[release-1.24] Backports for 2023-07 release #7910

Merged
14 changes: 14 additions & 0 deletions pkg/agent/config/config.go
Expand Up @@ -139,6 +139,20 @@ func getNodeNamedCrt(nodeName string, nodeIPs []net.IP, nodePasswordFile string)
}
defer resp.Body.Close()

// If we got a 401 Unauthorized response when using client certs, try again without client cert auth.
// This allows us to fall back from node identity to token when the node resource is deleted.
if resp.StatusCode == http.StatusUnauthorized {
if transport, ok := client.Transport.(*http.Transport); ok && transport.TLSClientConfig != nil && len(transport.TLSClientConfig.Certificates) != 0 {
logrus.Infof("Node authorization rejected, retrying without client certificate authentication")
transport.TLSClientConfig.Certificates = []tls.Certificate{}
resp, err = client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
}
}

if resp.StatusCode == http.StatusForbidden {
return nil, fmt.Errorf("Node password rejected, duplicate hostname or contents of '%s' may not match server node-passwd entry, try enabling a unique node name with the --with-node-id flag", nodePasswordFile)
}
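Review bot: The retry at `resp, err = client.Do(req)` can still be served by an idle TLS connection the transport already negotiated with the client certificate, because clearing `transport.TLSClientConfig.Certificates` only affects handshakes that happen after the change; add `transport.CloseIdleConnections()` immediately after the assignment so the fallback request actually opens a fresh, certificate-less session. The assignment also mutates the transport in place, so every later request through this client (presumably the token-authenticated path, the client's construction is outside the hunk) runs without the certificate as well — worth stating in the comment, e.g. `// Clearing the certificates is persistent for this client; all later requests use token auth only.` The first `defer resp.Body.Close()` was bound to the original body before the reassignment, so both bodies are closed, though draining the first body before the retry would let its connection be reused. getNodeNamedCrt begins before and continues after this hunk.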
5 changes: 5 additions & 0 deletions pkg/cli/cmds/certs.go
Expand Up @@ -35,6 +35,11 @@ var (
Value: "https://127.0.0.1:6443",
Destination: &ServerConfig.ServerURL,
},
cli.StringFlag{
Name: "data-dir,d",
Usage: "(data) Folder to hold state default /var/lib/rancher/" + version.Program + " or ${HOME}/.rancher/" + version.Program + " if not root",
Destination: &ServerConfig.DataDir,
},
cli.StringFlag{
Name: "path",
Usage: "Path to directory containing new CA certificates",
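Review bot: The new `data-dir,d` flag declares no `Value:`, so `ServerConfig.DataDir` is empty when the flag is omitted and the `/var/lib/rancher/...` default named in its Usage text has to be resolved by the command itself, which is outside this hunk; a short comment at the declaration, e.g. `// No Value: the default is resolved at runtime from the effective uid by the command.`, would stop a reader from taking this as a missing default. If the neighbouring flags in this `var (` block carry an `EnvVar`, this one presumably should too for consistency, but the block's header is above the hunk so that cannot be confirmed here.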
4 changes: 2 additions & 2 deletions pkg/clientaccess/token.go
Expand Up @@ -367,7 +367,7 @@ func getCACerts(u url.URL) ([]byte, error) {
return cacerts, nil
}

// get makes a request to a url using a provided client, username, and password,
// get makes a request to a url using a provided client and credentials,
// returning the response body.
func get(u string, client *http.Client, username, password, token string) ([]byte, error) {
req, err := http.NewRequest(http.MethodGet, u, nil)
Expand All @@ -394,7 +394,7 @@ func get(u string, client *http.Client, username, password, token string) ([]byt
return io.ReadAll(resp.Body)
}

// put makes a request to a url using a provided client, username, and password
// put makes a request to a url using a provided client and credentials,
// only an error is returned
func put(u string, body []byte, client *http.Client, username, password, token string) error {
req, err := http.NewRequest(http.MethodPut, u, bytes.NewBuffer(body))