Startseite Erkunden Hilfe
Registrieren Anmelden
gaoyagang
/
GtDataStore
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: b1c599a1de
Branches Tags
GtDataStore
/
vendor
/
k8s.io
/
client-go
/
transport
/
cert_rotation.go

cert_rotation.go 4.3 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. /*
    2. 

  2. Copyright 2020 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package transport
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"crypto/tls"
    22. 

  22. 	"fmt"
    23. 

  23. 	"reflect"
    24. 

  24. 	"sync"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	utilnet "k8s.io/apimachinery/pkg/util/net"
    28. 

  28. 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
    29. 

  29. 	"k8s.io/apimachinery/pkg/util/wait"
    30. 

  30. 	"k8s.io/client-go/util/connrotation"
    31. 

  31. 	"k8s.io/client-go/util/workqueue"
    32. 

  32. 	"k8s.io/klog/v2"
    33. 

  33. )
    34. 

  34. 

  35. const workItemKey = "key"
    36. 

  36. 

  37. // CertCallbackRefreshDuration is exposed so that integration tests can crank up the reload speed.
    38. 

  38. var CertCallbackRefreshDuration = 5 * time.Minute
    39. 

  39. 

  40. type reloadFunc func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
    41. 

  41. 

  42. type dynamicClientCert struct {
    43. 

  43. 	clientCert *tls.Certificate
    44. 

  44. 	certMtx    sync.RWMutex
    45. 

  45. 

  46. 	reload     reloadFunc
    47. 

  47. 	connDialer *connrotation.Dialer
    48. 

  48. 

  49. 	// queue only ever has one item, but it has nice error handling backoff/retry semantics
    50. 

  50. 	queue workqueue.RateLimitingInterface
    51. 

  51. }
    52. 

  52. 

  53. func certRotatingDialer(reload reloadFunc, dial utilnet.DialFunc) *dynamicClientCert {
    54. 

  54. 	d := &dynamicClientCert{
    55. 

  55. 		reload:     reload,
    56. 

  56. 		connDialer: connrotation.NewDialer(connrotation.DialFunc(dial)),
    57. 

  57. 		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "DynamicClientCertificate"),
    58. 

  58. 	}
    59. 

  59. 

  60. 	return d
    61. 

  61. }
    62. 

  62. 

  63. // loadClientCert calls the callback and rotates connections if needed
    64. 

  64. func (c *dynamicClientCert) loadClientCert() (*tls.Certificate, error) {
    65. 

  65. 	cert, err := c.reload(nil)
    66. 

  66. 	if err != nil {
    67. 

  67. 		return nil, err
    68. 

  68. 	}
    69. 

  69. 

  70. 	// check to see if we have a change. If the values are the same, do nothing.
    71. 

  71. 	c.certMtx.RLock()
    72. 

  72. 	haveCert := c.clientCert != nil
    73. 

  73. 	if certsEqual(c.clientCert, cert) {
    74. 

  74. 		c.certMtx.RUnlock()
    75. 

  75. 		return c.clientCert, nil
    76. 

  76. 	}
    77. 

  77. 	c.certMtx.RUnlock()
    78. 

  78. 

  79. 	c.certMtx.Lock()
    80. 

  80. 	c.clientCert = cert
    81. 

  81. 	c.certMtx.Unlock()
    82. 

  82. 

  83. 	// The first certificate requested is not a rotation that is worth closing connections for
    84. 

  84. 	if !haveCert {
    85. 

  85. 		return cert, nil
    86. 

  86. 	}
    87. 

  87. 

  88. 	klog.V(1).Infof("certificate rotation detected, shutting down client connections to start using new credentials")
    89. 

  89. 	c.connDialer.CloseAll()
    90. 

  90. 

  91. 	return cert, nil
    92. 

  92. }
    93. 

  93. 

  94. // certsEqual compares tls Certificates, ignoring the Leaf which may get filled in dynamically
    95. 

  95. func certsEqual(left, right *tls.Certificate) bool {
    96. 

  96. 	if left == nil || right == nil {
    97. 

  97. 		return left == right
    98. 

  98. 	}
    99. 

  99. 

  100. 	if !byteMatrixEqual(left.Certificate, right.Certificate) {
    101. 

  101. 		return false
    102. 

  102. 	}
    103. 

  103. 

  104. 	if !reflect.DeepEqual(left.PrivateKey, right.PrivateKey) {
    105. 

  105. 		return false
    106. 

  106. 	}
    107. 

  107. 

  108. 	if !byteMatrixEqual(left.SignedCertificateTimestamps, right.SignedCertificateTimestamps) {
    109. 

  109. 		return false
    110. 

  110. 	}
    111. 

  111. 

  112. 	if !bytes.Equal(left.OCSPStaple, right.OCSPStaple) {
    113. 

  113. 		return false
    114. 

  114. 	}
    115. 

  115. 

  116. 	return true
    117. 

  117. }
    118. 

  118. 

  119. func byteMatrixEqual(left, right [][]byte) bool {
    120. 

  120. 	if len(left) != len(right) {
    121. 

  121. 		return false
    122. 

  122. 	}
    123. 

  123. 

  124. 	for i := range left {
    125. 

  125. 		if !bytes.Equal(left[i], right[i]) {
    126. 

  126. 			return false
    127. 

  127. 		}
    128. 

  128. 	}
    129. 

  129. 	return true
    130. 

  130. }
    131. 

  131. 

  132. // run starts the controller and blocks until stopCh is closed.
    133. 

  133. func (c *dynamicClientCert) Run(stopCh <-chan struct{}) {
    134. 

  134. 	defer utilruntime.HandleCrash()
    135. 

  135. 	defer c.queue.ShutDown()
    136. 

  136. 

  137. 	klog.V(3).Infof("Starting client certificate rotation controller")
    138. 

  138. 	defer klog.V(3).Infof("Shutting down client certificate rotation controller")
    139. 

  139. 

  140. 	go wait.Until(c.runWorker, time.Second, stopCh)
    141. 

  141. 

  142. 	go wait.PollImmediateUntil(CertCallbackRefreshDuration, func() (bool, error) {
    143. 

  143. 		c.queue.Add(workItemKey)
    144. 

  144. 		return false, nil
    145. 

  145. 	}, stopCh)
    146. 

  146. 

  147. 	<-stopCh
    148. 

  148. }
    149. 

  149. 

  150. func (c *dynamicClientCert) runWorker() {
    151. 

  151. 	for c.processNextWorkItem() {
    152. 

  152. 	}
    153. 

  153. }
    154. 

  154. 

  155. func (c *dynamicClientCert) processNextWorkItem() bool {
    156. 

  156. 	dsKey, quit := c.queue.Get()
    157. 

  157. 	if quit {
    158. 

  158. 		return false
    159. 

  159. 	}
    160. 

  160. 	defer c.queue.Done(dsKey)
    161. 

  161. 

  162. 	_, err := c.loadClientCert()
    163. 

  163. 	if err == nil {
    164. 

  164. 		c.queue.Forget(dsKey)
    165. 

  165. 		return true
    166. 

  166. 	}
    167. 

  167. 

  168. 	utilruntime.HandleError(fmt.Errorf("%v failed with : %v", dsKey, err))
    169. 

  169. 	c.queue.AddRateLimited(dsKey)
    170. 

  170. 

  171. 	return true
    172. 

  172. }
    173. 

  173. 

  174. func (c *dynamicClientCert) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
    175. 

  175. 	return c.loadClientCert()
    176. 

  176. }
    177.