feat: add yurtadm renew certificate

Signed-off-by: HIHIA <283304489@qq.com>

pkg/yurtadm/cmd/cmd.go

@@ -28,6 +28,7 @@ import (
 	"github.com/openyurtio/openyurt/pkg/projectinfo"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/docs"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/join"
+	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/renew"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/reset"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/token"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/yurtinit"
@@ -50,6 +51,7 @@ func NewYurtadmCommand() *cobra.Command {
 	cmds.AddCommand(reset.NewCmdReset(os.Stdin, os.Stdout, os.Stderr))
 	cmds.AddCommand(token.NewCmdToken(os.Stdin, os.Stdout, os.Stderr))
 	cmds.AddCommand(docs.NewDocsCmd(cmds))
+	cmds.AddCommand(renew.NewCmdRenew(os.Stdin, os.Stdout, os.Stderr))
 
 	klog.InitFlags(nil)
 	// goflag.Parse()

pkg/yurtadm/cmd/join/phases/postcheck.go

@@ -17,64 +17,31 @@ limitations under the License.
 package phases
 
 import (
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/join/joindata"
-	"github.com/openyurtio/openyurt/pkg/yurtadm/constants"
-	"github.com/openyurtio/openyurt/pkg/yurtadm/util/initsystem"
+	"github.com/openyurtio/openyurt/pkg/yurtadm/util/kubernetes"
+	"github.com/openyurtio/openyurt/pkg/yurtadm/util/yurthub"
 )
 
-// RunPostCheck executes the node health check process.
+// RunPostCheck executes the node health check and clean process.
 func RunPostCheck(data joindata.YurtJoinData) error {
 	klog.V(1).Infof("check kubelet status.")
-	if err := checkKubeletStatus(); err != nil {
+	if err := kubernetes.CheckKubeletStatus(); err != nil {
 		return err
 	}
 	klog.V(1).Infof("kubelet service is active")
 
 	klog.V(1).Infof("waiting hub agent ready.")
-	if err := checkYurthubHealthz(data); err != nil {
+	if err := yurthub.CheckYurthubHealthz(data.YurtHubServer()); err != nil {
 		return err
 	}
 	klog.V(1).Infof("hub agent is ready")
 
-	return nil
-}
-
-// checkKubeletStatus check if kubelet is healthy.
-func checkKubeletStatus() error {
-	initSystem, err := initsystem.GetInitSystem()
-	if err != nil {
+	if err := yurthub.CleanHubBootstrapConfig(); err != nil {
 		return err
 	}
-	if ok := initSystem.ServiceIsActive("kubelet"); !ok {
-		return fmt.Errorf("kubelet is not active. ")
-	}
-	return nil
-}
+	klog.V(1).Infof("clean yurthub bootstrap config file success")
 
-// checkYurthubHealthz check if YurtHub is healthy.
-func checkYurthubHealthz(joinData joindata.YurtJoinData) error {
-	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://%s%s", fmt.Sprintf("%s:10267", joinData.YurtHubServer()), constants.ServerHealthzURLPath), nil)
-	if err != nil {
-		return err
-	}
-	client := &http.Client{}
-	return wait.PollImmediate(time.Second*5, 300*time.Second, func() (bool, error) {
-		resp, err := client.Do(req)
-		if err != nil {
-			return false, nil
-		}
-		ok, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return false, nil
-		}
-		return string(ok) == "OK", nil
-	})
+	return nil
 }

pkg/yurtadm/cmd/join/phases/prepare.go

@@ -17,18 +17,16 @@ limitations under the License.
 package phases
 
 import (
-	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"k8s.io/klog/v2"
 
-	"github.com/openyurtio/openyurt/pkg/util/templates"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/cmd/join/joindata"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/constants"
 	yurtadmutil "github.com/openyurtio/openyurt/pkg/yurtadm/util/kubernetes"
 	"github.com/openyurtio/openyurt/pkg/yurtadm/util/system"
+	"github.com/openyurtio/openyurt/pkg/yurtadm/util/yurthub"
 )
 
 // RunPrepare executes the node initialization process.
@@ -66,58 +64,17 @@ func RunPrepare(data joindata.YurtJoinData) error {
 	if err := yurtadmutil.SetKubeletConfigForNode(); err != nil {
 		return err
 	}
-	if err := addYurthubStaticYaml(data, filepath.Join(constants.KubeletConfigureDir, constants.ManifestsSubDirName)); err != nil {
+	if err := yurthub.SetHubBootstrapConfig(data.ServerAddr(), data.JoinToken(), data.CaCertHashes()); err != nil {
 		return err
 	}
-	if err := yurtadmutil.SetDiscoveryConfig(data); err != nil {
+	if err := yurthub.AddYurthubStaticYaml(data, filepath.Join(constants.KubeletConfigureDir, constants.ManifestsSubDirName)); err != nil {
 		return err
 	}
-	if err := yurtadmutil.SetKubeadmJoinConfig(data); err != nil {
-		return err
-	}
-	return nil
-}
-
-// addYurthubStaticYaml generate YurtHub static yaml for worker node.
-func addYurthubStaticYaml(data joindata.YurtJoinData, podManifestPath string) error {
-	klog.Info("[join-node] Adding edge hub static yaml")
-	if _, err := os.Stat(podManifestPath); err != nil {
-		if os.IsNotExist(err) {
-			err = os.MkdirAll(podManifestPath, os.ModePerm)
-			if err != nil {
-				return err
-			}
-		} else {
-			klog.Errorf("Describe dir %s fail: %v", podManifestPath, err)
-			return err
-		}
-	}
-
-	// There can be multiple master IP addresses
-	serverAddrs := strings.Split(data.ServerAddr(), ",")
-	for i := 0; i < len(serverAddrs); i++ {
-		serverAddrs[i] = fmt.Sprintf("https://%s", serverAddrs[i])
-	}
-
-	kubernetesServerAddrs := strings.Join(serverAddrs, ",")
-
-	ctx := map[string]string{
-		"kubernetesServerAddr": kubernetesServerAddrs,
-		"image":                data.YurtHubImage(),
-		"joinToken":            data.JoinToken(),
-		"workingMode":          data.NodeRegistration().WorkingMode,
-		"organizations":        data.NodeRegistration().Organizations,
-		"yurthubServerAddr":    data.YurtHubServer(),
-	}
-
-	yurthubTemplate, err := templates.SubsituteTemplate(constants.YurthubTemplate, ctx)
-	if err != nil {
+	if err := yurtadmutil.SetDiscoveryConfig(data); err != nil {
 		return err
 	}
-
-	if err := os.WriteFile(filepath.Join(podManifestPath, constants.YurthubStaticPodFileName), []byte(yurthubTemplate), 0600); err != nil {
+	if err := yurtadmutil.SetKubeadmJoinConfig(data); err != nil {
 		return err
 	}
-	klog.Info("[join-node] Add hub agent static yaml is ok")
 	return nil
 }

pkg/yurtadm/cmd/renew/certificate/certificate.go

@@ -0,0 +1,169 @@
+/*
+Copyright 2023 The OpenYurt Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+	"fmt"
+	"github.com/openyurtio/openyurt/pkg/yurthub/util"
+	"net/url"
+	"strings"
+
+	"github.com/spf13/cobra"
+	flag "github.com/spf13/pflag"
+	"k8s.io/klog/v2"
+
+	"github.com/openyurtio/openyurt/pkg/projectinfo"
+	yurtconstants "github.com/openyurtio/openyurt/pkg/yurtadm/constants"
+	"github.com/openyurtio/openyurt/pkg/yurtadm/util/yurthub"
+)
+
+type certificateOptions struct {
+	token                    string
+	caCertHashes             []string
+	unsafeSkipCAVerification bool
+	serverAddr               string
+	yurthubServer            string
+}
+
+// newCertificateOptions returns a struct ready for being used for creating cmd renew flags.
+func newCertificateOptions() *certificateOptions {
+	return &certificateOptions{
+		caCertHashes:             make([]string, 0),
+		unsafeSkipCAVerification: true,
+		yurthubServer:            yurtconstants.DefaultYurtHubServerAddr,
+	}
+}
+
+// NewCmdCertificate returns "yurtadm renew certificate" command.
+func NewCmdCertificate() *cobra.Command {
+	o := newCertificateOptions()
+
+	certificateCmd := &cobra.Command{
+		Use:   "certificate",
+		Short: "Create bootstrap file for yurthub to update certificate",
+		RunE: func(certificateCmd *cobra.Command, args []string) error {
+			if err := o.validate(); err != nil {
+				klog.Fatalf("validate options: %v", err)
+			}
+
+			if exist, err := util.FileExists(yurtconstants.YurthubCaPath); err != nil {
+				klog.Infof("couldn't stat ca.crt file")
+			} else if exist {
+				ok, err := yurthub.CheckYurthubCertValid(yurtconstants.YurthubCaPath)
+				if err != nil {
+					return err
+				}
+				if ok {
+					klog.Info("The certificate has not expired, stop update.")
+					return nil
+				}
+			}
+
+			us, err := parseRemoteServers(o.serverAddr)
+			if err != nil {
+				return err
+			}
+
+			// 1.create a temporary bootstrap file and set to /var/lib/yurthub directory
+			if err := yurthub.SetHubBootstrapConfig(us[0].Host, o.token, o.caCertHashes); err != nil {
+				return err
+			}
+
+			// 2.Check if yurthub status is healthy
+			if err := yurthub.CheckYurthubHealthz(o.yurthubServer); err != nil {
+				return err
+			}
+
+			// 3.Delete temporary bootstrap file
+			if err := yurthub.CleanHubBootstrapConfig(); err != nil {
+				return err
+			}
+
+			return nil
+		},
+	}
+
+	addCertificateConfigFlags(certificateCmd.Flags(), o)
+	return certificateCmd
+}
+
+func (options *certificateOptions) validate() error {
+	if len(options.serverAddr) == 0 {
+		return fmt.Errorf("server-address is empty")
+	}
+
+	if len(options.token) == 0 {
+		return fmt.Errorf("bootstrap token is empty")
+	}
+
+	if len(options.caCertHashes) == 0 && !options.unsafeSkipCAVerification {
+		return fmt.Errorf("set --discovery-token-unsafe-skip-ca-verification flag as true or pass CACertHashes to continue")
+	}
+
+	return nil
+}
+
+func parseRemoteServers(serverAddr string) ([]*url.URL, error) {
+	servers := strings.Split(serverAddr, ",")
+	us := make([]*url.URL, 0, len(servers))
+	remoteServers := make([]string, 0, len(servers))
+	for _, server := range servers {
+		u, err := url.Parse(server)
+		if err != nil {
+			klog.Errorf("failed to parse server address %s, %v", servers, err)
+			return us, err
+		}
+		if u.Scheme == "" {
+			u.Scheme = "https"
+		} else if u.Scheme != "https" {
+			return us, fmt.Errorf("only https scheme is supported for server address(%s)", serverAddr)
+		}
+		us = append(us, u)
+		remoteServers = append(remoteServers, u.String())
+	}
+
+	if len(us) < 1 {
+		return us, fmt.Errorf("no server address is set, can not connect remote server")
+	}
+	klog.Infof("%s would connect remote servers: %s", projectinfo.GetHubName(), strings.Join(remoteServers, ","))
+
+	return us, nil
+}
+
+// addCertificateConfigFlags adds certificate flags bound to the config to the specified flagset
+func addCertificateConfigFlags(flagSet *flag.FlagSet, certificateOptions *certificateOptions) {
+	flagSet.StringVar(
+		&certificateOptions.token, yurtconstants.TokenStr, certificateOptions.token,
+		"Use this token for bootstrapping yurthub.",
+	)
+	flagSet.StringSliceVar(
+		&certificateOptions.caCertHashes, yurtconstants.TokenDiscoveryCAHash, certificateOptions.caCertHashes,
+		"For token-based discovery, validate that the root CA public key matches this hash (format: \"<type>:<value>\").",
+	)
+	flagSet.BoolVar(
+		&certificateOptions.unsafeSkipCAVerification, yurtconstants.TokenDiscoverySkipCAHash, certificateOptions.unsafeSkipCAVerification,
+		"For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.",
+	)
+	flagSet.StringVar(
+		&certificateOptions.serverAddr, yurtconstants.ServerAddr, certificateOptions.serverAddr,
+		"The address of Kubernetes kube-apiserver,the format is: \"server1,server2,...\"",
+	)
+	flagSet.StringVar(
+		&certificateOptions.yurthubServer, yurtconstants.YurtHubServerAddr, certificateOptions.yurthubServer,
+		"Sets the address for yurthub server addr",
+	)
+}