Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / c6859b05f2d90a36393d2852f0bcf61d8cdd5890 / . / core / nebula / controller / controllers / ca.go
blob: 37b38562547d596f8c9ef3e973a90c88242a2e96 [file] [log] [blame]
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]1package controllers
2
3import (
4 "context"
5 "fmt"
6 "io/ioutil"
7 "os"
8 "os/exec"
9 "path/filepath"
10 "time"
11
12 corev1 "k8s.io/api/core/v1"
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]13 "k8s.io/apimachinery/pkg/api/errors"
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]14 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]15 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
16 "k8s.io/apimachinery/pkg/util/wait"
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]17 corev1informers "k8s.io/client-go/informers/core/v1"
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]18 "k8s.io/client-go/kubernetes"
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]19 corev1listers "k8s.io/client-go/listers/core/v1"
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]20 "k8s.io/client-go/tools/cache"
21 "k8s.io/client-go/util/workqueue"
22 "k8s.io/klog/v2"
23
giolekvac6859b02021-12-09 18:40:51 +0400[diff] [blame^]24 nebulav1 "github.com/giolekva/pcloud/core/nebula/controller/apis/nebula/v1"
25 clientset "github.com/giolekva/pcloud/core/nebula/controller/generated/clientset/versioned"
26 informers "github.com/giolekva/pcloud/core/nebula/controller/generated/informers/externalversions/nebula/v1"
27 listers "github.com/giolekva/pcloud/core/nebula/controller/generated/listers/nebula/v1"
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]28)
29
30var secretImmutable = true
31
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]32type caRef struct {
33 key string
34}
35
36type nodeRef struct {
37 key string
38}
39
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]40type NebulaController struct {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]41 kubeClient kubernetes.Interface
42 nebulaClient clientset.Interface
43 caLister listers.NebulaCALister
44 caSynced cache.InformerSynced
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]45 nodeLister listers.NebulaNodeLister
46 nodeSynced cache.InformerSynced
47 secretLister corev1listers.SecretLister
48 secretSynced cache.InformerSynced
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]49 workqueue workqueue.RateLimitingInterface
50
51 nebulaCert string
52}
53
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]54func NewNebulaController(kubeClient kubernetes.Interface,
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]55 nebulaClient clientset.Interface,
56 caInformer informers.NebulaCAInformer,
57 nodeInformer informers.NebulaNodeInformer,
58 secretInformer corev1informers.SecretInformer,
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]59 nebulaCert string) *NebulaController {
60 c := &NebulaController{
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]61 kubeClient: kubeClient,
62 nebulaClient: nebulaClient,
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]63 caLister: caInformer.Lister(),
64 caSynced: caInformer.Informer().HasSynced,
65 nodeLister: nodeInformer.Lister(),
66 nodeSynced: nodeInformer.Informer().HasSynced,
67 secretLister: secretInformer.Lister(),
68 secretSynced: secretInformer.Informer().HasSynced,
69 workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "Nebula"),
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]70 nebulaCert: nebulaCert,
71 }
72
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]73 caInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
74 AddFunc: c.enqueueCA,
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]75 UpdateFunc: func(_, o interface{}) {
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]76 c.enqueueCA(o)
77 },
78 DeleteFunc: func(o interface{}) {
79 },
80 })
81 nodeInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
82 AddFunc: c.enqueueNode,
83 UpdateFunc: func(_, o interface{}) {
84 c.enqueueNode(o)
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]85 },
86 DeleteFunc: func(o interface{}) {
87 },
88 })
89
90 return c
91}
92
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]93func (c *NebulaController) enqueueCA(o interface{}) {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]94 var key string
95 var err error
96 if key, err = cache.MetaNamespaceKeyFunc(o); err != nil {
97 utilruntime.HandleError(err)
98 return
99 }
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]100 c.workqueue.Add(caRef{key})
101}
102
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]103func (c *NebulaController) enqueueNode(o interface{}) {
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]104 var key string
105 var err error
106 if key, err = cache.MetaNamespaceKeyFunc(o); err != nil {
107 utilruntime.HandleError(err)
108 return
109 }
110 c.workqueue.Add(nodeRef{key})
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]111}
112
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]113func (c *NebulaController) Run(workers int, stopCh <-chan struct{}) error {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]114 defer utilruntime.HandleCrash()
115 defer c.workqueue.ShutDown()
116 klog.Info("Starting NebulaCA controller")
117 klog.Info("Waiting for informer caches to sync")
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]118 if ok := cache.WaitForCacheSync(stopCh, c.caSynced, c.nodeSynced, c.secretSynced); !ok {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]119 return fmt.Errorf("Failed to wait for caches to sync")
120 }
121 fmt.Println("Starting workers")
122 for i := 0; i < workers; i++ {
123 go wait.Until(c.runWorker, time.Second, stopCh)
124 }
125 fmt.Println("Started workers")
126 <-stopCh
127 fmt.Println("Shutting down workers")
128 return nil
129}
130
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]131func (c *NebulaController) runWorker() {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]132 for c.processNextWorkItem() {
133 }
134}
135
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]136func (c *NebulaController) processNextWorkItem() bool {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]137 o, shutdown := c.workqueue.Get()
138 if shutdown {
139 return false
140 }
141 err := func(o interface{}) error {
142 defer c.workqueue.Done(o)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]143 if ref, ok := o.(caRef); ok {
144 if err := c.processCAWithKey(ref.key); err != nil {
145 c.workqueue.AddRateLimited(ref)
146 return fmt.Errorf("Error syncing '%s': %s, requeuing", ref.key, err.Error())
147 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]148 c.workqueue.Forget(o)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]149 fmt.Printf("Successfully synced CA '%s'\n", ref.key)
150 } else if ref, ok := o.(nodeRef); ok {
151 if err := c.processNodeWithKey(ref.key); err != nil {
152 c.workqueue.AddRateLimited(ref)
153 return fmt.Errorf("Error syncing '%s': %s, requeuing", ref.key, err.Error())
154 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]155 c.workqueue.Forget(o)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]156 fmt.Printf("Successfully synced Node '%s'\n", ref.key)
157 } else {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]158 c.workqueue.Forget(o)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]159 utilruntime.HandleError(fmt.Errorf("expected reference in workqueue but got %#v", o))
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]160 return nil
161 }
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]162 c.workqueue.Forget(o)
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]163 return nil
164 }(o)
165 if err != nil {
166 utilruntime.HandleError(err)
167 return true
168 }
169 return true
170}
171
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]172func (c *NebulaController) processCAWithKey(key string) error {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]173 namespace, name, err := cache.SplitMetaNamespaceKey(key)
174 if err != nil {
175 return nil
176 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]177 ca, err := c.caLister.NebulaCAs(namespace).Get(name)
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]178 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]179 if errors.IsNotFound(err) {
180 utilruntime.HandleError(fmt.Errorf("CA '%s' in work queue no longer exists", key))
181 return nil
182 }
183 return err
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]184 }
185 if ca.Status.State == nebulav1.NebulaCAStateReady {
186 fmt.Printf("%s CA is already in Ready state\n", ca.Name)
187 return nil
188 }
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]189 keyDir, err := generateCAKey(ca.Name, c.nebulaCert)
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]190 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]191 return err
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]192 }
193 defer os.RemoveAll(keyDir)
194 secret, err := createSecretFromDir(keyDir)
195 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]196 return err
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]197 }
198 secret.Immutable = &secretImmutable
199 secret.Name = ca.Spec.SecretName
200 _, err = c.kubeClient.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
201 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]202 return err
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]203 }
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]204 err = c.updateCAStatus(ca, nebulav1.NebulaCAStateReady, "Generated credentials")
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]205 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]206 return err
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]207 }
208 return nil
209}
210
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]211func (c *NebulaController) processNodeWithKey(key string) error {
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]212 namespace, name, err := cache.SplitMetaNamespaceKey(key)
213 if err != nil {
214 return nil
215 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]216 node, err := c.nodeLister.NebulaNodes(namespace).Get(name)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]217 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]218 if errors.IsNotFound(err) {
219 utilruntime.HandleError(fmt.Errorf("NebulaNode '%s' in work queue no longer exists", key))
220 return nil
221 }
222 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]223 }
224 if node.Status.State == nebulav1.NebulaNodeStateReady {
225 fmt.Printf("%s Node is already in Ready state\n", node.Name)
226 return nil
227 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]228 ca, err := c.caLister.NebulaCAs(node.Spec.CANamespace).Get(node.Spec.CAName)
229 if err != nil {
230 return err
231 }
232 if ca.Status.State != nebulav1.NebulaCAStateReady {
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]233 return fmt.Errorf("Referenced CA %s is not ready yet.", node.Spec.CAName)
234 }
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]235 caSecret, err := c.secretLister.Secrets(ca.Namespace).Get(ca.Spec.SecretName)
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]236 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]237 if errors.IsNotFound(err) {
238 c.updateNodeStatus(node, nebulav1.NebulaNodeStateError, "Could not find CA secret")
239 }
240 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]241 }
242 dir, err := extractSecret(caSecret)
243 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]244 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]245 }
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]246 if node.Spec.PubKey == "" {
247 if err := generateNodeKey(node.Name, node.Spec.IPCidr, dir, c.nebulaCert); err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]248 return err
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]249 }
250 } else {
251 if err := generateNodeKeyFromPub(node.Name, node.Spec.IPCidr, node.Spec.PubKey, dir, c.nebulaCert); err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]252 return err
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]253 }
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]254 }
255 defer os.RemoveAll(dir)
256 if err := os.Remove(filepath.Join(dir, "ca.key")); err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]257 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]258 }
259 if err := os.Remove(filepath.Join(dir, "ca.png")); err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]260 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]261 }
262 secret, err := createSecretFromDir(dir)
263 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]264 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]265 }
266 secret.Immutable = &secretImmutable
267 secret.Name = node.Spec.SecretName
268 _, err = c.kubeClient.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
269 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]270 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]271 }
272 err = c.updateNodeStatus(node, nebulav1.NebulaNodeStateReady, "Generated credentials")
273 if err != nil {
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]274 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]275 }
276 return nil
277}
278
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]279func (c *NebulaController) updateCAStatus(ca *nebulav1.NebulaCA, state nebulav1.NebulaCAState, msg string) error {
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]280 cp := ca.DeepCopy()
281 cp.Status.State = state
282 cp.Status.Message = msg
283 _, err := c.nebulaClient.LekvaV1().NebulaCAs(cp.Namespace).UpdateStatus(context.TODO(), cp, metav1.UpdateOptions{})
284 return err
285}
286
giolekva695960b2021-10-07 22:00:29 +0400[diff] [blame]287func (c *NebulaController) updateNodeStatus(node *nebulav1.NebulaNode, state nebulav1.NebulaNodeState, msg string) error {
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]288 cp := node.DeepCopy()
289 cp.Status.State = state
290 cp.Status.Message = msg
291 _, err := c.nebulaClient.LekvaV1().NebulaNodes(cp.Namespace).UpdateStatus(context.TODO(), cp, metav1.UpdateOptions{})
292 return err
293}
294
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]295func createSecretFromDir(path string) (*corev1.Secret, error) {
296 all, err := ioutil.ReadDir(path)
297 if err != nil {
298 return nil, err
299 }
300 secret := &corev1.Secret{
301 Data: make(map[string][]byte),
302 }
303 for _, f := range all {
304 if f.IsDir() {
305 continue
306 }
307 d, err := ioutil.ReadFile(filepath.Join(path, f.Name()))
308 if err != nil {
309 return nil, err
310 }
311 secret.Data[f.Name()] = d
312 }
313 return secret, nil
314}
315
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]316func extractSecret(secret *corev1.Secret) (string, error) {
317 tmp, err := os.MkdirTemp("", secret.Name)
318 if err != nil {
319 return "", err
320 }
321 for name, data := range secret.Data {
322 if err := ioutil.WriteFile(filepath.Join(tmp, name), data, 0644); err != nil {
323 defer os.RemoveAll(tmp)
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]324 return "", err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]325 }
326 }
327 return tmp, nil
328}
329
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]330func generateCAKey(name, nebulaCert string) (string, error) {
331 tmp, err := os.MkdirTemp("", name)
332 if err != nil {
333 return "", err
334 }
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]335 cmd := exec.Command(nebulaCert, "ca",
336 "-name", name,
337 "-out-key", filepath.Join(tmp, "ca.key"),
338 "-out-crt", filepath.Join(tmp, "ca.crt"),
339 "-out-qr", filepath.Join(tmp, "ca.png"))
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]340 if d, err := cmd.CombinedOutput(); err != nil {
341 return "", fmt.Errorf(string(d))
giolekva96755fa2021-10-06 21:00:00 +0400[diff] [blame]342 }
343 return tmp, nil
344}
345
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]346func generateNodeKeyFromPub(name, ip, pubKey, dir, nebulaCert string) error {
347 hostPub := filepath.Join(dir, "host.pub")
348 if err := ioutil.WriteFile(hostPub, []byte(pubKey), 0644); err != nil {
349 return err
350 }
351 defer os.Remove(hostPub)
352 cmd := exec.Command(nebulaCert, "sign",
353 "-ca-crt", filepath.Join(dir, "ca.crt"),
354 "-ca-key", filepath.Join(dir, "ca.key"),
355 "-name", name,
356 "-ip", ip,
357 "-in-pub", hostPub,
358 "-out-crt", filepath.Join(dir, "host.crt"),
359 "-out-qr", filepath.Join(dir, "host.png"))
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]360 if _, err := cmd.CombinedOutput(); err != nil {
361 return err
giolekva4b2934b2021-10-08 19:37:12 +0400[diff] [blame]362 }
363 return nil
364}
365
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]366func generateNodeKey(name, ip, dir, nebulaCert string) error {
367 cmd := exec.Command(nebulaCert, "sign",
368 "-ca-crt", filepath.Join(dir, "ca.crt"),
369 "-ca-key", filepath.Join(dir, "ca.key"),
370 "-name", name,
371 "-ip", ip,
372 "-out-key", filepath.Join(dir, "host.key"),
373 "-out-crt", filepath.Join(dir, "host.crt"),
374 "-out-qr", filepath.Join(dir, "host.png"))
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame]375 if _, err := cmd.CombinedOutput(); err != nil {
376 return err
giolekva5ebab802021-10-07 21:50:34 +0400[diff] [blame]377 }
378 return nil
379}