Virtual kubelet: improve certificates management

This commit refactors the logic used by the virtual kubelet to generate the certificate of the server (i.e., for logs/exec/metrics), in order to ensure its correctness when the pod is restarted (thus, changing the internal node IP), as well as supporting renewal when appropriate.
liqotech · Jul 22, 2022 · 9c43abb · 9c43abb
1 parent 24baa74
commit 9c43abb
Show file tree

Hide file tree

Showing 33 changed files with 229 additions and 1,104 deletions.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -79,7 +79,6 @@ jobs:
         - crd-replicator
         - liqo-controller-manager
         - discovery
-        - init-virtual-kubelet
         - liqonet
         - uninstaller
         - virtual-kubelet
@@ -330,6 +329,6 @@ jobs:
           tag: ${{ needs.configure.outputs.commit-ref }}
           name: ${{ needs.configure.outputs.commit-ref }}
           prerelease: ${{ steps.semver_parser.outputs.prerelease != '' }}
-      
+
       - name: Update new version in krew-index
         uses: rajatjindal/[email protected]
diff --git a/cmd/init-virtual-kubelet/main.go b/cmd/init-virtual-kubelet/main.go
diff --git a/cmd/liqo-controller-manager/main.go b/cmd/liqo-controller-manager/main.go
@@ -17,12 +17,16 @@ package main
 import (
 	"crypto/tls"
 	"flag"
+	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
+	certificates "k8s.io/api/certificates/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/selection"
@@ -58,19 +62,13 @@ import (
 	peeringroles "github.com/liqotech/liqo/pkg/peering-roles"
 	tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"
 	argsutils "github.com/liqotech/liqo/pkg/utils/args"
+	"github.com/liqotech/liqo/pkg/utils/csr"
 	liqoerrors "github.com/liqotech/liqo/pkg/utils/errors"
 	"github.com/liqotech/liqo/pkg/utils/mapper"
 	"github.com/liqotech/liqo/pkg/utils/restcfg"
-	"github.com/liqotech/liqo/pkg/vkMachinery"
-	"github.com/liqotech/liqo/pkg/vkMachinery/csr"
 	"github.com/liqotech/liqo/pkg/vkMachinery/forge"
 )
 
-const (
-	defaultVKImage     = "liqo/virtual-kubelet"
-	defaultInitVKImage = "liqo/init-virtual-kubelet"
-)
-
 var (
 	scheme = runtime.NewScheme()
 )
@@ -131,9 +129,7 @@ func main() {
 		"The threshold (in percentage) of resources quantity variation which triggers a ResourceOffer update")
 
 	// Virtual-kubelet parameters
-	kubeletImage := flag.String("kubelet-image", defaultVKImage, "The image of the virtual kubelet to be deployed")
-	initKubeletImage := flag.String("init-kubelet-image", defaultInitVKImage,
-		"The image of the virtual kubelet init container to be deployed")
+	kubeletImage := flag.String("kubelet-image", "liqo/virtual-kubelet", "The image of the virtual kubelet to be deployed")
 	disableKubeletCertGeneration := flag.Bool("disable-kubelet-certificate-generation", false,
 		"Whether to disable the virtual kubelet certificate generation by means of an init container (used for logs/exec capabilities)")
 	flag.Var(&kubeletExtraAnnotations, "kubelet-extra-annotations", "Extra annotations to add to the Virtual Kubelet Deployments and Pods")
@@ -279,7 +275,6 @@ func main() {
 
 	virtualKubeletOpts := &forge.VirtualKubeletOpts{
 		ContainerImage:        *kubeletImage,
-		InitContainerImage:    *initKubeletImage,
 		DisableCertGeneration: *disableKubeletCertGeneration,
 		ExtraAnnotations:      kubeletExtraAnnotations.StringMap,
 		ExtraLabels:           kubeletExtraLabels.StringMap,
@@ -335,8 +330,14 @@ func main() {
 	}
 
 	// Start the handler to approve the virtual kubelet certificate signing requests.
-	csrWatcher := csr.NewWatcher(clientset, *resyncPeriod, labels.SelectorFromSet(vkMachinery.CsrLabels))
-	csrWatcher.RegisterHandler(csr.ApproverHandler(clientset, "LiqoApproval", "This CSR was approved by Liqo"))
+	csrWatcher := csr.NewWatcher(clientset, *resyncPeriod, labels.Everything(),
+		fields.OneTermEqualSelector("spec.signerName", certificates.KubeletServingSignerName))
+	csrWatcher.RegisterHandler(csr.ApproverHandler(clientset, "LiqoApproval", "This CSR was approved by Liqo",
+		// Approve only the CSRs for a requestor living in a liqo tenant namespace (based on the prefix).
+		// This is far from elegant, but the client-go utility generating the CSRs does not allow to customize the labels.
+		func(csr *certificates.CertificateSigningRequest) bool {
+			return strings.HasPrefix(csr.Spec.Username, fmt.Sprintf("system:serviceaccount:%v-", tenantnamespace.NamePrefix))
+		}))
 	csrWatcher.Start(ctx)
 
 	if err = mgr.Add(offerUpdater); err != nil {

diff --git a/cmd/virtual-kubelet/root/flag.go b/cmd/virtual-kubelet/root/flag.go
@@ -36,8 +36,9 @@ func InstallFlags(flags *pflag.FlagSet, o *Opts) {
 	flags.StringVar(&o.ForeignCluster.ClusterName, "foreign-cluster-name", o.ForeignCluster.ClusterName, "The name of the foreign cluster")
 	flags.StringVar(&o.LiqoIpamServer, "ipam-server", o.LiqoIpamServer, "The address to contact the IPAM module")
 
+	flags.StringVar(&o.NodeIP, "node-ip", o.NodeIP, "The IP address of the virtual kubelet pod, and assigned to the virtual node as internal address")
+	flags.BoolVar(&o.SelfSignedCertificate, "self-signed-certificate", false, "Whether to use a self-signed certificate for the virtual kubelet server")
 	flags.Uint16Var(&o.ListenPort, "listen-port", o.ListenPort, "The port to listen to for requests from the Kubernetes API server")
-	flags.StringVar(&o.MetricsAddress, "metrics-address", o.MetricsAddress, "Address to listen for metrics/stats requests")
 	flags.BoolVar(&o.EnableProfiling, "enable-profiling", o.EnableProfiling, "Enable pprof profiling")
 
 	flags.UintVar(&o.PodWorkers, "pod-reflection-workers", o.PodWorkers, "The number of pod reflection workers")