Commit 301fb739 authored by Brian Downs's avatar Brian Downs

add node ip to the request header for cert gen

parent 8d5f58f0
...@@ -63,7 +63,7 @@ func Request(path string, info *clientaccess.Info, requester HTTPRequester) ([]b ...@@ -63,7 +63,7 @@ func Request(path string, info *clientaccess.Info, requester HTTPRequester) ([]b
return requester(u.String(), clientaccess.GetHTTPClient(info.CACerts), username, password) return requester(u.String(), clientaccess.GetHTTPClient(info.CACerts), username, password)
} }
func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester { func getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile string) HTTPRequester {
return func(u string, client *http.Client, username, password string) ([]byte, error) { return func(u string, client *http.Client, username, password string) ([]byte, error) {
req, err := http.NewRequest(http.MethodGet, u, nil) req, err := http.NewRequest(http.MethodGet, u, nil)
if err != nil { if err != nil {
...@@ -80,6 +80,7 @@ func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester { ...@@ -80,6 +80,7 @@ func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester {
return nil, err return nil, err
} }
req.Header.Set(version.Program+"-Node-Password", nodePassword) req.Header.Set(version.Program+"-Node-Password", nodePassword)
req.Header.Set("X-K3S-NODE-IP", nodeIP)
resp, err := client.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
...@@ -142,8 +143,8 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string) ...@@ -142,8 +143,8 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string)
} }
} }
func getServingCert(nodeName, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) (*tls.Certificate, error) { func getServingCert(nodeName, nodeIP, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) (*tls.Certificate, error) {
servingCert, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodePasswordFile)) servingCert, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile))
if err != nil { if err != nil {
return nil, err return nil, err
} }
...@@ -205,9 +206,9 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) { ...@@ -205,9 +206,9 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) {
return return
} }
func getNodeNamedHostFile(filename, keyFile, nodeName, nodePasswordFile string, info *clientaccess.Info) error { func getNodeNamedHostFile(filename, keyFile, nodeName, nodeIP, nodePasswordFile string, info *clientaccess.Info) error {
basename := filepath.Base(filename) basename := filepath.Base(filename)
fileBytes, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodePasswordFile)) fileBytes, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodeIP, nodePasswordFile))
if err != nil { if err != nil {
return err return err
} }
...@@ -359,14 +360,14 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) { ...@@ -359,14 +360,14 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
nodeName += "-" + nodeID nodeName += "-" + nodeID
} }
servingCert, err := getServingCert(nodeName, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info) servingCert, err := getServingCert(nodeName, nodeIP, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info)
if err != nil { if err != nil {
return nil, err return nil, err
} }
clientKubeletCert := filepath.Join(envInfo.DataDir, "client-kubelet.crt") clientKubeletCert := filepath.Join(envInfo.DataDir, "client-kubelet.crt")
clientKubeletKey := filepath.Join(envInfo.DataDir, "client-kubelet.key") clientKubeletKey := filepath.Join(envInfo.DataDir, "client-kubelet.key")
if err := getNodeNamedHostFile(clientKubeletCert, clientKubeletKey, nodeName, newNodePasswordFile, info); err != nil { if err := getNodeNamedHostFile(clientKubeletCert, clientKubeletKey, nodeName, nodeIP, newNodePasswordFile, info); err != nil {
return nil, err return nil, err
} }
......
...@@ -141,12 +141,17 @@ func servingKubeletCert(server *config.Control, keyFile string) http.Handler { ...@@ -141,12 +141,17 @@ func servingKubeletCert(server *config.Control, keyFile string) http.Handler {
return return
} }
ips := []net.IP{net.ParseIP("127.0.0.1")}
if nodeIP := req.Header.Get("X-K3S-NODE-IP"); nodeIP != "" {
ips = append(ips, net.ParseIP(nodeIP))
}
cert, err := certutil.NewSignedCert(certutil.Config{ cert, err := certutil.NewSignedCert(certutil.Config{
CommonName: nodeName, CommonName: nodeName,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
AltNames: certutil.AltNames{ AltNames: certutil.AltNames{
DNSNames: []string{nodeName, "localhost"}, DNSNames: []string{nodeName, "localhost"},
IPs: []net.IP{net.ParseIP("127.0.0.1")}, IPs: ips,
}, },
}, key, caCert[0], caKey) }, key, caCert[0], caKey)
if err != nil { if err != nil {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment