Merge pull request #192 from dougbtv/config-cert-ocp-414

OCPBUGS-19860: Multus annotation permissions: Certificate duration should be configurable [backport 4.14]
openshift · Sep 28, 2023 · cc707f6 · cc707f6
2 parents 68180ea + 60d73e9
commit cc707f6
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 8 deletions.
diff --git a/cmd/kubeconfig_generator/main.go b/cmd/kubeconfig_generator/main.go
@@ -23,6 +23,7 @@ import (
 	"os/signal"
 	"syscall"
 	"text/template"
+	"time"
 
 	"github.com/spf13/pflag"
 
@@ -58,6 +59,7 @@ func main() {
 	certDir := pflag.StringP("certdir", "", "/tmp", "specify cert directory")
 	bootstrapConfig := pflag.StringP("bootstrap-config", "", "/tmp/kubeconfig", "specify bootstrap kubernetes config")
 	kubeconfigPath := pflag.StringP("kubeconfig", "", "/run/multus/kubeconfig", "specify output kubeconfig path")
+	certDurationString := pflag.StringP("cert-duration", "", "10m", "specify certificate duration")
 	helpFlag := pflag.BoolP("help", "h", false, "show help message and quit")
 
 	pflag.Parse()
@@ -77,10 +79,14 @@ func main() {
 	if !st.IsDir() {
 		klog.Fatalf("cert directory %q is not directory", *certDir)
 	}
+	certDuration, err := time.ParseDuration(*certDurationString)
+	if err != nil {
+		klog.Fatalf("failed to parse duration %q: %v", *certDurationString, err)
+	}
 
-	nodeName := os.Getenv("K8S_NODE")
+	nodeName := os.Getenv("MULTUS_NODE_NAME")
 	if nodeName == "" {
-		klog.Fatalf("cannot identify node name from K8S_NODE env variables")
+		klog.Fatalf("cannot identify node name from MULTUS_NODE_NAME env variables")
 	}
 
 	// retrieve API server from bootstrapConfig()
@@ -92,7 +98,7 @@ func main() {
 	caData := base64.StdEncoding.EncodeToString(config.CAData)
 
 	// run certManager to create certification
-	if _, err = k8sclient.PerNodeK8sClient(nodeName, *bootstrapConfig, *certDir); err != nil {
+	if _, err = k8sclient.PerNodeK8sClient(nodeName, *bootstrapConfig, certDuration, *certDir); err != nil {
 		klog.Fatalf("failed to start cert manager: %v", err)
 	}
 

diff --git a/pkg/k8sclient/kubeconfig.go b/pkg/k8sclient/kubeconfig.go
@@ -75,7 +75,7 @@ func getPerNodeKubeconfig(bootstrap *rest.Config, certDir string) *rest.Config {
 }
 
 // PerNodeK8sClient creates/reload new multus kubeconfig per-node.
-func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile, certDir string) (*ClientInfo, error) {
+func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile string, certDuration time.Duration, certDir string) (*ClientInfo, error) {
 	bootstrapKubeconfig, err := clientcmd.BuildConfigFromFlags("", bootstrapKubeconfigFile)
 	if err != nil {
 		return nil, logging.Errorf("failed to load bootstrap kubeconfig %s: %v", bootstrapKubeconfigFile, err)
@@ -98,7 +98,6 @@ func PerNodeK8sClient(nodeName, bootstrapKubeconfigFile, certDir string) (*Clien
 		return nil, logging.Errorf("failed to initialize the certificate store: %v", err)
 	}
 
-	certDuration := 10 * time.Minute
 	certManager, err := certificate.NewManager(&certificate.Config{
 		ClientsetFn: newClientsetFn,
 		Template: &x509.CertificateRequest{

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -189,11 +189,20 @@ func NewCNIServer(daemonConfig *ControllerNetConf, serverConfig []byte, ignoreRe
 			return nil, err
 		}
 		perNodeCertConfig := daemonConfig.PerNodeCertificate
-		nodeName := os.Getenv("K8S_NODE")
+		nodeName := os.Getenv("MULTUS_NODE_NAME")
 		if nodeName == "" {
-			return nil, logging.Errorf("error getting node name for perNodeCertificate")
+			return nil, logging.Errorf("error getting node name for perNodeCertificate, please check manifest to have MULTUS_NODE_NAME")
 		}
-		kubeClient, err = k8s.PerNodeK8sClient(nodeName, perNodeCertConfig.BootstrapKubeconfig, perNodeCertConfig.CertDir)
+
+		certDuration := DefaultCertDuration
+		if perNodeCertConfig.CertDuration != "" {
+			certDuration, err = time.ParseDuration(perNodeCertConfig.CertDuration)
+			if err != nil {
+				return nil, logging.Errorf("failed to parse certDuration: %v", err)
+			}
+		}
+
+		kubeClient, err = k8s.PerNodeK8sClient(nodeName, perNodeCertConfig.BootstrapKubeconfig, certDuration, perNodeCertConfig.CertDir)
 		if err != nil {
 			return nil, logging.Errorf("error getting perNodeClient: %v", err)
 		}

diff --git a/pkg/server/types.go b/pkg/server/types.go
@@ -16,6 +16,7 @@ package server
 
 import (
 	"net/http"
+	"time"
 
 	"github.com/containernetworking/cni/pkg/invoke"
 
@@ -34,6 +35,8 @@ const (
 	DefaultMultusDaemonConfigFile = "/etc/cni/net.d/multus.d/daemon-config.json"
 	// DefaultMultusRunDir specifies default RunDir for multus
 	DefaultMultusRunDir = "/run/multus/"
+	// DefaultCertDuration specifies default duration for certs in per-node-certs config
+	DefaultCertDuration = 10 * time.Minute
 )
 
 // Metrics represents server's metrics.
@@ -61,6 +64,7 @@ type PerNodeCertificate struct {
 	Enabled             bool   `json:"enabled,omitempty"`
 	BootstrapKubeconfig string `json:"bootstrapKubeconfig,omitempty"`
 	CertDir             string `json:"certDir,omitempty"`
+	CertDuration        string `json:"certDuration,omitempty"`
 }
 
 // ControllerNetConf for the controller cni configuration