update certificate automatically

cmd/yurt-tunnel-server/app/start.go

@@ -103,7 +103,7 @@ func Run(cfg *config.CompletedConfig, stopCh <-chan struct{}) error {
 
 	// 2. create a certificate manager for the tunnel server and run the
 	// csr approver for both yurttunnel-server and yurttunnel-agent
-	serverCertMgr, err := certmanager.NewYurttunnelServerCertManager(cfg.Client, cfg.CertDNSNames, cfg.CertIPs, stopCh)
+	serverCertMgr, err := certmanager.NewYurttunnelServerCertManager(cfg.Client, cfg.SharedInformerFactory, cfg.CertDNSNames, cfg.CertIPs, stopCh)
 	if err != nil {
 		return err
 	}

hack/lib/release-images.sh

@@ -141,7 +141,6 @@ EOF
                ln "${binary_path}" "${docker_build_path}/${binary_name}"
                docker build --no-cache -t "${yurt_component_image}" -f "${docker_file_path}" ${docker_build_path}
                docker save ${yurt_component_image} > ${YURT_IMAGE_DIR}/${yurt_component_name}-${SUPPORTED_OS}-${arch}.tar
-               rm -rf ${docker_build_path}
             fi
         done
     done

hack/local_up_openyurt.sh

@@ -120,9 +120,19 @@ function gen_kind_config {
     # fill name:tag of images and fill bin dir
     local bindir=$(escape_slash ${YURT_LOCAL_BIN_DIR}/${LOCAL_OS}/${LOCAL_ARCH})
     local node_image=$(escape_slash $(echo ${KIND_NODE_IMAGES[${minor}-18]}))
-    sed -i "s/image: |fill image here|$/image: ${node_image}/g 
+
+    # there are some differences between UNIX and Linux when executing the SED command.
+    # just add a "" blank character after the - i instruction
+    if [ $LOCAL_OS == "darwin" ]; then
+      bindir=$(escape_slash ${YURT_LOCAL_BIN_DIR}/"linux"/${LOCAL_ARCH})
+      sed -i "" "s/image: |fill image here|$/image: ${node_image}/g
+          s/- hostPath: |fill local bin dir|/- hostPath: ${bindir}/g" \
+              ${gen_config_path}
+    else
+      sed -i "s/image: |fill image here|$/image: ${node_image}/g
         s/- hostPath: |fill local bin dir|/- hostPath: ${bindir}/g" \
-            ${gen_config_path}    
+            ${gen_config_path}
+    fi
 }
 
 function install_kind {
@@ -172,6 +182,10 @@ function build_target_binaries_and_images {
 function kind_load_images {
     local postfix="${LOCAL_OS}-${LOCAL_ARCH}.tar"
 
+    if [[ ${LOCAL_OS} == "darwin" ]]; then
+      postfix="linux-${LOCAL_ARCH}.tar"
+    fi 
+
     for bin in ${BUILD_TARGETS[@]}; do
         local imagename="${bin}-${postfix}"
 
@@ -262,7 +276,7 @@ function get_kubeconfig {
 function cleanup {
     rm -rf ${YURT_ROOT}/_output
     rm -rf ${YURT_ROOT}/dockerbuild
-    rm -f ${KIND_CONFIG} 
+    rm -f ${KIND_CONFIG}
     kind delete clusters ${CLUSTER_NAME}
 }
 

pkg/projectinfo/projectinfo.go

@@ -55,6 +55,11 @@ func GetServerName() string {
 	return projectPrefix + "tunnel-server"
 }
 
+// tunnel server label: yurt-tunnel-server
+func YurtTunnelServerLabel() string {
+	return projectPrefix + "-tunnel-server"
+}
+
 // Agent name: yurttunnel-agent
 func GetAgentName() string {
 	return projectPrefix + "tunnel-agent"

pkg/yurttunnel/dns/dns.go

@@ -137,9 +137,11 @@ func NewCoreDNSRecordController(client clientset.Interface,
 
 // newServiceInformer creates a shared index informer that returns only interested services
 func newServiceInformer(cs clientset.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	selector := fmt.Sprintf("metadata.name=%v", constants.YurttunnelServerInternalServiceName)
+	// this informer will be used by coreDNSRecordController and certificate manager,
+	// so it should return x-tunnel-server-svc and x-tunnel-server-internal-svc
+	selector := fmt.Sprintf("name=%v", projectinfo.YurtTunnelServerLabel())
 	tweakListOptions := func(options *metav1.ListOptions) {
-		options.FieldSelector = selector
+		options.LabelSelector = selector
 	}
 	return coreinformers.NewFilteredServiceInformer(cs, constants.YurttunnelServerServiceNs, resyncPeriod, nil, tweakListOptions)
 }

pkg/yurttunnel/pki/certmanager/certmanager.go

@@ -32,11 +32,15 @@ import (
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/server/serveraddr"
 
 	certificates "k8s.io/api/certificates/v1beta1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	coreinformers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
 	clicert "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/certificate"
 	"k8s.io/klog/v2"
 )
@@ -45,15 +49,20 @@ import (
 // the yurttunnel-server
 func NewYurttunnelServerCertManager(
 	clientset kubernetes.Interface,
+	factory informers.SharedInformerFactory,
 	clCertNames []string,
 	clIPs []net.IP,
 	stopCh <-chan struct{}) (certificate.Manager, error) {
-	// get server DNS names and IPs
 	var (
 		dnsNames = []string{}
 		ips      = []net.IP{}
 		err      error
 	)
+
+	// add endPoints informer
+	factory.InformerFor(&v1.Endpoints{}, newEndPointsInformer)
+
+	// the ips and dnsNames should be acquired through api-server at the first time, because the informer factory has not started yet.
 	_ = wait.PollUntil(5*time.Second, func() (bool, error) {
 		dnsNames, ips, err = serveraddr.GetYurttunelServerDNSandIP(clientset)
 		if err != nil {
@@ -76,11 +85,18 @@ func NewYurttunnelServerCertManager(
 
 		return true, nil
 	}, stopCh)
-	// add user specified DNS anems and IP addresses
+	// add user specified DNS names and IP addresses
 	dnsNames = append(dnsNames, clCertNames...)
 	ips = append(ips, clIPs...)
 	klog.Infof("subject of tunnel server certificate, ips=%#+v, dnsNames=%#+v", ips, dnsNames)
 
+	// the dynamic ip acquire func
+	getIPs := func() ([]net.IP, error) {
+		_, dynamicIPs, err := serveraddr.YurttunnelServerAddrManager(factory)
+		dynamicIPs = append(dynamicIPs, clIPs...)
+		return dynamicIPs, err
+	}
+
 	return newCertManager(
 		clientset,
 		projectinfo.GetServerName(),
@@ -94,7 +110,8 @@ func NewYurttunnelServerCertManager(
 			certificates.UsageServerAuth,
 			certificates.UsageClientAuth,
 		},
-		ips)
+		ips,
+		getIPs)
 }
 
 // NewYurttunnelAgentCertManager creates a certificate manager for
@@ -121,7 +138,8 @@ func NewYurttunnelAgentCertManager(
 			certificates.UsageDigitalSignature,
 			certificates.UsageClientAuth,
 		},
-		[]net.IP{net.ParseIP(nodeIP)})
+		[]net.IP{net.ParseIP(nodeIP)},
+		nil)
 }
 
 // NewCertManager creates a certificate manager that will generates a
@@ -134,21 +152,30 @@ func newCertManager(
 	organizations,
 	dnsNames []string,
 	keyUsages []certificates.KeyUsage,
-	ipAddrs []net.IP) (certificate.Manager, error) {
+	ips []net.IP,
+	getIPs serveraddr.GetIPs) (certificate.Manager, error) {
 	certificateStore, err :=
 		store.NewFileStoreWrapper(componentName, certDir, certDir, "", "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize the server certificate store: %v", err)
 	}
 
 	getTemplate := func() *x509.CertificateRequest {
+		// use dynamic ips
+		if getIPs != nil {
+			tmpIPs, err := getIPs()
+			if err == nil && len(tmpIPs) != 0 {
+				klog.Infof("the latest tunnel server's ips=%#+v", tmpIPs)
+				ips = tmpIPs
+			}
+		}
 		return &x509.CertificateRequest{
 			Subject: pkix.Name{
 				CommonName:   commonName,
 				Organization: organizations,
 			},
 			DNSNames:    dnsNames,
-			IPAddresses: ipAddrs,
+			IPAddresses: ips,
 		}
 	}
 
@@ -167,3 +194,12 @@ func newCertManager(
 
 	return certManager, nil
 }
+
+// newEndPointsInformer creates a shared index informer that returns only interested endpoints
+func newEndPointsInformer(cs kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	selector := fmt.Sprintf("metadata.name=%v", constants.YurttunnelEndpointsName)
+	tweakListOptions := func(options *metav1.ListOptions) {
+		options.FieldSelector = selector
+	}
+	return coreinformers.NewFilteredEndpointsInformer(cs, constants.YurttunnelEndpointsNs, resyncPeriod, nil, tweakListOptions)
+}