Run node certificate manager in hybrid overlay

hybrid-overlay-node runs on windows nodes and should be able to set the same annotations as ovnkube-node. Signed-off-by: Patryk Diak <pdiak@redhat.com>
ovn-org · Sep 29, 2023 · ac329f8 · ac329f8
1 parent e79fdd9
commit ac329f8
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 11 deletions.
diff --git a/go-controller/cmd/ovnkube/ovnkube.go b/go-controller/cmd/ovnkube/ovnkube.go
@@ -278,7 +278,7 @@ func startOvnKube(ctx *cli.Context, cancel context.CancelFunc) error {
 	}()
 
 	if config.Kubernetes.BootstrapKubeconfig != "" {
-		if err := util.StartNodeCertificateManager(ctx.Context, ovnKubeStartWg, &config.Kubernetes); err != nil {
+		if err := util.StartNodeCertificateManager(ctx.Context, ovnKubeStartWg, os.Getenv("K8S_NODE"), &config.Kubernetes); err != nil {
 			return fmt.Errorf("failed to start the node certificate manager: %w", err)
 		}
 	}

diff --git a/go-controller/hybrid-overlay/cmd/hybrid-overlay-node/hybrid-overlay-node.go b/go-controller/hybrid-overlay/cmd/hybrid-overlay-node/hybrid-overlay-node.go
@@ -9,6 +9,7 @@ import (
 	"syscall"
 
 	"github.com/urfave/cli/v2"
+	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/ovn-org/ovn-kubernetes/go-controller/hybrid-overlay/pkg/controller"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
@@ -99,7 +100,29 @@ func runHybridOverlay(ctx *cli.Context) error {
 		return fmt.Errorf("missing node name; use the 'node' flag to provide one")
 	}
 
-	clientset, err := util.NewKubernetesClientset(&config.Kubernetes)
+	wg := &sync.WaitGroup{}
+	clientCfg := config.Kubernetes
+	if config.Kubernetes.BootstrapKubeconfig != "" {
+		if err := util.StartNodeCertificateManager(ctx.Context, wg, nodeName, &config.Kubernetes); err != nil {
+			return fmt.Errorf("failed to start the node certificate manager: %w", err)
+		}
+
+		bootstrapConfig, err := clientcmd.BuildConfigFromFlags("", config.Kubernetes.BootstrapKubeconfig)
+		if err != nil {
+			return err
+		}
+		// Copy the APIServer and CAData from the bootstrap kubeconfig
+		clientCfg.APIServer = bootstrapConfig.Host
+		clientCfg.CAData = bootstrapConfig.CAData
+		if bootstrapConfig.CAFile != "" {
+			bytes, err := os.ReadFile(bootstrapConfig.CAFile)
+			if err != nil {
+				return err
+			}
+			clientCfg.CAData = bytes
+		}
+	}
+	clientset, err := util.NewKubernetesClientset(&clientCfg)
 	if err != nil {
 		return err
 	}
@@ -121,7 +144,6 @@ func runHybridOverlay(ctx *cli.Context) error {
 	}
 
 	f.Start(stopChan)
-	wg := &sync.WaitGroup{}
 	wg.Add(1)
 	go func() {
 		defer wg.Done()

diff --git a/go-controller/pkg/util/kube.go b/go-controller/pkg/util/kube.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -208,8 +207,8 @@ func newKubernetesRestConfig(conf *config.KubernetesConfig) (*rest.Config, error
 		// uses the current context in kubeconfig
 		kconfig, err = clientcmd.BuildConfigFromFlags("", conf.Kubeconfig)
 	} else if strings.HasPrefix(conf.APIServer, "https") {
-		if conf.Token == "" || len(conf.CAData) == 0 {
-			return nil, fmt.Errorf("TLS-secured apiservers require token and CA certificate")
+		if (conf.Token == "" && conf.CertDir == "") || len(conf.CAData) == 0 {
+			return nil, fmt.Errorf("TLS-secured apiservers require token/cert and CA certificate")
 		}
 		if _, err := cert.NewPoolFromBytes(conf.CAData); err != nil {
 			return nil, err
@@ -224,8 +223,8 @@ func newKubernetesRestConfig(conf *config.KubernetesConfig) (*rest.Config, error
 			kconfig = &rest.Config{
 				Host: conf.APIServer,
 				TLSClientConfig: rest.TLSClientConfig{
-					KeyFile:  path.Join(conf.CertDir, certNamePrefix+"-current.pem"),
-					CertFile: path.Join(conf.CertDir, certNamePrefix+"-current.pem"),
+					KeyFile:  filepath.Join(conf.CertDir, certNamePrefix+"-current.pem"),
+					CertFile: filepath.Join(conf.CertDir, certNamePrefix+"-current.pem"),
 					CAData:   conf.CAData,
 				},
 			}
@@ -254,10 +253,9 @@ func newKubernetesRestConfig(conf *config.KubernetesConfig) (*rest.Config, error
 // StartNodeCertificateManager manages the creation and rotation of the node-specific client certificate.
 // When there is no existing certificate, it will use the BootstrapKubeconfig kubeconfig to create a CSR and it will
 // wait for the certificate before returning.
-func StartNodeCertificateManager(ctx context.Context, wg *sync.WaitGroup, conf *config.KubernetesConfig) error {
-	nodeName := os.Getenv("K8S_NODE")
+func StartNodeCertificateManager(ctx context.Context, wg *sync.WaitGroup, nodeName string, conf *config.KubernetesConfig) error {
 	if nodeName == "" {
-		return fmt.Errorf("failed to get the node name required for the certificate from K8S_NODE env")
+		return fmt.Errorf("the provided node name cannot be empty")
 	}
 	defaultKConfig, err := newKubernetesRestConfig(conf)
 	if err != nil {