Merge pull request #1033 from ibuildthecloud/fixes

Fix server join issues
2019-11-08 22:55:06 +00:00 · 2019-11-08 22:55:06 +00:00 · 1671f3985f
parent c29a31931f b67b62478b
commit 1671f3985f
8 changed files with 83 additions and 39 deletions
--- a/go.mod
+++ b/go.mod
@ -96,7 +96,7 @@ require (
 	github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830
 	github.com/pkg/errors v0.8.1
 	github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
-	github.com/rancher/dynamiclistener v0.1.1-0.20191031022009-6224794ef3cb
+	github.com/rancher/dynamiclistener v0.1.1-0.20191108205817-245f86cc340a
 	github.com/rancher/helm-controller v0.2.2
 	github.com/rancher/kine v0.1.2-0.20191107225357-527576e3452f
 	github.com/rancher/remotedialer v0.2.0
--- a/go.sum
+++ b/go.sum
@ -564,6 +564,8 @@ github.com/rancher/cri-tools v1.16.1-k3s.1 h1:iporgQ46noE6dtLzq6fWcIO2qjyPZy2m42
 github.com/rancher/cri-tools v1.16.1-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
 github.com/rancher/dynamiclistener v0.1.1-0.20191031022009-6224794ef3cb h1:bMoA9UHr1QNTWVrf0fSJCba6YDU1xmt2jmeohpiugKg=
 github.com/rancher/dynamiclistener v0.1.1-0.20191031022009-6224794ef3cb/go.mod h1:fs/dxyNcB3YT6W9fVz4bDGfhmSQS17QQup6BIcGF++s=
+github.com/rancher/dynamiclistener v0.1.1-0.20191108205817-245f86cc340a h1:yIQXTC2BjGQ4Bt5Y7QhnxNWbbq8e6koH+pFrJL2VsIs=
+github.com/rancher/dynamiclistener v0.1.1-0.20191108205817-245f86cc340a/go.mod h1:fs/dxyNcB3YT6W9fVz4bDGfhmSQS17QQup6BIcGF++s=
 github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
 github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
 github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo=
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@ -3,7 +3,6 @@ package cmds
 import (
 	"fmt"

-	"github.com/rancher/k3s/pkg/daemons/config"
 	"github.com/urfave/cli"
 )

@ -114,9 +113,9 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 			},
 			cli.StringFlag{
 				Name:        "flannel-backend",
-				Usage:       fmt.Sprintf("(networking) One of '%s', '%s', '%s', or '%s'", config.FlannelBackendNone, config.FlannelBackendVXLAN, config.FlannelBackendIPSEC, config.FlannelBackendWireguard),
+				Usage:       fmt.Sprintf("(networking) One of 'none', 'vxlan', 'ipsec', or 'flannel'"),
 				Destination: &ServerConfig.FlannelBackend,
-				Value:       config.FlannelBackendVXLAN,
+				Value:       "vxlan",
 			},
 			cli.StringFlag{
 				Name:        "token,t",
@ -149,14 +148,14 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 				Destination: &ServerConfig.ServerURL,
 			},
 			cli.BoolFlag{
-				Name:        "new-cluster",
+				Name:        "cluster-init",
 				Hidden:      hideDqlite,
 				Usage:       "(cluster) Initialize new cluster master",
 				EnvVar:      "K3S_CLUSTER_INIT",
 				Destination: &ServerConfig.ClusterInit,
 			},
 			cli.BoolFlag{
-				Name:        "reset-cluster",
+				Name:        "cluster-reset",
 				Hidden:      hideDqlite,
 				Usage:       "(cluster) Forget all peers and become a single cluster new cluster master",
 				EnvVar:      "K3S_CLUSTER_RESET",
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@ -21,6 +21,7 @@ import (
 	_ "github.com/rancher/k3s/pkg/cloudprovider"

 	certutil "github.com/rancher/dynamiclistener/cert"
+	"github.com/rancher/k3s/pkg/clientaccess"
 	"github.com/rancher/k3s/pkg/cluster"
 	"github.com/rancher/k3s/pkg/daemons/config"
 	"github.com/rancher/k3s/pkg/passwd"
@ -364,7 +365,7 @@ func readTokens(runtime *config.ControlRuntime) error {
 		runtime.AgentToken = "node:" + nodeToken
 	}
 	if serverToken, ok := tokens.Pass("server"); ok {
-		runtime.AgentToken = "server:" + serverToken
+		runtime.ServerToken = "server:" + serverToken
 	}
 	if clientToken, ok := tokens.Pass("admin"); ok {
 		runtime.ClientToken = "admin:" + clientToken
@ -426,6 +427,9 @@ func getServerPass(passwd *passwd.Passwd, config *config.Control) (string, error

 func getNodePass(config *config.Control, serverPass string) string {
 	if config.AgentToken == "" {
+		if _, passwd, ok := clientaccess.ParseUsernamePassword(serverPass); ok {
+			return passwd
+		}
 		return serverPass
 	}
 	return config.AgentToken
@ -621,9 +625,17 @@ func genRequestHeaderCerts(config *config.Control, runtime *config.ControlRuntim
 }

 func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
+	caBytes, err := ioutil.ReadFile(caCertFile)
+	if err != nil {
+		return false, err
+	}
+
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(caBytes)
+
 	// check for certificate expiration
 	if !regen {
-		regen = expired(certFile)
+		regen = expired(certFile, pool)
 	}

 	if !regen {
@ -642,15 +654,11 @@ func createClientCertKey(regen bool, commonName string, organization []string, a
 		return false, err
 	}

-	caBytes, err := ioutil.ReadFile(caCertFile)
-	if err != nil {
-		return false, err
-	}
-
 	caCert, err := certutil.ParseCertsPEM(caBytes)
 	if err != nil {
 		return false, err
 	}
+
 	keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, regen)
 	if err != nil {
 		return false, err
@ -770,7 +778,7 @@ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
 	}
 }

-func expired(certFile string) bool {
+func expired(certFile string, pool *x509.CertPool) bool {
 	certBytes, err := ioutil.ReadFile(certFile)
 	if err != nil {
 		return false
@ -779,6 +787,15 @@ func expired(certFile string) bool {
 	if err != nil {
 		return false
 	}
+	_, err = certificates[0].Verify(x509.VerifyOptions{
+		Roots: pool,
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageAny,
+		},
+	})
+	if err != nil {
+		return true
+	}
 	return certutil.IsCertExpired(certificates[0])
 }

--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -200,9 +200,9 @@ func printTokens(advertiseIP string, config *config.Control) error {
 		advertiseIP = "127.0.0.1"
 	}

-	if len(config.Runtime.AgentToken) > 0 {
+	if len(config.Runtime.ServerToken) > 0 {
 		p := filepath.Join(config.DataDir, "token")
-		if err := writeToken(config.Runtime.AgentToken, p, config.Runtime.ServerCA); err == nil {
+		if err := writeToken(config.Runtime.ServerToken, p, config.Runtime.ServerCA); err == nil {
 			logrus.Infof("Node token is available at %s", p)
 			nodeFile = p
 		}
--- a/vendor/github.com/rancher/dynamiclistener/redirect.go
+++ b/vendor/github.com/rancher/dynamiclistener/redirect.go
@ -1,7 +1,6 @@
 package dynamiclistener

 import (
-	"fmt"
 	"net"
 	"net/http"
 	"strconv"
@ -12,7 +11,6 @@ import (
 func HTTPRedirect(next http.Handler) http.Handler {
 	return http.HandlerFunc(
 		func(rw http.ResponseWriter, r *http.Request) {
-			fmt.Println("!!!!!", r.URL.String(), r.Header)
 			if r.Header.Get("x-Forwarded-Proto") == "https" ||
 				r.Header.Get("x-Forwarded-Proto") == "wss" ||
 				strings.HasPrefix(r.URL.Path, "/ping") ||
--- a/vendor/github.com/rancher/dynamiclistener/storage/kubernetes/controller.go
+++ b/vendor/github.com/rancher/dynamiclistener/storage/kubernetes/controller.go
@ -9,8 +9,11 @@ import (
 	"github.com/rancher/wrangler-api/pkg/generated/controllers/core"
 	v1controller "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
 	"github.com/rancher/wrangler/pkg/start"
+	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 type CoreGetter func() *core.Factory
@ -79,31 +82,56 @@ func (s *storage) Get() (*v1.Secret, error) {
 	return s.storage.Get()
 }

+func (s *storage) targetSecret() (*v1.Secret, error) {
+	existingSecret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		return &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      s.name,
+				Namespace: s.namespace,
+			},
+		}, nil
+	}
+	return existingSecret, err
+}
+
+func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
+	if s.secrets == nil {
+		return secret, nil
+	}
+
+	targetSecret, err := s.targetSecret()
+	if err != nil {
+		return nil, err
+	}
+
+	if equality.Semantic.DeepEqual(targetSecret.Annotations, secret.Annotations) &&
+		equality.Semantic.DeepEqual(targetSecret.Data, secret.Data) {
+		return secret, nil
+	}
+
+	targetSecret.Annotations = secret.Annotations
+	targetSecret.Type = v1.SecretTypeTLS
+	targetSecret.Data = secret.Data
+
+	if targetSecret.UID == "" {
+		logrus.Infof("Creating new TLS secret for %v", targetSecret.Annotations)
+		return s.secrets.Create(targetSecret)
+	} else {
+		logrus.Infof("Updating TLS secret for %v", targetSecret.Annotations)
+		return s.secrets.Update(targetSecret)
+	}
+}
+
 func (s *storage) Update(secret *v1.Secret) (err error) {
 	s.Lock()
 	defer s.Unlock()

-	if s.secrets != nil {
-		if secret.UID == "" {
-			secret.Name = s.name
-			secret.Namespace = s.namespace
-			secret, err = s.secrets.Create(secret)
-			if err != nil {
-				return err
-			}
-		} else {
-			existingSecret, err := s.storage.Get()
-			if err != nil {
-				return err
-			}
-			if !equality.Semantic.DeepEqual(secret.Data, existingSecret.Data) {
-				secret, err = s.secrets.Update(secret)
-				if err != nil {
-					return err
-				}
-			}
-		}
+	secret, err = s.saveInK8s(secret)
+	if err != nil {
+		return err
 	}

+	// update underlying storage
 	return s.storage.Update(secret)
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -726,7 +726,7 @@ github.com/prometheus/procfs/internal/util
 # github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8
 github.com/rakelkar/gonetsh/netroute
 github.com/rakelkar/gonetsh/netsh
-# github.com/rancher/dynamiclistener v0.1.1-0.20191031022009-6224794ef3cb
+# github.com/rancher/dynamiclistener v0.1.1-0.20191108205817-245f86cc340a
 github.com/rancher/dynamiclistener
 github.com/rancher/dynamiclistener/factory
 github.com/rancher/dynamiclistener/storage/file