resolve conflict

cmd/yurt-controller-manager/app/controllermanager.go

@@ -287,6 +287,7 @@ var ControllersDisabledByDefault = sets.NewString()
 func NewControllerInitializers() map[string]InitFunc {
 	controllers := map[string]InitFunc{}
 	controllers["nodelifecycle"] = startNodeLifecycleController
+	controllers["yurthubcsrapprover"] = startYurtHubCSRApproverController
 
 	return controllers
 }

cmd/yurt-controller-manager/app/core.go

@@ -25,6 +25,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/openyurtio/openyurt/pkg/controller/certificates"
 	lifecyclecontroller "github.com/openyurtio/openyurt/pkg/controller/nodelifecycle"
 )
 
@@ -53,3 +54,11 @@ func startNodeLifecycleController(ctx ControllerContext) (http.Handler, bool, er
 	go lifecycleController.Run(ctx.Stop)
 	return nil, true, nil
 }
+
+func startYurtHubCSRApproverController(ctx ControllerContext) (http.Handler, bool, error) {
+	clientSet := ctx.ClientBuilder.ClientOrDie("csr-controller")
+	go certificates.NewCSRApprover(clientSet, ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests()).
+		Run(certificates.YurtHubCSRApproverThreadiness, ctx.Stop)
+
+	return nil, true, nil
+}

cmd/yurthub/app/config/config.go

@@ -17,6 +17,7 @@ limitations under the License.
 package config
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/url"
@@ -44,33 +45,36 @@ import (
 
 // YurtHubConfiguration represents configuration of yurthub
 type YurtHubConfiguration struct {
-	LBMode                      string
-	RemoteServers               []*url.URL
-	YurtHubServerAddr           string
-	YurtHubProxyServerAddr      string
-	YurtHubProxyServerDummyAddr string
-	GCFrequency                 int
-	CertMgrMode                 string
-	KubeletRootCAFilePath       string
-	KubeletPairFilePath         string
-	NodeName                    string
-	HeartbeatFailedRetry        int
-	HeartbeatHealthyThreshold   int
-	HeartbeatTimeoutSeconds     int
-	MaxRequestInFlight          int
-	JoinToken                   string
-	RootDir                     string
-	EnableProfiling             bool
-	EnableDummyIf               bool
-	EnableIptables              bool
-	HubAgentDummyIfName         string
-	StorageWrapper              cachemanager.StorageWrapper
-	SerializerManager           *serializer.SerializerManager
-	RESTMapperManager           *meta.RESTMapperManager
-	MutatedMasterServiceAddr    string
-	Filters                     *filter.Filters
-	SharedFactory               informers.SharedInformerFactory
-	YurtSharedFactory           yurtinformers.SharedInformerFactory
+	LBMode                            string
+	RemoteServers                     []*url.URL
+	YurtHubServerAddr                 string
+	YurtHubProxyServerAddr            string
+	YurtHubProxyServerSecureAddr      string
+	YurtHubProxyServerDummyAddr       string
+	YurtHubProxyServerSecureDummyAddr string
+	GCFrequency                       int
+	CertMgrMode                       string
+	KubeletRootCAFilePath             string
+	KubeletPairFilePath               string
+	NodeName                          string
+	HeartbeatFailedRetry              int
+	HeartbeatHealthyThreshold         int
+	HeartbeatTimeoutSeconds           int
+	MaxRequestInFlight                int
+	JoinToken                         string
+	RootDir                           string
+	EnableProfiling                   bool
+	EnableDummyIf                     bool
+	EnableIptables                    bool
+	HubAgentDummyIfName               string
+	StorageWrapper                    cachemanager.StorageWrapper
+	SerializerManager                 *serializer.SerializerManager
+	RESTMapperManager                 *meta.RESTMapperManager
+	TLSConfig                         *tls.Config
+	MutatedMasterServiceAddr          string
+	Filters                           *filter.Filters
+	SharedFactory                     informers.SharedInformerFactory
+	YurtSharedFactory                 yurtinformers.SharedInformerFactory
 }
 
 // Complete converts *options.YurtHubOptions to *YurtHubConfiguration
@@ -91,8 +95,9 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) {
 
 	hubServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubPort)
 	proxyServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubProxyPort)
+	proxySecureServerAddr := net.JoinHostPort(options.YurtHubHost, options.YurtHubProxySecurePort)
 	proxyServerDummyAddr := net.JoinHostPort(options.HubAgentDummyIfIP, options.YurtHubProxyPort)
-
+	proxySecureServerDummyAddr := net.JoinHostPort(options.HubAgentDummyIfIP, options.YurtHubProxySecurePort)
 	sharedFactory, yurtSharedFactory, err := createSharedInformers(fmt.Sprintf("http://%s", proxyServerAddr))
 	if err != nil {
 		return nil, err
@@ -115,33 +120,35 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) {
 	}
 
 	cfg := &YurtHubConfiguration{
-		LBMode:                      options.LBMode,
-		RemoteServers:               us,
-		YurtHubServerAddr:           hubServerAddr,
-		YurtHubProxyServerAddr:      proxyServerAddr,
-		YurtHubProxyServerDummyAddr: proxyServerDummyAddr,
-		GCFrequency:                 options.GCFrequency,
-		CertMgrMode:                 options.CertMgrMode,
-		KubeletRootCAFilePath:       options.KubeletRootCAFilePath,
-		KubeletPairFilePath:         options.KubeletPairFilePath,
-		NodeName:                    options.NodeName,
-		HeartbeatFailedRetry:        options.HeartbeatFailedRetry,
-		HeartbeatHealthyThreshold:   options.HeartbeatHealthyThreshold,
-		HeartbeatTimeoutSeconds:     options.HeartbeatTimeoutSeconds,
-		MaxRequestInFlight:          options.MaxRequestInFlight,
-		JoinToken:                   options.JoinToken,
-		RootDir:                     options.RootDir,
-		EnableProfiling:             options.EnableProfiling,
-		EnableDummyIf:               options.EnableDummyIf,
-		EnableIptables:              options.EnableIptables,
-		HubAgentDummyIfName:         options.HubAgentDummyIfName,
-		StorageWrapper:              storageWrapper,
-		SerializerManager:           serializerManager,
-		RESTMapperManager:           restMapperManager,
-		MutatedMasterServiceAddr:    mutatedMasterServiceAddr,
-		Filters:                     filters,
-		SharedFactory:               sharedFactory,
-		YurtSharedFactory:           yurtSharedFactory,
+		LBMode:                            options.LBMode,
+		RemoteServers:                     us,
+		YurtHubServerAddr:                 hubServerAddr,
+		YurtHubProxyServerAddr:            proxyServerAddr,
+		YurtHubProxyServerSecureAddr:      proxySecureServerAddr,
+		YurtHubProxyServerDummyAddr:       proxyServerDummyAddr,
+		YurtHubProxyServerSecureDummyAddr: proxySecureServerDummyAddr,
+		GCFrequency:                       options.GCFrequency,
+		CertMgrMode:                       options.CertMgrMode,
+		KubeletRootCAFilePath:             options.KubeletRootCAFilePath,
+		KubeletPairFilePath:               options.KubeletPairFilePath,
+		NodeName:                          options.NodeName,
+		HeartbeatFailedRetry:              options.HeartbeatFailedRetry,
+		HeartbeatHealthyThreshold:         options.HeartbeatHealthyThreshold,
+		HeartbeatTimeoutSeconds:           options.HeartbeatTimeoutSeconds,
+		MaxRequestInFlight:                options.MaxRequestInFlight,
+		JoinToken:                         options.JoinToken,
+		RootDir:                           options.RootDir,
+		EnableProfiling:                   options.EnableProfiling,
+		EnableDummyIf:                     options.EnableDummyIf,
+		EnableIptables:                    options.EnableIptables,
+		HubAgentDummyIfName:               options.HubAgentDummyIfName,
+		StorageWrapper:                    storageWrapper,
+		SerializerManager:                 serializerManager,
+		RESTMapperManager:                 restMapperManager,
+		MutatedMasterServiceAddr:          mutatedMasterServiceAddr,
+		Filters:                           filters,
+		SharedFactory:                     sharedFactory,
+		YurtSharedFactory:                 yurtSharedFactory,
 	}
 
 	return cfg, nil

cmd/yurthub/app/options/options.go

@@ -38,6 +38,7 @@ type YurtHubOptions struct {
 	YurtHubHost               string
 	YurtHubPort               string
 	YurtHubProxyPort          string
+	YurtHubProxySecurePort    string
 	GCFrequency               int
 	CertMgrMode               string
 	KubeletRootCAFilePath     string
@@ -68,6 +69,7 @@ func NewYurtHubOptions() *YurtHubOptions {
 		YurtHubHost:               "127.0.0.1",
 		YurtHubProxyPort:          "10261",
 		YurtHubPort:               "10267",
+		YurtHubProxySecurePort:    "10268",
 		GCFrequency:               120,
 		CertMgrMode:               util.YurtHubCertificateManagerName,
 		KubeletRootCAFilePath:     util.DefaultKubeletRootCAFilePath,
@@ -121,6 +123,7 @@ func (o *YurtHubOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.YurtHubHost, "bind-address", o.YurtHubHost, "the IP address on which to listen for the --serve-port port.")
 	fs.StringVar(&o.YurtHubPort, "serve-port", o.YurtHubPort, "the port on which to serve HTTP requests(like profiling, metrics) for hub agent.")
 	fs.StringVar(&o.YurtHubProxyPort, "proxy-port", o.YurtHubProxyPort, "the port on which to proxy HTTP requests to kube-apiserver")
+	fs.StringVar(&o.YurtHubProxySecurePort, "proxy-secure-port", o.YurtHubProxySecurePort, "the port on which to proxy HTTPS requests to kube-apiserver")
 	fs.StringVar(&o.ServerAddr, "server-addr", o.ServerAddr, "the address of Kubernetes kube-apiserver,the format is: \"server1,server2,...\"")
 	fs.StringVar(&o.CertMgrMode, "cert-mgr-mode", o.CertMgrMode, "the cert manager mode, kubelet: use certificates that belongs to kubelet, hubself: auto generate client cert for hub agent.")
 	fs.StringVar(&o.KubeletRootCAFilePath, "kubelet-ca-file", o.KubeletRootCAFilePath, "the ca file path used by kubelet.")

cmd/yurthub/app/start.go

@@ -18,6 +18,7 @@ package app
 
 import (
 	"fmt"
+	"path/filepath"
 
 	"github.com/openyurtio/openyurt/cmd/yurthub/app/config"
 	"github.com/openyurtio/openyurt/cmd/yurthub/app/options"
@@ -122,6 +123,14 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error {
 	}
 	trace++
 
+	klog.Infof("%d. create tls config for secure servers ", trace)
+	cfg.TLSConfig, err = server.GenUseCertMgrAndTLSConfig(restConfigMgr, certManager, filepath.Join(cfg.RootDir, "pki"), stopCh)
+	if err != nil {
+		klog.Errorf("could not create tls config, %v", err)
+		return err
+	}
+	trace++
+
 	klog.Infof("%d. new cache manager with storage wrapper and serializer manager", trace)
 	cacheMgr, err := cachemanager.NewCacheManager(cfg.StorageWrapper, cfg.SerializerManager, cfg.RESTMapperManager)
 	if err != nil {
@@ -164,7 +173,7 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error {
 		}
 		networkMgr.Run(stopCh)
 		trace++
-		klog.Infof("%d. new %s server and begin to serve, dummy proxy server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerDummyAddr)
+		klog.Infof("%d. new %s server and begin to serve, dummy proxy server: %s, secure dummy proxy server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerDummyAddr, cfg.YurtHubProxyServerSecureDummyAddr)
 	}
 
 	// start shared informers here
@@ -173,7 +182,7 @@ func Run(cfg *config.YurtHubConfiguration, stopCh <-chan struct{}) error {
 		cfg.YurtSharedFactory.Start(stopCh)
 	}
 
-	klog.Infof("%d. new %s server and begin to serve, proxy server: %s, hub server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerAddr, cfg.YurtHubServerAddr)
+	klog.Infof("%d. new %s server and begin to serve, proxy server: %s, secure proxy server: %s, hub server: %s", trace, projectinfo.GetHubName(), cfg.YurtHubProxyServerAddr, cfg.YurtHubProxyServerSecureAddr, cfg.YurtHubServerAddr)
 	s, err := server.NewYurtHubServer(cfg, certManager, yurtProxyHandler)
 	if err != nil {
 		klog.Errorf("could not create hub server, %v", err)