From 301fb73952dc5b9e451996b3cf645bb2b180e725 Mon Sep 17 00:00:00 2001
From: Brian Downs
Date: Wed, 2 Sep 2020 19:15:09 -0700
Subject: [PATCH] add node ip to the request header for cert gen
Signed-off-by: Brian Downs
---
 pkg/agent/config/config.go | 15 ++++++++-------
 pkg/server/router.go | 7 ++++++-
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index fd018ace78..3925820916 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -63,7 +63,7 @@ func Request(path string, info *clientaccess.Info, requester HTTPRequester) ([]b return requester(u.String(), clientaccess.GetHTTPClient(info.CACerts), username, password) } -func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester { +func getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile string) HTTPRequester { return func(u string, client *http.Client, username, password string) ([]byte, error) { req, err := http.NewRequest(http.MethodGet, u, nil) if err != nil {
@@ -80,6 +80,7 @@ func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester { return nil, err } req.Header.Set(version.Program+"-Node-Password", nodePassword) + req.Header.Set("X-K3S-NODE-IP", nodeIP) resp, err := client.Do(req) if err != nil {
@@ -142,8 +143,8 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string) } } -func getServingCert(nodeName, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) (*tls.Certificate, error) { - servingCert, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodePasswordFile)) +func getServingCert(nodeName, nodeIP, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) (*tls.Certificate, error) { + servingCert, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile)) if err != nil { return nil, err }
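Review bot: The header name added in getNodeNamedCrt (second hunk) is the literal `"X-K3S-NODE-IP"`, while the password header on the line just above it is derived from `version.Program+"-Node-Password"`; a build with a different version.Program would therefore still send a k3s-prefixed header, and agent and server only stay in agreement because both sides hard-code the same string. Prefer `req.Header.Set(version.Program+"-Node-IP", nodeIP)` with the matching lookup in servingKubeletCert in pkg/server/router.go, or a single exported constant both packages import. The value is also sent unconditionally when nodeIP is empty; the server skips empty values, so this is harmless, but a why-comment on the Set line such as `// advertised so the server can include it as an IP SAN in the serving cert` would make the purpose of the header clear to the next reader. getNodeNamedCrt's closure continues outside the hunk.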
@@ -205,9 +206,9 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) { return } -func getNodeNamedHostFile(filename, keyFile, nodeName, nodePasswordFile string, info *clientaccess.Info) error { +func getNodeNamedHostFile(filename, keyFile, nodeName, nodeIP, nodePasswordFile string, info *clientaccess.Info) error { basename := filepath.Base(filename) - fileBytes, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodePasswordFile)) + fileBytes, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile)) if err != nil { return err }
@@ -359,14 +360,14 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) { nodeName += "-" + nodeID } - servingCert, err := getServingCert(nodeName, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info) + servingCert, err := getServingCert(nodeName, nodeIP, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info) if err != nil { return nil, err } clientKubeletCert := filepath.Join(envInfo.DataDir, "client-kubelet.crt") clientKubeletKey := filepath.Join(envInfo.DataDir, "client-kubelet.key") - if err := getNodeNamedHostFile(clientKubeletCert, clientKubeletKey, nodeName, newNodePasswordFile, info); err != nil { + if err := getNodeNamedHostFile(clientKubeletCert, clientKubeletKey, nodeName, nodeIP, newNodePasswordFile, info); err != nil { return nil, err }
diff --git a/pkg/server/router.go b/pkg/server/router.go
index 316d6d45df..c09df22c61 100644
--- a/pkg/server/router.go
+++ b/pkg/server/router.go
@@ -141,12 +141,17 @@ func servingKubeletCert(server *config.Control, keyFile string) http.Handler { return } + ips := []net.IP{net.ParseIP("127.0.0.1")} + if nodeIP := req.Header.Get("X-K3S-NODE-IP"); nodeIP != "" { + ips = append(ips, net.ParseIP(nodeIP)) + } + cert, err := certutil.NewSignedCert(certutil.Config{ CommonName: nodeName, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, AltNames: certutil.AltNames{ DNSNames: []string{nodeName, "localhost"}, - IPs: []net.IP{net.ParseIP("127.0.0.1")}, + IPs: ips, }, }, key, caCert[0], caKey) if err != nil {
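Review bot: `net.ParseIP(nodeIP)` on the new `ips = append(...)` line returns nil for any value that is not a valid IP, and that nil is appended to the SAN list unchecked, so a malformed header value reaches certutil.NewSignedCert as a nil net.IP instead of being rejected. Guard the parse result, `if ip := net.ParseIP(nodeIP); ip != nil { ips = append(ips, ip) }`, and preferably answer a non-empty value that fails to parse with a 400 so the agent sees the problem rather than receiving a certificate without the SAN it asked for. Separately, the header is client-asserted: nothing in this hunk compares it with the connection's remote address or with the node's recorded addresses, so unless that check happens elsewhere in the handler (not visible here) a node that passes the earlier checks can have any IP it names placed in its serving certificate; comparing against `req.RemoteAddr` or the registered node address and logging a mismatch would bound that. servingKubeletCert starts before this hunk and continues after it.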