Merge pull request #2744 from erikwilson/rke2-node-password-bootstrap

Bootstrap node password with local file
pull/2812/head
Erik Wilson 2021-01-11 09:51:30 -07:00 committed by GitHub
commit c71060f288
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 105 additions and 43 deletions

View File

@ -361,6 +361,8 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
nodeName += "-" + nodeID nodeName += "-" + nodeID
} }
os.Setenv("NODE_NAME", nodeName)
servingCert, err := getServingCert(nodeName, nodeIP, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info) servingCert, err := getServingCert(nodeName, nodeIP, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info)
if err != nil { if err != nil {
return nil, err return nil, err
@ -485,8 +487,6 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
nodeConfig.AgentConfig.ClusterCIDR = *controlConfig.ClusterIPRange nodeConfig.AgentConfig.ClusterCIDR = *controlConfig.ClusterIPRange
} }
os.Setenv("NODE_NAME", nodeConfig.AgentConfig.NodeName)
nodeConfig.AgentConfig.ExtraKubeletArgs = envInfo.ExtraKubeletArgs nodeConfig.AgentConfig.ExtraKubeletArgs = envInfo.ExtraKubeletArgs
nodeConfig.AgentConfig.ExtraKubeProxyArgs = envInfo.ExtraKubeProxyArgs nodeConfig.AgentConfig.ExtraKubeProxyArgs = envInfo.ExtraKubeProxyArgs

View File

@ -1,17 +1,21 @@
package server package server
import ( import (
"context"
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"errors"
"io/ioutil" "io/ioutil"
"net" "net"
"net/http" "net/http"
"os"
"path/filepath" "path/filepath"
"strconv" "strconv"
"strings" "strings"
"sync"
"time"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/pkg/errors"
certutil "github.com/rancher/dynamiclistener/cert" certutil "github.com/rancher/dynamiclistener/cert"
"github.com/rancher/k3s/pkg/bootstrap" "github.com/rancher/k3s/pkg/bootstrap"
"github.com/rancher/k3s/pkg/daemons/config" "github.com/rancher/k3s/pkg/daemons/config"
@ -26,13 +30,16 @@ const (
staticURL = "/static/" staticURL = "/static/"
) )
func router(serverConfig *config.Control) http.Handler { func router(ctx context.Context, config *Config) http.Handler {
serverConfig := &config.ControlConfig
nodeAuth := passwordBootstrap(ctx, config)
prefix := "/v1-" + version.Program prefix := "/v1-" + version.Program
authed := mux.NewRouter() authed := mux.NewRouter()
authed.Use(authMiddleware(serverConfig, version.Program+":agent")) authed.Use(authMiddleware(serverConfig, version.Program+":agent"))
authed.NotFoundHandler = serverConfig.Runtime.Handler authed.NotFoundHandler = serverConfig.Runtime.Handler
authed.Path(prefix + "/serving-kubelet.crt").Handler(servingKubeletCert(serverConfig, serverConfig.Runtime.ServingKubeletKey, serverConfig.Runtime)) authed.Path(prefix + "/serving-kubelet.crt").Handler(servingKubeletCert(serverConfig, serverConfig.Runtime.ServingKubeletKey, nodeAuth))
authed.Path(prefix + "/client-kubelet.crt").Handler(clientKubeletCert(serverConfig, serverConfig.Runtime.ClientKubeletKey, serverConfig.Runtime)) authed.Path(prefix + "/client-kubelet.crt").Handler(clientKubeletCert(serverConfig, serverConfig.Runtime.ClientKubeletKey, nodeAuth))
authed.Path(prefix + "/client-kube-proxy.crt").Handler(fileHandler(serverConfig.Runtime.ClientKubeProxyCert, serverConfig.Runtime.ClientKubeProxyKey)) authed.Path(prefix + "/client-kube-proxy.crt").Handler(fileHandler(serverConfig.Runtime.ClientKubeProxyCert, serverConfig.Runtime.ClientKubeProxyKey))
authed.Path(prefix + "/client-" + version.Program + "-controller.crt").Handler(fileHandler(serverConfig.Runtime.ClientK3sControllerCert, serverConfig.Runtime.ClientK3sControllerKey)) authed.Path(prefix + "/client-" + version.Program + "-controller.crt").Handler(fileHandler(serverConfig.Runtime.ClientK3sControllerCert, serverConfig.Runtime.ClientK3sControllerKey))
authed.Path(prefix + "/client-ca.crt").Handler(fileHandler(serverConfig.Runtime.ClientCA)) authed.Path(prefix + "/client-ca.crt").Handler(fileHandler(serverConfig.Runtime.ClientCA))
@ -126,30 +133,16 @@ func getCACertAndKeys(caCertFile, caKeyFile, signingKeyFile string) ([]*x509.Cer
return caCert, caKey.(crypto.Signer), key.(crypto.Signer), nil return caCert, caKey.(crypto.Signer), key.(crypto.Signer), nil
} }
func servingKubeletCert(server *config.Control, keyFile string, runtime *config.ControlRuntime) http.Handler { func servingKubeletCert(server *config.Control, keyFile string, auth nodePassBootstrapper) http.Handler {
var secretClient coreclient.SecretClient
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
if secretClient == nil {
if runtime.Core == nil {
sendError(errors.New("runtime core not ready"), resp)
return
}
secretClient = runtime.Core.Core().V1().Secret()
}
if req.TLS == nil { if req.TLS == nil {
resp.WriteHeader(http.StatusNotFound) resp.WriteHeader(http.StatusNotFound)
return return
} }
nodeName, nodePassword, err := getNodeInfo(req) nodeName, errCode, err := auth(req)
if err != nil { if err != nil {
sendError(err, resp) sendError(err, resp, errCode)
return
}
if err := nodepassword.Ensure(secretClient, nodeName, nodePassword); err != nil {
sendError(err, resp, http.StatusForbidden)
return return
} }
@ -188,30 +181,16 @@ func servingKubeletCert(server *config.Control, keyFile string, runtime *config.
}) })
} }
func clientKubeletCert(server *config.Control, keyFile string, runtime *config.ControlRuntime) http.Handler { func clientKubeletCert(server *config.Control, keyFile string, auth nodePassBootstrapper) http.Handler {
var secretClient coreclient.SecretClient
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
if secretClient == nil {
if runtime.Core == nil {
sendError(errors.New("runtime core not ready"), resp)
return
}
secretClient = runtime.Core.Core().V1().Secret()
}
if req.TLS == nil { if req.TLS == nil {
resp.WriteHeader(http.StatusNotFound) resp.WriteHeader(http.StatusNotFound)
return return
} }
nodeName, nodePassword, err := getNodeInfo(req) nodeName, errCode, err := auth(req)
if err != nil { if err != nil {
sendError(err, resp) sendError(err, resp, errCode)
return
}
if err := nodepassword.Ensure(secretClient, nodeName, nodePassword); err != nil {
sendError(err, resp, http.StatusForbidden)
return return
} }
@ -292,12 +271,95 @@ func serveStatic(urlPrefix, staticDir string) http.Handler {
} }
func sendError(err error, resp http.ResponseWriter, status ...int) { func sendError(err error, resp http.ResponseWriter, status ...int) {
code := http.StatusInternalServerError var code int
if len(status) == 1 { if len(status) == 1 {
code = status[0] code = status[0]
} }
if code == 0 || code == http.StatusOK {
code = http.StatusInternalServerError
}
logrus.Error(err) logrus.Error(err)
resp.WriteHeader(code) resp.WriteHeader(code)
resp.Write([]byte(err.Error())) resp.Write([]byte(err.Error()))
} }
// nodePassBootstrapper returns a node name, or http error code and error
type nodePassBootstrapper func(req *http.Request) (string, int, error)
func passwordBootstrap(ctx context.Context, config *Config) nodePassBootstrapper {
runtime := config.ControlConfig.Runtime
var secretClient coreclient.SecretClient
var once sync.Once
return nodePassBootstrapper(func(req *http.Request) (string, int, error) {
nodeName, nodePassword, err := getNodeInfo(req)
if err != nil {
return "", http.StatusBadRequest, err
}
if secretClient == nil {
if runtime.Core != nil {
// initialize the client if we can
secretClient = runtime.Core.Core().V1().Secret()
} else if nodeName == os.Getenv("NODE_NAME") {
// or verify the password locally and ensure a secret later
return verifyLocalPassword(ctx, config, &once, nodeName, nodePassword)
} else {
// or reject the request until the core is ready
return "", http.StatusServiceUnavailable, errors.New("runtime core not ready")
}
}
if err := nodepassword.Ensure(secretClient, nodeName, nodePassword); err != nil {
return "", http.StatusForbidden, err
}
return nodeName, http.StatusOK, nil
})
}
func verifyLocalPassword(ctx context.Context, config *Config, once *sync.Once, nodeName, nodePassword string) (string, int, error) {
// use same password file location that the agent creates
nodePasswordRoot := "/"
if config.Rootless {
nodePasswordRoot = filepath.Join(config.ControlConfig.DataDir, "agent")
}
nodeConfigPath := filepath.Join(nodePasswordRoot, "etc", "rancher", "node")
nodePasswordFile := filepath.Join(nodeConfigPath, "password")
passBytes, err := ioutil.ReadFile(nodePasswordFile)
if err != nil {
return "", http.StatusInternalServerError, errors.Wrap(err, "unable to read node password file")
}
password := strings.TrimSpace(string(passBytes))
if password != nodePassword {
return "", http.StatusForbidden, errors.Wrapf(err, "unable to verify local password for node '%s'", nodeName)
}
// make sure the secret is created when the api server is ready
ensureSecret := func() {
runtime := config.ControlConfig.Runtime
for {
select {
case <-ctx.Done():
return
case <-time.After(1 * time.Second):
if runtime.Core != nil {
logrus.Debugf("runtime core has become available, ensuring password secret for node '%s'", nodeName)
secretClient := runtime.Core.Core().V1().Secret()
if err := nodepassword.Ensure(secretClient, nodeName, nodePassword); err != nil {
logrus.Warnf("error ensuring node password secret for pre-validated node '%s': %v", nodeName, err)
}
return
}
}
}
}
go once.Do(ensureSecret)
logrus.Debugf("password verified locally for node '%s'", nodeName)
return nodeName, http.StatusOK, nil
}

View File

@ -60,7 +60,7 @@ func StartServer(ctx context.Context, config *Config) error {
return errors.Wrap(err, "starting kubernetes") return errors.Wrap(err, "starting kubernetes")
} }
config.ControlConfig.Runtime.Handler = router(&config.ControlConfig) config.ControlConfig.Runtime.Handler = router(ctx, config)
go startOnAPIServerReady(ctx, config) go startOnAPIServerReady(ctx, config)