change yurthub's protocol from http to https #368

6 changes: 6 additions & 0 deletions cmd/yurthub/app/config/config.go
Expand Up @@ -53,6 +53,9 @@ type YurtHubConfiguration struct {
HubAgentDummyIfName string
StorageWrapper cachemanager.StorageWrapper
SerializerManager *serializer.SerializerManager
CAFile string
CertFile string
KeyFile string
}

// Complete converts *options.YurtHubOptions to *YurtHubConfiguration
Expand Down Expand Up @@ -94,6 +97,9 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) {
HubAgentDummyIfName: options.HubAgentDummyIfName,
StorageWrapper: storageWrapper,
SerializerManager: serializerManager,
CAFile: options.CAFile,
CertFile: options.CertFile,
KeyFile: options.KeyFile,
}
I think the establishment and configuration of TLS may be better done by yurthub, users do not need to pay attention to the underlying certificate configuration by default.

It's a good idea. I will improve it later.


return cfg, nil
18 changes: 18 additions & 0 deletions cmd/yurthub/app/options/options.go
Expand Up @@ -55,6 +55,9 @@ type YurtHubOptions struct {
HubAgentDummyIfIP string
HubAgentDummyIfName string
DiskCachePath string
CAFile string
CertFile string
KeyFile string
}

// NewYurtHubOptions creates a new YurtHubOptions with a default config.
Expand Down Expand Up @@ -92,6 +95,18 @@ func ValidateOptions(options *YurtHubOptions) error {
return fmt.Errorf("server-address is empty")
}

if len(options.CAFile) == 0 {
return fmt.Errorf("CA is empty")
}

if len(options.CertFile) == 0 {
return fmt.Errorf("tls cert is empty")
}

if len(options.KeyFile) == 0 {
return fmt.Errorf("tls key is empty")
}

if !util.IsSupportedLBMode(options.LBMode) {
return fmt.Errorf("lb mode(%s) is not supported", options.LBMode)
}
Expand Down Expand Up @@ -130,6 +145,9 @@ func (o *YurtHubOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.HubAgentDummyIfIP, "dummy-if-ip", o.HubAgentDummyIfIP, "the ip address of dummy interface that used for container connect hub agent(exclusive ips: 169.254.31.0/24, 169.254.1.1/32)")
fs.StringVar(&o.HubAgentDummyIfName, "dummy-if-name", o.HubAgentDummyIfName, "the name of dummy interface that is used for hub agent")
fs.StringVar(&o.DiskCachePath, "disk-cache-path", o.DiskCachePath, "the path for kubernetes to storage metadata")
fs.StringVar(&o.CAFile, "ca-file", "", "the CA for yurthub to verify client")
fs.StringVar(&o.CertFile, "tls-cert-file", "", "the tls cert of yurthub")
fs.StringVar(&o.KeyFile, "tls-private-key-file", "", "the tls key of yurthub")
It's not convenient for users to set up server certificates. I think Yurthub should generate server certificates by itself.

The latest code has been committed. Yurthub now generates server certificates by itself.

}

// verifyDummyIP verify the specified ip is valid or not
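Review bot: ValidateOptions only checks that --ca-file, --tls-cert-file and --tls-private-key-file are non-empty strings, so a path that does not exist or is unreadable passes validation, and in this PR's server.go change the cert and key are not opened until `ListenAndServeTLS` in `Run()`, which panics on failure. A readability check here, for example `if _, err := os.Stat(options.CertFile); err != nil { return fmt.Errorf("tls cert %q: %v", options.CertFile, err) }` for each of the three paths, would fail fast at startup with a clear message; this needs an `os` import, which lies outside the hunk. The three new flags also pass `""` as the default instead of `o.CAFile` and friends, unlike every neighbouring flag, which silently discards any default set in NewYurtHubOptions — `fs.StringVar(&o.CAFile, "ca-file", o.CAFile, "...")` keeps them consistent. The new error strings are likewise inconsistent with the existing `"server-address is empty"` style; naming the flag, e.g. `"ca-file is empty"`, tells the operator which option to fix.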
31 changes: 28 additions & 3 deletions pkg/yurthub/server/server.go
Expand Up @@ -17,7 +17,10 @@ limitations under the License.
package server

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net"
"net/http"

Expand All @@ -27,6 +30,7 @@ import (

"github.com/gorilla/mux"
"github.com/prometheus/client_golang/prometheus/promhttp"
"k8s.io/klog"
)

// Server is an interface for providing http service for yurthub
Expand All @@ -38,6 +42,12 @@ type Server interface {
// and hubServer handles requests by hub agent itself, like profiling, metrics, healthz
// and proxyServer does not handle requests locally and proxy requests to kube-apiserver
type yurtHubServer struct {
CAFile string
// CertFile the tls cert file for proxyhub's https server
CertFile string
// KeyFile the tls key file for proxyhub's https server
KeyFile string

hubServer *http.Server
proxyServer *http.Server
dummyProxyServer *http.Server
Expand All @@ -55,9 +65,21 @@ func NewYurtHubServer(cfg *config.YurtHubConfiguration,
MaxHeaderBytes: 1 << 20,
}

caFile, err := ioutil.ReadFile(cfg.CAFile)
if err != nil {
klog.Errorf("Read ca file err: %v", err)
return nil, err
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM([]byte(caFile))

proxyServer := &http.Server{
Addr: cfg.YurtHubProxyServerAddr,
Handler: proxyHandler,
Addr: cfg.YurtHubProxyServerAddr,
Handler: proxyHandler,
TLSConfig: &tls.Config{
ClientCAs: certPool,
ClientAuth: tls.VerifyClientCertIfGiven,
},
MaxHeaderBytes: 1 << 20,
}

Expand All @@ -75,6 +97,9 @@ func NewYurtHubServer(cfg *config.YurtHubConfiguration,
}

return &yurtHubServer{
CAFile: cfg.CAFile,
CertFile: cfg.CertFile,
KeyFile: cfg.KeyFile,
hubServer: hubServer,
proxyServer: proxyServer,
dummyProxyServer: dummyProxyServer,
Expand All @@ -99,7 +124,7 @@ func (s *yurtHubServer) Run() {
}()
}

err := s.proxyServer.ListenAndServe()
err := s.proxyServer.ListenAndServeTLS(s.CertFile, s.KeyFile)
if err != nil {
panic(err)
}
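Review bot: The return value of `certPool.AppendCertsFromPEM` is dropped after cfg.CAFile is read, so a CA file that parses to zero certificates yields an empty ClientCAs pool and the server still starts; with `ClientAuth: tls.VerifyClientCertIfGiven` that means every client that does present a certificate is rejected while clients presenting none are still accepted, and nothing logs why. Replace the call with `if !certPool.AppendCertsFromPEM(caFile) { return nil, fmt.Errorf("no valid CA certificate found in %s", cfg.CAFile) }` (fmt is already imported, and the `[]byte(caFile)` conversion is redundant since ioutil.ReadFile already returns a []byte). Note also that VerifyClientCertIfGiven only authenticates clients that choose to send a certificate, so proxyHandler — not visible here — must be what distinguishes anonymous from authenticated requests; the flag help "the CA for yurthub to verify client" should be read with that in mind. The tls.Config sets no MinVersion, so the protocol floor is whatever the Go release defaults to; `MinVersion: tls.VersionTLS12` would make it explicit. NewYurtHubServer begins before the hunk and Run ends after it.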