add log
Signed-off-by: clyi <[email protected]>
changluyi committed Aug 12, 2024
1 parent ef40eb0 commit d155522
Showing 2 changed files with 24 additions and 0 deletions.
4 changes: 4 additions & 0 deletions pkg/controller/signer.go
Expand Up @@ -247,6 +247,7 @@ func getCertApprovalCondition(status *csrv1.CertificateSigningRequestStatus) (ap
func newCertificateTemplate(certReq *x509.CertificateRequest) *x509.Certificate {
serialNumber, err := rand.Int(rand.Reader, big.NewInt(1<<62))
if err != nil {
klog.Errorf("failed to generate serial number: %v", err)
return nil
}

Expand All @@ -269,10 +270,12 @@ func newCertificateTemplate(certReq *x509.CertificateRequest) *x509.Certificate
func signCSR(template *x509.Certificate, requestKey c.PublicKey, issuer *x509.Certificate, issuerKey c.PrivateKey) (*x509.Certificate, error) {
derBytes, err := x509.CreateCertificate(rand.Reader, template, issuer, requestKey, issuerKey)
if err != nil {
klog.Error(err)
return nil, err
}
certs, err := x509.ParseCertificates(derBytes)
if err != nil {
klog.Errorf("failed to parse certificate: %v", err)
return nil, err
}
if len(certs) != 1 {
Expand Down Expand Up @@ -311,6 +314,7 @@ func decodePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {

key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
klog.Error(err)
return nil, err
}

20 changes: 20 additions & 0 deletions pkg/daemon/ipsec.go
Expand Up @@ -33,6 +33,7 @@ func getOVSSystemID() (string, error) {
cmd := exec.Command("ovs-vsctl", "--retry", "-t", "60", "get", "Open_vSwitch", ".", "external-ids:system-id")
output, err := cmd.Output()
if err != nil {
klog.Errorf("failed to get ovs system id: %v", err)
return "", err
}
systemID := strings.ReplaceAll(string(output), "\"", "")
Expand Down Expand Up @@ -71,13 +72,15 @@ func checkCertExpired() (bool, error) {
func generateCSRCode() ([]byte, error) {
cn, err := getOVSSystemID()
if err != nil {
klog.Errorf("failed to get ovs system id: %v", err)
return nil, err
}

klog.Infof("ovs system id: %s", cn)
cmd := exec.Command("openssl", "genrsa", "-out", ipsecPrivKeyPath, "2048")
err = cmd.Run()
if err != nil {
klog.Errorf("failed to generate private key: %v", err)
return nil, err
}

Expand All @@ -97,11 +100,13 @@ func generateCSRCode() ([]byte, error) {
"-out", ipsecReqPath) // #nosec
err = cmd.Run()
if err != nil {
klog.Errorf("failed to generate csr: %v", err)
return nil, err
}

csrBytes, err := os.ReadFile(ipsecReqPath)
if err != nil {
klog.Errorf("failed to read csr: %v", err)
return nil, err
}

Expand All @@ -127,6 +132,7 @@ func (c *Controller) createCSR(csrBytes []byte) error {
}

if _, err := c.config.KubeClient.CertificatesV1().CertificateSigningRequests().Create(context.Background(), csr, metav1.CreateOptions{}); err != nil {
klog.Errorf("failed to create csr: %v", err)
return err
}

Expand All @@ -136,6 +142,7 @@ func (c *Controller) createCSR(csrBytes []byte) error {
for {
csr, err := c.config.KubeClient.CertificatesV1().CertificateSigningRequests().Get(context.Background(), csr.Name, metav1.GetOptions{})
if err != nil {
klog.Errorf("failed to get csr: %v", err)
return err
}
if len(csr.Status.Certificate) != 0 {
Expand All @@ -145,6 +152,7 @@ func (c *Controller) createCSR(csrBytes []byte) error {
counter++
time.Sleep(time.Second)
if counter > 300 {
klog.Errorf("failed to sign certificate after %d seconds", counter)
return fmt.Errorf("unable to sign certificate after %d seconds", counter)
}
}
Expand All @@ -157,23 +165,27 @@ func (c *Controller) createCSR(csrBytes []byte) error {

_, err := cmd.CombinedOutput()
if err != nil {
klog.Errorf("failed to generate cert: %v", err)
return err
}

klog.Infof("ipsec Cert file %s generated", ipsecCertPath)
secret, err := c.config.KubeClient.CoreV1().Secrets("kube-system").Get(context.Background(), util.DefaultOVNIPSecCA, metav1.GetOptions{})
if err != nil {
klog.Errorf("failed to get secret: %v", err)
return err
}

output := secret.Data["cacert"]
if err := os.WriteFile(ipsecCACertPath, output, 0o600); err != nil {
klog.Errorf("failed to write file: %v", err)
return err
}

klog.Infof("ipsec CA Cert file %s generated", ipsecCACertPath)
// the csr is no longer needed
if err := c.config.KubeClient.CertificatesV1().CertificateSigningRequests().Delete(context.Background(), csr.Name, metav1.DeleteOptions{}); err != nil {
klog.Errorf("failed to delete csr: %v", err)
return err
}

Expand Down Expand Up @@ -211,6 +223,7 @@ func unconfigureOVSWithIPSecKeys() error {
func linkCACertToIPSecDir() error {
cmd := exec.Command("ln", "-s", ipsecCACertPath, "/etc/ipsec.d/cacerts/")
if err := cmd.Run(); err != nil {
klog.Errorf("failed to link cacert: %v", err)
return err
}
return nil
Expand All @@ -220,29 +233,35 @@ func clearCACertToIPSecDir() error {
// clear /etc/openvswitch/keys/ipsec-cacert.pem
cmd := exec.Command("rm", "-f", "/etc/openvswitch/keys/ipsec-cacert.pem")
if err := cmd.Run(); err != nil {
klog.Errorf("failed to clear cacert: %v", err)
return err
}
return nil
}

func initIPSecKeysDir() error {
if err := os.MkdirAll(ipsecKeyDir, 0o755); err != nil {
klog.Errorf("failed to create %s: %v", ipsecKeyDir, err)
return err
}
return nil
}

func clearIPSecKeysDir() error {
if err := os.Remove(ipsecPrivKeyPath); err != nil && !os.IsNotExist(err) {
klog.Errorf("failed to remove %s: %v", ipsecPrivKeyPath, err)
return err
}
if err := os.Remove(ipsecReqPath); err != nil && !os.IsNotExist(err) {
klog.Errorf("failed to remove %s: %v", ipsecReqPath, err)
return err
}
if err := os.Remove(ipsecCACertPath); err != nil && !os.IsNotExist(err) {
klog.Errorf("failed to remove %s: %v", ipsecCACertPath, err)
return err
}
if err := os.Remove(ipsecCertPath); err != nil && !os.IsNotExist(err) {
klog.Errorf("failed to remove %s: %v", ipsecCertPath, err)
return err
}
return nil
Expand All @@ -258,6 +277,7 @@ func (c *Controller) ManageIPSecKeys() error {
} else {
checkCertExpired, err := checkCertExpired()
if err != nil {
klog.Errorf("check ipsec cert expired error: %v", err)
return err
}
if !checkCertExpired {
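Review bot: In createCSR, `_, err := cmd.CombinedOutput()` still discards the command's output while the new `klog.Errorf("failed to generate cert: %v", err)` logs only the exit error, which for a process failure is typically no more than `exit status 1`; capturing it as `output, err := cmd.CombinedOutput()` and logging `klog.Errorf("failed to generate cert: %v, output: %s", err, output)` would make the failure diagnosable (the command is assembled above the hunk, so confirm its output cannot include key material before logging it). The same error is also now logged twice on one path: getOVSSystemID logs `failed to get ovs system id` and generateCSRCode logs the identical message for the error it just received, and in the CSR wait loop `klog.Errorf("failed to sign certificate after %d seconds", counter)` duplicates the `fmt.Errorf` returned on the next line. Logging where the error is finally handled, or wrapping with `%w` where context is added, would avoid the duplicate entries. The enclosing functions in this section start or end outside their hunks.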
