/yurt/yurt.go | 2 +-
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/pkg/yurttunnel/pki/certmanager/certmanager.go b/pkg/yurttunnel/pki/certmanager/certmanager.go
index d8d13645df8..10b0cc797d2 100644
--- a/pkg/yurttunnel/pki/certmanager/certmanager.go
+++ b/pkg/yurttunnel/pki/certmanager/certmanager.go
@@ -87,7 +87,13 @@ func NewYurttunnelServerCertManager(
 fmt.Sprintf(constants.YurttunnelServerCertDir, projectinfo.GetServerName()),
 constants.YurttunneServerCSRCN,
 []string{constants.YurttunneServerCSROrg, constants.YurttunnelCSROrg},
- dnsNames, ips)
+ dnsNames,
+ []certificates.KeyUsage{
+ certificates.UsageKeyEncipherment,
+ certificates.UsageDigitalSignature,
+ certificates.UsageServerAuth,
+ },
+ ips)
 }
 
 // NewYurttunnelAgentCertManager creates a certificate manager for
@@ -109,6 +115,11 @@ func NewYurttunnelAgentCertManager(
 constants.YurttunnelAgentCSRCN,
 []string{constants.YurttunnelCSROrg},
 []string{os.Getenv("NODE_NAME")},
+ []certificates.KeyUsage{
+ certificates.UsageKeyEncipherment,
+ certificates.UsageDigitalSignature,
+ certificates.UsageClientAuth,
+ },
 []net.IP{net.ParseIP(nodeIP)})
 }
 
@@ -120,7 +131,9 @@ func newCertManager(
 certDir,
 commonName string,
 organizations,
- dnsNames []string, ipAddrs []net.IP) (certificate.Manager, error) {
+ dnsNames []string,
+ keyUsages []certificates.KeyUsage,
+ ipAddrs []net.IP) (certificate.Manager, error) {
 certificateStore, err :=
 store.NewFileStoreWrapper(componentName, certDir, certDir, "", "")
 if err != nil {
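Review bot: The usage list for the server certificate is an inline literal here, and NewYurttunnelAgentCertManager in the next hunk repeats the same three-element shape with only the last entry changed; naming the two sets at package scope, e.g. `var serverKeyUsages = []certificates.KeyUsage{certificates.UsageKeyEncipherment, certificates.UsageDigitalSignature, certificates.UsageServerAuth}` with an `agentKeyUsages` counterpart ending in `certificates.UsageClientAuth`, would put the per-component policy in one greppable place and keep the two lists from drifting apart. It is also worth stating in the doc comment of NewYurttunnelServerCertManager, which begins before this hunk, that the certificate is requested for server authentication only and must not be reused as a client credential. The function's signature and the start of its body lie outside the hunk.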
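Review bot: The new keyUsages parameter of newCertManager is not described in the function's doc comment, which begins before this hunk; a line such as `// keyUsages is the set of key usages requested in the CSR built for componentName.` would close that gap. Because the slice is handed to the certificate manager unchanged in the later `Usages: keyUsages` hunk, a nil or empty argument would produce a CSR that asks for no usages at all; a guard at the top of the body, `if len(keyUsages) == 0 { return nil, fmt.Errorf("no key usages specified for component %q", componentName) }`, turns that into an immediate, attributable error instead of a hard-to-diagnose CSR failure later. The body of newCertManager continues past the end of the hunk.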
@@ -142,11 +155,9 @@ func newCertManager(
 ClientFn: func(current *tls.Certificate) (clicert.CertificateSigningRequestInterface, error) {
 return clientset.CertificatesV1beta1().CertificateSigningRequests(), nil
 },
- SignerName: certificates.LegacyUnknownSignerName,
- GetTemplate: getTemplate,
- Usages: []certificates.KeyUsage{
- certificates.UsageAny,
- },
+ SignerName: certificates.LegacyUnknownSignerName,
+ GetTemplate: getTemplate,
+ Usages: keyUsages,
 CertificateStore: certificateStore,
 })
 if err != nil {
diff --git a/pkg/yurttunnel/pki/pki.go b/pkg/yurttunnel/pki/pki.go
index 1b0878e544c..c68020568a1 100644
--- a/pkg/yurttunnel/pki/pki.go
+++ b/pkg/yurttunnel/pki/pki.go
@@ -29,7 +29,7 @@ import (
 "k8s.io/client-go/util/certificate"
 )
 
-// GenTGenTLSConfigUseCertMgrAndCertPool generates a TLS configuration
+// GenTLSConfigUseCertMgrAndCertPool generates a TLS configuration
 // using the given certificate manager and x509 CertPool
 func GenTLSConfigUseCertMgrAndCertPool(
 m certificate.Manager,
@@ -110,7 +110,7 @@ func GenRootCertPool(kubeConfig, caFile string) (*x509.CertPool, error) {
 return GenCertPoolUseCA(caFile)
 }
 
-// GenTGenTLSConfigUseCertMgrAndCA generates a TLS configuration based on the
+// GenTLSConfigUseCertMgrAndCA generates a TLS configuration based on the
 // given certificate manager and the CA file
 func GenTLSConfigUseCertMgrAndCA(
 m certificate.Manager,
diff --git a/test/e2e/yurt/yurt.go b/test/e2e/yurt/yurt.go
index 00076952294..5694f0f52a8 100644
--- a/test/e2e/yurt/yurt.go
+++ b/test/e2e/yurt/yurt.go
@@ -94,7 +94,7 @@ func Register() {
 spec := apiv1.PodSpec{}
 container := apiv1.Container{}
 spec.HostNetwork = true
- spec.NodeSelector = map[string]string{"alibabacloud.com/is-edge-worker": "true"}
+ spec.NodeSelector = map[string]string{"openyurt.io/is-edge-worker": "true"}
 container.Name = "yurt-test-busybox"
 container.Image = "busybox"
 container.Command = []string{"sleep", "3600"}
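Review bot: Narrowing Usages to keyUsages only takes effect if the signer honours the requested set, and the unchanged `SignerName: certificates.LegacyUnknownSignerName` two lines above means no Kubernetes built-in signer issues these certificates, so whichever component approves and signs the CSRs (not visible here) must carry spec.usages into the issued certificate's key-usage extensions for this change to restrict anything. A comment on the new line, `// Usages is only the request; the issuing signer decides which usages end up in the certificate.`, would keep that dependency visible to the next maintainer. Separately, the client is still obtained via `CertificatesV1beta1()` in the context above; that API version has since been deprecated in favour of certificates.k8s.io/v1, which to my knowledge does not accept the legacy-unknown signer, so the signer name and the client version will need to move together. newCertManager continues outside the hunk.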