v2.2.10

分支 (545)

标签 (1936)

管理

管理

master

main

release/v2.9

fix/v2.9/42823

release/v2.8

release/v2.7

fix/42823

v2.9.2-hotfix-tigeraoperator-conflict

v2.8.9-hotfix-test-cve-monitoring

v2.7.16-hotfix-test-cve-monitoring

v2.8-define-artifacts-to-upload

v2.9.2-hotfix-metrics-downstream-network

v2.9.2-hotfix-downstream-caches-reduction

v2.8-self-hosted-runners

v2.9.2-hotfix-transport-leak

v2.8.5-hotfix-tigeraoperator-conflict

markus/temp-remove-rsa

fix/42788-v2.9

fix/42788

backport-userretention-to-v2.8

v2.9.3-alpha4

v2.10.0-alpha2

v2.8.9-alpha9

v2.9.2-hotfix-ch-2-efe7cd186

v2.10.0-alpha1

v2.7.16-alpha3

v2.7.16-alpha4

v2.8.9-alpha8

v2.8.9-alpha7

v2.9.3-alpha3

v2.9.3-alpha2

v2.9.3-alpha1

v2.8.9-alpha6

v2.8.9-alpha5

v2.8.9-alpha4

v2.8.9-alpha3

v2.8.9-alpha2

v2.8.9-alpha1

v2.9.2-hotfix-ch-1-77f48fb9f

v2.9.2-hotfix-ch-2-3778e74e6

rancher
/
pkg
/
controllers
/
user
/
certsexpiration
/
certsexpiration.go

package certsexpiration

import (
	"context"
	"encoding/json"
	"reflect"
	"strings"
	"time"

	"github.com/rancher/kontainer-engine/cluster"
	"github.com/rancher/rancher/pkg/controllers/management/clusterprovisioner"
	rkecluster "github.com/rancher/rke/cluster"
	"github.com/rancher/rke/pki"
	v1 "github.com/rancher/types/apis/core/v1"
	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
	"github.com/rancher/types/config"
	"github.com/sirupsen/logrus"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/util/cert"
)

type Controller struct {
	ClusterName   string
	ClusterLister v3.ClusterLister
	ClusterClient v3.ClusterInterface
	ClusterStore  cluster.PersistentStore
	SecretLister  v1.SecretLister
}

func Register(ctx context.Context, userContext *config.UserContext) {
	c := &Controller{
		ClusterName:   userContext.ClusterName,
		ClusterLister: userContext.Management.Management.Clusters("").Controller().Lister(),
		ClusterClient: userContext.Management.Management.Clusters(""),
		ClusterStore:  clusterprovisioner.NewPersistentStore(userContext.Management.Core.Namespaces(""), userContext.Management.Core),
		SecretLister:  userContext.Core.Secrets("").Controller().Lister(),
	}

	userContext.Management.Management.Clusters("").AddHandler(ctx, "certificate-expiration", c.sync)
}

func (c Controller) sync(key string, cluster *v3.Cluster) (runtime.Object, error) {
	if key == "" || cluster == nil || cluster.DeletionTimestamp != nil || cluster.Name != c.ClusterName {
		return cluster, nil
	}

	if cluster.Spec.RancherKubernetesEngineConfig == nil {
		return cluster, nil
	}
	certsExpInfo := map[string]v3.CertExpiration{}

	cluster, err := c.ClusterLister.Get("", key)
	if err != nil {
		return cluster, err
	}
	certBundle, err := c.getClusterCertificateBundle(cluster.Name)
	if err != nil {
		return cluster, err
	}
	for certName, certObj := range certBundle {
		info, err := getCertExpiration(certObj.CertificatePEM)
		if err != nil {
			logrus.Debugf("failed to get expiration date for certificate [%s] for cluster [%s]:%v", certName, key, err)
			continue
		}
		certsExpInfo[certName] = info
	}
	if !reflect.DeepEqual(cluster.Status.CertificatesExpiration, certsExpInfo) {
		toUpdate := cluster.DeepCopy()
		toUpdate.Status.CertificatesExpiration = certsExpInfo
		return c.ClusterClient.Update(toUpdate)
	}
	return cluster, nil

}

func (c Controller) getClusterCertificateBundle(clusterName string) (map[string]pki.CertificatePKI, error) {
	// cluster has a state file ?
	currentState, err := getRKECurrentStateFromStore(c.ClusterStore, clusterName)
	if err != nil {
		return nil, err
	}
	if currentState != nil {
		cleanCertificateBundle(currentState.CertificatesBundle)
		return currentState.CertificatesBundle, nil
	}

	// No state file, let's try get the certs from the user cluster
	certs, err := c.getCertsFromUserCluster()
	if err != nil {
		return nil, err
	}
	cleanCertificateBundle(certs)
	return certs, nil
}

func getRKECurrentStateFromStore(store cluster.PersistentStore, clusterName string) (*rkecluster.State, error) {
	cluster, err := store.Get(clusterName)
	if err != nil {
		return nil, err
	}
	var fullState rkecluster.FullState
	stateStr, ok := cluster.Metadata["fullState"]
	if !ok {
		return nil, nil
	}
	err = json.Unmarshal([]byte(stateStr), &fullState)
	if err != nil {
		return nil, err
	}
	return &fullState.CurrentState, nil
}

func (c Controller) getCertsFromUserCluster() (map[string]pki.CertificatePKI, error) {
	certs := map[string]pki.CertificatePKI{}
	secrets, err := c.SecretLister.List("kube-system", labels.Everything())
	if err != nil {
		return nil, err
	}
	for _, secret := range secrets {
		if strings.HasPrefix(secret.GetName(), "kube-") &&
			secret.Type == corev1.SecretTypeOpaque {
			cert, ok := secret.Data["Certificate"]
			if !ok {
				logrus.Debugf("secret [%s] for cluster [%s] doesn't contain a certificate", secret.GetName(), c.ClusterName)
				continue
			}
			certs[secret.GetName()] = pki.CertificatePKI{CertificatePEM: string(cert)}
		}
	}
	return certs, nil
}

func cleanCertificateBundle(certs map[string]pki.CertificatePKI) {
	for name := range certs {
		if strings.Contains(name, "client") ||
			strings.Contains(name, "token") ||
			strings.Contains(name, "header") ||
			strings.Contains(name, "admin") {
			delete(certs, name)
		}
	}
}

func getCertificateExpDate(c string) (*time.Time, error) {
	certs, err := cert.ParseCertsPEM([]byte(c))
	if err != nil {
		return nil, err
	}
	return &certs[0].NotAfter, nil
}

func getCertExpiration(c string) (v3.CertExpiration, error) {
	date, err := getCertificateExpDate(c)
	if err != nil {
		return v3.CertExpiration{}, err
	}
	return v3.CertExpiration{
		ExpirationDate: date.Format(time.RFC3339),
	}, nil
}