From 0c8f3b4449d6631aacd92f920604e05521d87638 Mon Sep 17 00:00:00 2001 From: chentao <421224811@qq.com> Date: Fri, 18 Jun 2021 14:41:57 +0800 Subject: [PATCH] fix the error when cert-mgr-mode set to kubelet --- cmd/yurthub/app/options/options.go | 2 +- cmd/yurthub/app/start.go | 11 +- pkg/yurthub/certificate/hubself/cert_mgr.go | 101 ++++++--------- .../certificate/interfaces/interfaces.go | 3 +- pkg/yurthub/certificate/kubelet/cert_mgr.go | 48 ++------ pkg/yurthub/gc/gc.go | 9 +- pkg/yurthub/restconfig/restconfig.go | 115 ++++++++++++++++++ pkg/yurthub/transport/transport.go | 7 -- pkg/yurthub/util/util.go | 29 +++-- 9 files changed, 196 insertions(+), 129 deletions(-) create mode 100644 pkg/yurthub/restconfig/restconfig.go diff --git a/cmd/yurthub/app/options/options.go b/cmd/yurthub/app/options/options.go index f4bb0aa3287..37cc0cea12d 100644 --- a/cmd/yurthub/app/options/options.go +++ b/cmd/yurthub/app/options/options.go @@ -62,7 +62,7 @@ func NewYurtHubOptions() *YurtHubOptions { YurtHubProxyPort: "10261", YurtHubPort: "10267", GCFrequency: 120, - CertMgrMode: "hubself", + CertMgrMode: util.YurtHubCertificateManagerName, LBMode: "rr", HeartbeatFailedRetry: 3, HeartbeatHealthyThreshold: 2, diff --git a/cmd/yurthub/app/start.go b/cmd/yurthub/app/start.go index 137dfe8cc13..9d0bc3f60c3 100644 --- a/cmd/yurthub/app/start.go +++ b/cmd/yurthub/app/start.go @@ -30,6 +30,7 @@ import ( "github.com/openyurtio/openyurt/pkg/yurthub/healthchecker" "github.com/openyurtio/openyurt/pkg/yurthub/network" "github.com/openyurtio/openyurt/pkg/yurthub/proxy" + "github.com/openyurtio/openyurt/pkg/yurthub/restconfig" "github.com/openyurtio/openyurt/pkg/yurthub/server" "github.com/openyurtio/openyurt/pkg/yurthub/transport" @@ -110,6 +111,14 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error { healthChecker.Run() trace++ + klog.Infof("%d. new restConfig manager for %s mode", trace, cfg.CertMgrMode) + restConfigMgr, err := restconfig.NewRestConfigManager(cfg, certManager, healthChecker) + if err != nil { + klog.Errorf("could not new restConfig manager, %v", err) + return err + } + trace++ + klog.Infof("%d. new cache manager with storage wrapper and serializer manager", trace) cacheMgr, err := cachemanager.NewCacheManager(cfg.StorageWrapper, cfg.SerializerManager) if err != nil { @@ -119,7 +128,7 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error { trace++ klog.Infof("%d. new gc manager for node %s, and gc frequency is a random time between %d min and %d min", trace, cfg.NodeName, cfg.GCFrequency, 3*cfg.GCFrequency) - gcMgr, err := gc.NewGCManager(cfg, transportManager, stopCh) + gcMgr, err := gc.NewGCManager(cfg, transportManager, restConfigMgr, stopCh) if err != nil { klog.Errorf("could not new gc manager, %v", err) return err diff --git a/pkg/yurthub/certificate/hubself/cert_mgr.go b/pkg/yurthub/certificate/hubself/cert_mgr.go index 2a11f9b4fca..afd54dc33bf 100644 --- a/pkg/yurthub/certificate/hubself/cert_mgr.go +++ b/pkg/yurthub/certificate/hubself/cert_mgr.go @@ -50,22 +50,21 @@ import ( ) const ( - CertificateManagerName = "hubself" - HubName = "yurthub" - HubRootDir = "/var/lib/" - HubPkiDirName = "pki" - HubCaFileName = "ca.crt" - HubConfigFileName = "%s.conf" - BootstrapConfigFileName = "bootstrap-hub.conf" - BootstrapUser = "token-bootstrap-client" - DefaultClusterName = "kubernetes" - ClusterInfoName = "cluster-info" - KubeconfigName = "kubeconfig" + yurtHubName = "yurthub" + hubRootDir = "/var/lib/" + hubPkiDirName = "pki" + hubCaFileName = "ca.crt" + hubConfigFileName = "%s.conf" + bootstrapConfigFileName = "bootstrap-hub.conf" + bootstrapUser = "token-bootstrap-client" + defaultClusterName = "kubernetes" + clusterInfoName = "cluster-info" + kubeconfigName = "kubeconfig" ) // Register registers a YurtCertificateManager func Register(cmr *hubcert.CertificateManagerRegistry) { - cmr.Register(CertificateManagerName, func(cfg *config.YurtHubConfiguration) (interfaces.YurtCertificateManager, error) { + cmr.Register(util.YurtHubCertificateManagerName, func(cfg *config.YurtHubConfiguration) (interfaces.YurtCertificateManager, error) { return NewYurtHubCertManager(cfg) }) } @@ -92,12 +91,12 @@ func NewYurtHubCertManager(cfg *config.YurtHubConfiguration) (interfaces.YurtCer hubName := projectinfo.GetHubName() if len(hubName) == 0 { - hubName = HubName + hubName = yurtHubName } rootDir := cfg.RootDir if len(rootDir) == 0 { - rootDir = filepath.Join(HubRootDir, hubName) + rootDir = filepath.Join(hubRootDir, hubName) } ycm := &yurtHubCertManager{ @@ -185,44 +184,16 @@ func (ycm *yurtHubCertManager) Update(cfg *config.YurtHubConfiguration) error { return nil } -// GetRestConfig get rest client config from hub agent conf file. -func (ycm *yurtHubCertManager) GetRestConfig() *restclient.Config { - healthyServer := ycm.remoteServers[0] - if healthyServer == nil { - klog.Infof("all of remote servers are unhealthy, so return nil for rest config") - return nil - } - - // certificate expired, rest config can not be used to connect remote server, - // so return nil for rest config - if ycm.Current() == nil { - klog.Infof("certificate expired, so return nil for rest config") - return nil - } - - hubConfFile := ycm.getHubConfFile() - if isExist, _ := util.FileExists(hubConfFile); isExist { - cfg, err := util.LoadRESTClientConfig(hubConfFile) - if err != nil { - klog.Errorf("could not get rest config for %s, %v", hubConfFile, err) - return nil - } - - // re-fix host connecting healthy server - cfg.Host = healthyServer.String() - klog.Infof("re-fix hub rest config host successfully with server %s", cfg.Host) - return cfg - } - - klog.Errorf("%s config file(%s) is not exist", ycm.hubName, hubConfFile) - return nil -} - // GetCaFile returns the path of ca file func (ycm *yurtHubCertManager) GetCaFile() string { return ycm.caFile } +// GetConfFile returns the path of yurtHub config file path +func (ycm *yurtHubCertManager) GetConfFilePath() string { + return ycm.getHubConfFile() +} + // NotExpired returns hub client cert is expired or not. // True: not expired // False: expired @@ -258,13 +229,13 @@ func (ycm *yurtHubCertManager) initCaCert() error { } // make sure configMap kube-public/cluster-info in k8s cluster beforehand - insecureClusterInfo, err := insecureClient.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(context.Background(), ClusterInfoName, metav1.GetOptions{}) + insecureClusterInfo, err := insecureClient.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(context.Background(), clusterInfoName, metav1.GetOptions{}) if err != nil { klog.Errorf("failed to get cluster-info configmap, %v", err) return err } - kubeconfigStr, ok := insecureClusterInfo.Data[KubeconfigName] + kubeconfigStr, ok := insecureClusterInfo.Data[kubeconfigName] if !ok || len(kubeconfigStr) == 0 { return fmt.Errorf("no kubeconfig in cluster-info configmap of kube-public namespace") } @@ -300,7 +271,7 @@ func (ycm *yurtHubCertManager) initBootstrap() error { } ycm.bootstrapConfStore = bootstrapConfStore - contents, err := ycm.bootstrapConfStore.Get(BootstrapConfigFileName) + contents, err := ycm.bootstrapConfStore.Get(bootstrapConfigFileName) if err == storage.ErrStorageNotFound { klog.Infof("%s bootstrap conf file does not exist, so create it", ycm.hubName) return ycm.createBootstrapConfFile(ycm.joinToken) @@ -462,39 +433,39 @@ func (ycm *yurtHubCertManager) initHubConf() error { // getPkiDir returns the directory for storing hub agent pki func (ycm *yurtHubCertManager) getPkiDir() string { - return filepath.Join(ycm.rootDir, HubPkiDirName) + return filepath.Join(ycm.rootDir, hubPkiDirName) } // getCaFile returns the path of ca file func (ycm *yurtHubCertManager) getCaFile() string { - return filepath.Join(ycm.getPkiDir(), HubCaFileName) + return filepath.Join(ycm.getPkiDir(), hubCaFileName) } // getBootstrapConfFile returns the path of bootstrap conf file func (ycm *yurtHubCertManager) getBootstrapConfFile() string { - return filepath.Join(ycm.rootDir, BootstrapConfigFileName) + return filepath.Join(ycm.rootDir, bootstrapConfigFileName) } // getHubConfFile returns the path of hub agent conf file. func (ycm *yurtHubCertManager) getHubConfFile() string { - return filepath.Join(ycm.rootDir, fmt.Sprintf(HubConfigFileName, ycm.hubName)) + return filepath.Join(ycm.rootDir, fmt.Sprintf(hubConfigFileName, ycm.hubName)) } // createBasic create basic client cmd config func createBasic(apiServerAddr string, caCert []byte) *clientcmdapi.Config { - contextName := fmt.Sprintf("%s@%s", BootstrapUser, DefaultClusterName) + contextName := fmt.Sprintf("%s@%s", bootstrapUser, defaultClusterName) return &clientcmdapi.Config{ Clusters: map[string]*clientcmdapi.Cluster{ - DefaultClusterName: { + defaultClusterName: { Server: apiServerAddr, CertificateAuthorityData: caCert, }, }, Contexts: map[string]*clientcmdapi.Context{ contextName: { - Cluster: DefaultClusterName, - AuthInfo: BootstrapUser, + Cluster: defaultClusterName, + AuthInfo: bootstrapUser, }, }, AuthInfos: map[string]*clientcmdapi.AuthInfo{}, @@ -508,7 +479,7 @@ func createInsecureRestClientConfig(remoteServer *url.URL) (*restclient.Config, return nil, fmt.Errorf("no healthy remote server") } cfg := createBasic(remoteServer.String(), []byte{}) - cfg.Clusters[DefaultClusterName].InsecureSkipTLSVerify = true + cfg.Clusters[defaultClusterName].InsecureSkipTLSVerify = true restConfig, err := clientcmd.NewDefaultClientConfig(*cfg, &clientcmd.ConfigOverrides{}).ClientConfig() if err != nil { @@ -536,7 +507,7 @@ func createBootstrapConf(apiServerAddr, caFile, joinToken string) *clientcmdapi. } cfg := createBasic(apiServerAddr, caCert) - cfg.AuthInfos[BootstrapUser] = &clientcmdapi.AuthInfo{Token: joinToken} + cfg.AuthInfos[bootstrapUser] = &clientcmdapi.AuthInfo{Token: joinToken} return cfg } @@ -559,7 +530,7 @@ func (ycm *yurtHubCertManager) createBootstrapConfFile(joinToken string) error { return err } - err = ycm.bootstrapConfStore.Update(BootstrapConfigFileName, content) + err = ycm.bootstrapConfStore.Update(bootstrapConfigFileName, content) if err != nil { klog.Errorf("could not create bootstrap conf file(%s), %v", ycm.getBootstrapConfFile(), err) return err @@ -586,21 +557,21 @@ func (ycm *yurtHubCertManager) updateBootstrapConfFile(joinToken string) error { return fmt.Errorf("could not load bootstrap conf file(%s), %v", ycm.getBootstrapConfFile(), err) } - if curKubeConfig.AuthInfos[BootstrapUser] != nil { - if curKubeConfig.AuthInfos[BootstrapUser].Token == joinToken { + if curKubeConfig.AuthInfos[bootstrapUser] != nil { + if curKubeConfig.AuthInfos[bootstrapUser].Token == joinToken { klog.Infof("join token for %s bootstrap conf file is not changed", ycm.hubName) return nil } } - curKubeConfig.AuthInfos[BootstrapUser] = &clientcmdapi.AuthInfo{Token: joinToken} + curKubeConfig.AuthInfos[bootstrapUser] = &clientcmdapi.AuthInfo{Token: joinToken} content, err := clientcmd.Write(*curKubeConfig) if err != nil { klog.Errorf("could not update bootstrap config into bytes, %v", err) return err } - err = ycm.bootstrapConfStore.Update(BootstrapConfigFileName, content) + err = ycm.bootstrapConfStore.Update(bootstrapConfigFileName, content) if err != nil { klog.Errorf("could not update bootstrap config, %v", err) return err diff --git a/pkg/yurthub/certificate/interfaces/interfaces.go b/pkg/yurthub/certificate/interfaces/interfaces.go index 32c1489f8a3..3d3f0f6a812 100644 --- a/pkg/yurthub/certificate/interfaces/interfaces.go +++ b/pkg/yurthub/certificate/interfaces/interfaces.go @@ -19,7 +19,6 @@ package interfaces import ( "github.com/openyurtio/openyurt/cmd/yurthub/app/config" - "k8s.io/client-go/rest" "k8s.io/client-go/util/certificate" ) @@ -27,7 +26,7 @@ import ( type YurtCertificateManager interface { certificate.Manager Update(cfg *config.YurtHubConfiguration) error - GetRestConfig() *rest.Config + GetConfFilePath() string GetCaFile() string NotExpired() bool } diff --git a/pkg/yurthub/certificate/kubelet/cert_mgr.go b/pkg/yurthub/certificate/kubelet/cert_mgr.go index 026c470503d..86c3b3dacd3 100644 --- a/pkg/yurthub/certificate/kubelet/cert_mgr.go +++ b/pkg/yurthub/certificate/kubelet/cert_mgr.go @@ -28,25 +28,20 @@ import ( "github.com/openyurtio/openyurt/cmd/yurthub/app/config" "github.com/openyurtio/openyurt/pkg/yurthub/certificate" "github.com/openyurtio/openyurt/pkg/yurthub/certificate/interfaces" - "github.com/openyurtio/openyurt/pkg/yurthub/healthchecker" "github.com/openyurtio/openyurt/pkg/yurthub/util" "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/client-go/rest" "k8s.io/klog" ) const ( - certificateManagerName = "kubelet" - defaultPairDir = "/var/lib/kubelet/pki" - defaultPairFile = "kubelet-client-current.pem" - defaultCaFile = "/etc/kubernetes/pki/ca.crt" - certVerifyDuration = 30 * time.Minute + defaultPairFile = "kubelet-client-current.pem" + certVerifyDuration = 30 * time.Minute ) // Register registers a YurtCertificateManager func Register(cmr *certificate.CertificateManagerRegistry) { - cmr.Register(certificateManagerName, func(cfg *config.YurtHubConfiguration) (interfaces.YurtCertificateManager, error) { + cmr.Register(util.KubeletCertificateManagerName, func(cfg *config.YurtHubConfiguration) (interfaces.YurtCertificateManager, error) { return NewKubeletCertManager(cfg, 0, "") }) } @@ -59,7 +54,6 @@ type kubeletCertManager struct { remoteServers []*url.URL caFile string certVerifyDuration time.Duration - checker healthchecker.HealthChecker stopped bool } @@ -76,9 +70,10 @@ func NewKubeletCertManager(cfg *config.YurtHubConfiguration, period time.Duratio } if len(certDir) == 0 { - certDir = defaultPairDir + pairFile = util.DefaultKubeletPairFilePath + } else { + pairFile = filepath.Join(certDir, defaultPairFile) } - pairFile = filepath.Join(certDir, defaultPairFile) if pairFileExists, err := util.FileExists(pairFile); err != nil { return nil, err @@ -94,17 +89,12 @@ func NewKubeletCertManager(cfg *config.YurtHubConfiguration, period time.Duratio pairFile: pairFile, cert: cert, remoteServers: cfg.RemoteServers, - caFile: defaultCaFile, + caFile: util.DefaultKubeletRootCAFilePath, certVerifyDuration: period, stopCh: make(chan struct{}), }, nil } -// SetHealthChecker set healthChecker -func (kcm *kubeletCertManager) SetHealthChecker(checker healthchecker.HealthChecker) { - kcm.checker = checker -} - // Stop stop cert manager func (kcm *kubeletCertManager) Stop() { kcm.certAccessLock.Lock() @@ -157,25 +147,9 @@ func (kcm *kubeletCertManager) GetCaFile() string { return kcm.caFile } -// GetRestConfig get *rest.Config from kubelet.conf -func (kcm *kubeletCertManager) GetRestConfig() *rest.Config { - var s *url.URL - for _, server := range kcm.remoteServers { - if kcm.checker.IsHealthy(server) { - s = server - break - } - } - if s == nil { - return nil - } - - cfg, err := util.LoadKubeletRestClientConfig(s) - if err != nil { - klog.Errorf("could not load kubelet rest client config, %v", err) - return nil - } - return cfg +// GetConfFile get an kube-config file path, but the kubelet mode just using the ca and pair, so return empty +func (kcm *kubeletCertManager) GetConfFilePath() string { + return "" } func (kcm *kubeletCertManager) NotExpired() bool { @@ -195,7 +169,7 @@ func (kcm *kubeletCertManager) updateCert(c *tls.Certificate) { } // Update do nothing -func (kcm *kubeletCertManager) Update(cfg *config.YurtHubConfiguration) error { +func (kcm *kubeletCertManager) Update(_ *config.YurtHubConfiguration) error { return nil } diff --git a/pkg/yurthub/gc/gc.go b/pkg/yurthub/gc/gc.go index 3a72b68ce3c..892af296482 100644 --- a/pkg/yurthub/gc/gc.go +++ b/pkg/yurthub/gc/gc.go @@ -23,6 +23,7 @@ import ( "github.com/openyurtio/openyurt/cmd/yurthub/app/config" "github.com/openyurtio/openyurt/pkg/yurthub/cachemanager" + "github.com/openyurtio/openyurt/pkg/yurthub/restconfig" "github.com/openyurtio/openyurt/pkg/yurthub/transport" "github.com/openyurtio/openyurt/pkg/yurthub/util" @@ -43,6 +44,7 @@ var ( type GCManager struct { store cachemanager.StorageWrapper transportManager transport.Interface + restConfigManager *restconfig.RestConfigManager nodeName string eventsGCFrequency time.Duration lastTime time.Time @@ -50,7 +52,7 @@ type GCManager struct { } // NewGCManager creates a *GCManager object -func NewGCManager(cfg *config.YurtHubConfiguration, transportManager transport.Interface, stopCh <-chan struct{}) (*GCManager, error) { +func NewGCManager(cfg *config.YurtHubConfiguration, transportManager transport.Interface, restConfigManager *restconfig.RestConfigManager, stopCh <-chan struct{}) (*GCManager, error) { gcFrequency := cfg.GCFrequency if gcFrequency == 0 { gcFrequency = defaultEventGcInterval @@ -59,6 +61,7 @@ func NewGCManager(cfg *config.YurtHubConfiguration, transportManager transport.I store: cfg.StorageWrapper, transportManager: transportManager, nodeName: cfg.NodeName, + restConfigManager: restConfigManager, eventsGCFrequency: time.Duration(gcFrequency) * time.Minute, stopCh: stopCh, } @@ -73,7 +76,7 @@ func (m *GCManager) Run() { go wait.JitterUntil(func() { klog.V(2).Infof("start gc events after waiting %v from previous gc", time.Since(m.lastTime)) m.lastTime = time.Now() - cfg := m.transportManager.GetRestClientConfig() + cfg := m.restConfigManager.GetRestConfig() if cfg == nil { klog.Errorf("could not get rest config, so skip gc") return @@ -96,7 +99,7 @@ func (m *GCManager) gcPodsWhenRestart() error { } klog.Infof("list pod keys from storage, total: %d", len(localPodKeys)) - cfg := m.transportManager.GetRestClientConfig() + cfg := m.restConfigManager.GetRestConfig() if cfg == nil { klog.Errorf("could not get rest config, so skip gc pods when restart") return err diff --git a/pkg/yurthub/restconfig/restconfig.go b/pkg/yurthub/restconfig/restconfig.go new file mode 100644 index 00000000000..fa880030e4f --- /dev/null +++ b/pkg/yurthub/restconfig/restconfig.go @@ -0,0 +1,115 @@ +/* +Copyright 2021 The OpenYurt Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package restconfig + +import ( + "net/url" + + "github.com/openyurtio/openyurt/cmd/yurthub/app/config" + "github.com/openyurtio/openyurt/pkg/projectinfo" + "github.com/openyurtio/openyurt/pkg/yurthub/certificate/interfaces" + "github.com/openyurtio/openyurt/pkg/yurthub/healthchecker" + "github.com/openyurtio/openyurt/pkg/yurthub/util" + + "k8s.io/client-go/rest" + "k8s.io/klog" +) + +type RestConfigManager struct { + remoteServers []*url.URL + certMgrMode string + checker healthchecker.HealthChecker + certManager interfaces.YurtCertificateManager +} + +// NewRestConfigManager creates a *RestConfigManager object +func NewRestConfigManager(cfg *config.YurtHubConfiguration, certMgr interfaces.YurtCertificateManager, healthChecker healthchecker.HealthChecker) (*RestConfigManager, error) { + mgr := &RestConfigManager{ + remoteServers: cfg.RemoteServers, + certMgrMode: cfg.CertMgrMode, + checker: healthChecker, + certManager: certMgr, + } + return mgr, nil +} + +func (rcm *RestConfigManager) GetRestConfig() *rest.Config { + certMgrMode := rcm.certMgrMode + switch certMgrMode { + case util.YurtHubCertificateManagerName: + return rcm.getHubselfRestConfig() + case util.KubeletCertificateManagerName: + return rcm.getKubeletRestConfig() + default: + return nil + } +} + +func (rcm *RestConfigManager) getKubeletRestConfig() *rest.Config { + healthyServer := rcm.getHealthyServer() + if healthyServer == nil { + klog.Infof("all of remote servers are unhealthy, so return nil for rest config") + return nil + } + cfg, err := util.LoadKubeletRestClientConfig(healthyServer) + if err != nil { + klog.Errorf("could not load kubelet rest client config, %v", err) + return nil + } + return cfg +} + +func (rcm *RestConfigManager) getHubselfRestConfig() *rest.Config { + healthyServer := rcm.getHealthyServer() + if healthyServer == nil { + klog.Infof("all of remote servers are unhealthy, so return nil for rest config") + return nil + } + + // certificate expired, rest config can not be used to connect remote server, + // so return nil for rest config + if rcm.certManager.Current() == nil { + klog.Infof("certificate expired, so return nil for rest config") + return nil + } + + hubConfFile := rcm.certManager.GetConfFilePath() + if isExist, _ := util.FileExists(hubConfFile); isExist { + cfg, err := util.LoadRESTClientConfig(hubConfFile) + if err != nil { + klog.Errorf("could not get rest config for %s, %v", hubConfFile, err) + return nil + } + + // re-fix host connecting healthy server + cfg.Host = healthyServer.String() + klog.Infof("re-fix hub rest config host successfully with server %s", cfg.Host) + return cfg + } + + klog.Errorf("%s config file(%s) is not exist", projectinfo.GetHubName(), hubConfFile) + return nil +} + +func (rcm *RestConfigManager) getHealthyServer() *url.URL { + for _, server := range rcm.remoteServers { + if rcm.checker.IsHealthy(server) { + return server + } + } + return nil +} diff --git a/pkg/yurthub/transport/transport.go b/pkg/yurthub/transport/transport.go index 931834e85c6..03f422281d6 100644 --- a/pkg/yurthub/transport/transport.go +++ b/pkg/yurthub/transport/transport.go @@ -28,7 +28,6 @@ import ( "github.com/openyurtio/openyurt/pkg/yurthub/util" utilnet "k8s.io/apimachinery/pkg/util/net" "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/client-go/rest" "k8s.io/klog" ) @@ -37,8 +36,6 @@ type Interface interface { // concurrent use by multiple goroutines // CurrentTransport get transport that used by load balancer CurrentTransport() *http.Transport - // GetRestClientConfig get rest config that used by gc - GetRestClientConfig() *rest.Config // close all net connections that specified by address Close(address string) } @@ -86,10 +83,6 @@ func NewTransportManager(certMgr interfaces.YurtCertificateManager, stopCh <-cha return tm, nil } -func (tm *transportManager) GetRestClientConfig() *rest.Config { - return tm.certManager.GetRestConfig() -} - func (tm *transportManager) CurrentTransport() *http.Transport { return tm.currentTransport } diff --git a/pkg/yurthub/util/util.go b/pkg/yurthub/util/util.go index 5e204610bb6..afcda72b03a 100644 --- a/pkg/yurthub/util/util.go +++ b/pkg/yurthub/util/util.go @@ -43,6 +43,14 @@ import ( type ProxyKeyType int const ( + // YurtHubCertificateManagerName represents the certificateManager name in yurthub mode + YurtHubCertificateManagerName = "hubself" + // KubeletCertificateManagerName represents the certificateManager name in kubelet mode + KubeletCertificateManagerName = "kubelet" + // DefaultKubeletPairFilePath represents the default kubelet pair file path + DefaultKubeletPairFilePath = "/var/lib/kubelet/pki/kubelet-client-current.pem" + // DefaultKubeletRootCAFilePath represents the default kubelet ca file path + DefaultKubeletRootCAFilePath = "/etc/kubernetes/pki/ca.crt" // ProxyReqContentType represents request content type context key ProxyReqContentType ProxyKeyType = iota // ProxyRespContentType represents response content type context key @@ -283,7 +291,7 @@ func IsSupportedLBMode(lbMode string) bool { // IsSupportedCertMode check cert mode is supported or not func IsSupportedCertMode(certMode string) bool { switch certMode { - case "kubelet", "hubself": + case KubeletCertificateManagerName, YurtHubCertificateManagerName: return true } @@ -302,23 +310,18 @@ func FileExists(filename string) (bool, error) { // LoadKubeletRestClientConfig load *rest.Config for accessing healthyServer func LoadKubeletRestClientConfig(healthyServer *url.URL) (*rest.Config, error) { - const ( - pairFile = "/var/lib/kubelet/pki/kubelet-client-current.pem" - rootCAFile = "/etc/kubernetes/pki/ca.crt" - ) - tlsClientConfig := rest.TLSClientConfig{} - if _, err := certutil.NewPool(rootCAFile); err != nil { - klog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err) + if _, err := certutil.NewPool(DefaultKubeletRootCAFilePath); err != nil { + klog.Errorf("Expected to load root CA config from %s, but got err: %v", DefaultKubeletRootCAFilePath, err) } else { - tlsClientConfig.CAFile = rootCAFile + tlsClientConfig.CAFile = DefaultKubeletRootCAFilePath } - if can, _ := certutil.CanReadCertAndKey(pairFile, pairFile); !can { - return nil, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", pairFile) + if can, _ := certutil.CanReadCertAndKey(DefaultKubeletPairFilePath, DefaultKubeletPairFilePath); !can { + return nil, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", DefaultKubeletPairFilePath) } - tlsClientConfig.KeyFile = pairFile - tlsClientConfig.CertFile = pairFile + tlsClientConfig.KeyFile = DefaultKubeletPairFilePath + tlsClientConfig.CertFile = DefaultKubeletPairFilePath return &rest.Config{ Host: healthyServer.String(),