rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-18 08:06:20 +00:00
Code Issues Releases Wiki Activity

Fix for deleting unused etcd and kubelet certs

Browse Source
This commit is contained in:
XianglongLuo
2019-12-12 14:00:21 +08:00
parent 988160874b
commit 329b6b522e
2 changed files with 174 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
pki/services.go
View File

@@ -6,6 +6,7 @@ import (
"fmt"
"reflect"
"sort"
"strings"
"github.com/rancher/rke/hosts"
"github.com/rancher/rke/log"
@@ -370,7 +371,6 @@ func GenerateEtcdCertificates(ctx context.Context, certs map[string]CertificateP
ips = append(ips, ip.String())
}
sort.Strings(ips)
for _, host := range etcdHosts {
etcdName := GetCrtNameForHost(host, EtcdCertName)
if _, ok := certs[etcdName]; ok && certs[etcdName].CertificatePEM != "" && !rotate {
@@ -403,6 +403,8 @@ func GenerateEtcdCertificates(ctx context.Context, certs map[string]CertificateP
}
certs[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey, nil)
}
log.Debugf(ctx, "Checking and deleting unused etcd certificates, current etcd nodes are: %v", etcdHosts)
deleteUnusedCerts(ctx, certs, EtcdCertName, etcdHosts)
return nil
}
@@ -516,6 +518,8 @@ func GenerateKubeletCertificate(ctx context.Context, certs map[string]Certificat
}
certs[kubeletName] = ToCertObject(kubeletName, "", "", kubeletCrt, kubeletKey, nil)
}
log.Debugf(ctx, "Checking and deleting unused kubelet certificates, current nodes are : %v", allHosts)
deleteUnusedCerts(ctx, certs, KubeletCertName, allHosts)
return nil
}
@@ -555,6 +559,15 @@ func GenerateRKEServicesCerts(ctx context.Context, certs map[string]CertificateP
}
if IsKubeletGenerateServingCertificateEnabledinConfig(&rkeConfig) {
RKECerts = append(RKECerts, GenerateKubeletCertificate)
} else {
//Clean up kubelet certs when GenerateServingCertificate is disabled
log.Infof(ctx, "[certificates] GenerateServingCertificate is disabled, checking if there are unused kubelet certificates")
for k := range certs {
if strings.HasPrefix(k, KubeletCertName) {
log.Infof(ctx, "[certificates] Deleting unused kubelet certificate: %s", k)
delete(certs, k)
}
}
}
for _, gen := range RKECerts {
if err := gen(ctx, certs, rkeConfig, configPath, configDir, rotate); err != nil {
@@ -588,3 +601,21 @@ func GenerateRKEServicesCSRs(ctx context.Context, certs map[string]CertificatePK
}
return nil
}
func deleteUnusedCerts(ctx context.Context, certs map[string]CertificatePKI, certName string, hosts []*hosts.Host) {
log.Infof(ctx, "[certificates] Checking and deleting unused %s certificates", certName)
unusedCerts := make(map[string]bool)
for k := range certs {
if strings.HasPrefix(k, certName) {
unusedCerts[k] = true
}
}
for _, host := range hosts {
Name := GetCrtNameForHost(host, certName)
delete(unusedCerts, Name)
}
for k := range unusedCerts {
log.Infof(ctx, "[certificates] Deleting unused certificate: %s", k)
delete(certs, k)
}
}