Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix the bug that tunnel-agent/tunnel-server crashes when the local certificate can not be loaded correctly #378

Merged
merged 1 commit into from
Jul 13, 2021

Conversation

SataQiu
Copy link
Member

@SataQiu SataQiu commented Jul 6, 2021

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fix the bug that tunnel-agent/tunnel-server crashes when the local certificate can not be loaded correctly

Which issue(s) this PR fixes:

Fixes #377

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix the bug that tunnel-agent/tunnel-server crashes when the local certificate can not be loaded correctly

other Note

…rtificate can not be loaded correctly

Signed-off-by: SataQiu <1527062125@qq.com>
@openyurt-bot openyurt-bot added the kind/bug kind/bug label Jul 6, 2021
@openyurt-bot openyurt-bot requested review from Peeknut and yixingjia July 6, 2021 07:46
@openyurt-bot openyurt-bot added the size/M size/M: 30-99 label Jul 6, 2021
@SataQiu
Copy link
Member Author

SataQiu commented Jul 6, 2021

With this patch, the tunnel-agent can recover from a damaged certificate automatically:

I0706 07:40:48.416970       1 start.go:48] yurttunnel-agent version: projectinfo.Info{GitVersion:"v0.4.0", GitCommit:"9426d63", BuildDate:"2021-07-06T07:26:53Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
I0706 07:40:48.417017       1 options.go:136] ipv4=172.16.247.51&host=izbp1ikl8dfbhoc2661jufz is set for agent identifies
I0706 07:40:48.417021       1 options.go:141] neither --kube-config nor --apiserver-addr is set, will use /etc/kubernetes/kubelet.conf as the kubeconfig
I0706 07:40:48.417024       1 options.go:145] create the clientset based on the kubeconfig(/etc/kubernetes/kubelet.conf).
I0706 07:40:48.436797       1 start.go:84] yurttunnel-server address: 122.43.234.97:32502
I0706 07:40:48.436840       1 certificate_store.go:130] Loading cert/key pair from "/var/lib/yurttunnel-agent/pki/yurttunnel-agent-current.pem".
W0706 07:40:48.436904       1 filestore_wrapper.go:50] unexpected error occurred when loading the certificate: could not convert data from "/var/lib/yurttunnel-agent/pki/yurttunnel-agent-current.pem" into cert/key pair: tls: failed to find any PEM data in certificate input, will regenerate it
I0706 07:40:48.437075       1 anpagent.go:57] start serving grpc request redirected from yurttunnel-server: 122.43.234.97:32502
I0706 07:40:48.437194       1 util.go:45] "start handling meta requests(metrics/pprof)" server endpoint="127.0.0.1:10266"
E0706 07:41:08.437575       1 clientset.go:156] "cannot sync once" err="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 122.43.234.97:32502: i/o timeout\""
E0706 07:41:33.650318       1 clientset.go:156] "cannot sync once" err="rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 122.43.234.97:32502: i/o timeout\""

@SataQiu
Copy link
Member Author

SataQiu commented Jul 6, 2021

We do not need to check the DNSNames and IPAddresses of the local certificate, because the cert-manager has already checked it for us: https://github.com/kubernetes/client-go/blob/ca3a47f0b44a052c089e90389cfaf8a4b9ef98ad/util/certificate/certificate_manager.go#L582-L584

	if !m.certSatisfiesTemplateLocked() {
		return m.now()
	}

@SataQiu
Copy link
Member Author

SataQiu commented Jul 6, 2021

/assign @rambohe-ch

@SataQiu
Copy link
Member Author

SataQiu commented Jul 12, 2021

@Fei-Guo PTAL!

@rambohe-ch
Copy link
Member

/lgtm

@openyurt-bot openyurt-bot added the lgtm lgtm label Jul 13, 2021
@rambohe-ch
Copy link
Member

We do not need to check the DNSNames and IPAddresses of the local certificate, because the cert-manager has already checked it for us: https://github.com/kubernetes/client-go/blob/ca3a47f0b44a052c089e90389cfaf8a4b9ef98ad/util/certificate/certificate_manager.go#L582-L584

	if !m.certSatisfiesTemplateLocked() {
		return m.now()
	}

It looks like that certificate will be updated automatically if dnsnames or ips changed. yes, so we do not need to check alternate name values again.

@rambohe-ch
Copy link
Member

/approve

@openyurt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rambohe-ch, SataQiu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openyurt-bot openyurt-bot added the approved approved label Jul 13, 2021
@openyurt-bot openyurt-bot merged commit 2ac7fd4 into openyurtio:master Jul 13, 2021
MrGirl pushed a commit to MrGirl/openyurt that referenced this pull request Mar 29, 2022
…rtificate can not be loaded correctly (openyurtio#378)

Signed-off-by: SataQiu <1527062125@qq.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved approved kind/bug kind/bug lgtm lgtm size/M size/M: 30-99
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[BUG] tunnel-agent crashes when the local certificate can not be loaded correctly
3 participants