Add restart components to custom certs

2025-05-13 10:54:34 +00:00 · 2019-01-14 19:51:20 +02:00 · 2019-01-14 19:51:20 +02:00 · 82fa8d6305
commit 82fa8d6305
parent 6d36ba86e9
14 changed files with 103 additions and 18 deletions
--- a/cluster/hosts.go
+++ b/cluster/hosts.go
@ -118,9 +118,13 @@ func (c *Cluster) InvertIndexHosts() error {
 	return nil
 }

-func (c *Cluster) SetUpHosts(ctx context.Context, rotateCerts bool) error {
+func (c *Cluster) SetUpHosts(ctx context.Context, flags ExternalFlags) error {
 	if c.AuthnStrategies[AuthnX509Provider] {
 		log.Infof(ctx, "[certificates] Deploying kubernetes certificates to Cluster nodes")
+		forceDeploy := false
+		if flags.CustomCerts || c.RancherKubernetesEngineConfig.RotateCertificates != nil {
+			forceDeploy = true
+		}
 		hostList := hosts.GetUniqueHostList(c.EtcdHosts, c.ControlPlaneHosts, c.WorkerHosts)
 		var errgrp errgroup.Group

@ -129,7 +133,7 @@ func (c *Cluster) SetUpHosts(ctx context.Context, rotateCerts bool) error {
 			errgrp.Go(func() error {
 				var errList []error
 				for host := range hostsQueue {
-					err := pki.DeployCertificatesOnPlaneHost(ctx, host.(*hosts.Host), c.RancherKubernetesEngineConfig, c.Certificates, c.SystemImages.CertDownloader, c.PrivateRegistriesMap, rotateCerts)
+					err := pki.DeployCertificatesOnPlaneHost(ctx, host.(*hosts.Host), c.RancherKubernetesEngineConfig, c.Certificates, c.SystemImages.CertDownloader, c.PrivateRegistriesMap, forceDeploy)
 					if err != nil {
 						errList = append(errList, err)
 					}
--- a/cluster/reconcile.go
+++ b/cluster/reconcile.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"

+	"github.com/rancher/rke/docker"
 	"github.com/rancher/rke/hosts"
 	"github.com/rancher/rke/k8s"
 	"github.com/rancher/rke/log"
@ -47,6 +48,12 @@ func ReconcileCluster(ctx context.Context, kubeCluster, currentCluster *Cluster,
 	if err := reconcileControl(ctx, currentCluster, kubeCluster, kubeClient); err != nil {
 		return err
 	}
+	if flags.CustomCerts {
+		if err := restartComponentsWhenCertChanges(ctx, currentCluster, kubeCluster); err != nil {
+			return err
+		}
+	}
+
 	log.Infof(ctx, "[reconcile] Reconciled cluster state successfully")
 	return nil
 }
@ -243,3 +250,75 @@ func cleanControlNode(ctx context.Context, kubeCluster, currentCluster *Cluster,
 	}
 	return nil
 }
+
+func restartComponentsWhenCertChanges(ctx context.Context, currentCluster, kubeCluster *Cluster) error {
+	AllCertsMap := map[string]bool{
+		pki.KubeAPICertName:            false,
+		pki.RequestHeaderCACertName:    false,
+		pki.CACertName:                 false,
+		pki.ServiceAccountTokenKeyName: false,
+		pki.APIProxyClientCertName:     false,
+		pki.KubeControllerCertName:     false,
+		pki.KubeSchedulerCertName:      false,
+		pki.KubeProxyCertName:          false,
+		pki.KubeNodeCertName:           false,
+	}
+	checkCertificateChanges(ctx, currentCluster, kubeCluster, AllCertsMap)
+	// check Restart Function
+	allHosts := hosts.GetUniqueHostList(kubeCluster.EtcdHosts, kubeCluster.ControlPlaneHosts, kubeCluster.WorkerHosts)
+	AllCertsFuncMap := map[string][]services.RestartFunc{
+		pki.CACertName:                 []services.RestartFunc{services.RestartKubeAPI, services.RestartKubeController, services.RestartKubelet},
+		pki.KubeAPICertName:            []services.RestartFunc{services.RestartKubeAPI, services.RestartKubeController},
+		pki.RequestHeaderCACertName:    []services.RestartFunc{services.RestartKubeAPI},
+		pki.ServiceAccountTokenKeyName: []services.RestartFunc{services.RestartKubeAPI, services.RestartKubeController},
+		pki.APIProxyClientCertName:     []services.RestartFunc{services.RestartKubeAPI},
+		pki.KubeControllerCertName:     []services.RestartFunc{services.RestartKubeController},
+		pki.KubeSchedulerCertName:      []services.RestartFunc{services.RestartScheduler},
+		pki.KubeProxyCertName:          []services.RestartFunc{services.RestartKubeproxy},
+		pki.KubeNodeCertName:           []services.RestartFunc{services.RestartKubelet},
+	}
+	for certName, changed := range AllCertsMap {
+		if changed {
+			for _, host := range allHosts {
+				runRestartFuncs(ctx, AllCertsFuncMap, certName, host)
+			}
+		}
+	}
+
+	for _, host := range kubeCluster.EtcdHosts {
+		etcdCertName := pki.GetEtcdCrtName(host.Address)
+		certMap := map[string]bool{
+			etcdCertName: false,
+		}
+		checkCertificateChanges(ctx, currentCluster, kubeCluster, certMap)
+		if certMap[etcdCertName] || AllCertsMap[pki.CACertName] {
+			if err := docker.DoRestartContainer(ctx, host.DClient, services.EtcdContainerName, host.HostnameOverride); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func runRestartFuncs(ctx context.Context, certFuncMap map[string][]services.RestartFunc, certName string, host *hosts.Host) error {
+	for _, restartFunc := range certFuncMap[certName] {
+		if err := restartFunc(ctx, host); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkCertificateChanges(ctx context.Context, currentCluster, kubeCluster *Cluster, certMap map[string]bool) {
+	for certName := range certMap {
+		if currentCluster.Certificates[certName].CertificatePEM != kubeCluster.Certificates[certName].CertificatePEM {
+			certMap[certName] = true
+			continue
+		}
+		if !(certName == pki.RequestHeaderCACertName || certName == pki.CACertName) {
+			if currentCluster.Certificates[certName].KeyPEM != kubeCluster.Certificates[certName].KeyPEM {
+				certMap[certName] = true
+			}
+		}
+	}
+}
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -154,7 +154,7 @@ func rebuildClusterWithRotatedCertificates(ctx context.Context,
 	clientKey = string(cert.EncodePrivateKeyPEM(kubeCluster.Certificates[pki.KubeAdminCertName].Key))
 	caCrt = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.CACertName].Certificate))

-	if err := kubeCluster.SetUpHosts(ctx, true); err != nil {
+	if err := kubeCluster.SetUpHosts(ctx, flags); err != nil {
 		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}
 	// Save new State
--- a/cmd/up.go
+++ b/cmd/up.go
@ -161,7 +161,7 @@ func ClusterUp(ctx context.Context, dialersOptions hosts.DialersOptions, flags c
 	caCrt = string(cert.EncodeCertPEM(kubeCluster.Certificates[pki.CACertName].Certificate))

 	// moved deploying certs before reconcile to remove all unneeded certs generation from reconcile
-	err = kubeCluster.SetUpHosts(ctx, false)
+	err = kubeCluster.SetUpHosts(ctx, flags)
 	if err != nil {
 		return APIURL, caCrt, clientCert, clientKey, nil, err
 	}
--- a/pki/deploy.go
+++ b/pki/deploy.go
@ -21,13 +21,13 @@ const (
 	StateDeployerContainerName = "cluster-state-deployer"
 )

-func DeployCertificatesOnPlaneHost(ctx context.Context, host *hosts.Host, rkeConfig v3.RancherKubernetesEngineConfig, crtMap map[string]CertificatePKI, certDownloaderImage string, prsMap map[string]v3.PrivateRegistry, rotateCerts bool) error {
+func DeployCertificatesOnPlaneHost(ctx context.Context, host *hosts.Host, rkeConfig v3.RancherKubernetesEngineConfig, crtMap map[string]CertificatePKI, certDownloaderImage string, prsMap map[string]v3.PrivateRegistry, forceDeploy bool) error {
 	crtBundle := GenerateRKENodeCerts(ctx, rkeConfig, host.Address, crtMap)
 	env := []string{}
 	for _, crt := range crtBundle {
 		env = append(env, crt.ToEnv()...)
 	}
-	if rotateCerts {
+	if forceDeploy {
 		env = append(env, "FORCE_DEPLOY=true")
 	}
 	return doRunDeployer(ctx, host, env, certDownloaderImage, prsMap)
--- a/services/controlplane.go
+++ b/services/controlplane.go
@ -93,17 +93,17 @@ func RestartControlPlane(ctx context.Context, controlHosts []*hosts.Host) error
 			for host := range hostsQueue {
 				runHost := host.(*hosts.Host)
 				// restart KubeAPI
-				if err := restartKubeAPI(ctx, runHost); err != nil {
+				if err := RestartKubeAPI(ctx, runHost); err != nil {
 					errList = append(errList, err)
 				}

 				// restart KubeController
-				if err := restartKubeController(ctx, runHost); err != nil {
+				if err := RestartKubeController(ctx, runHost); err != nil {
 					errList = append(errList, err)
 				}

 				// restart scheduler
-				err := restartScheduler(ctx, runHost)
+				err := RestartScheduler(ctx, runHost)
 				if err != nil {
 					errList = append(errList, err)
 				}
--- a/services/kubeapi.go
+++ b/services/kubeapi.go
@ -25,6 +25,6 @@ func removeKubeAPI(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, KubeAPIContainerName, host.Address)
 }

-func restartKubeAPI(ctx context.Context, host *hosts.Host) error {
+func RestartKubeAPI(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, KubeAPIContainerName, host.Address)
 }
--- a/services/kubecontroller.go
+++ b/services/kubecontroller.go
@ -23,6 +23,6 @@ func removeKubeController(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, KubeControllerContainerName, host.Address)
 }

-func restartKubeController(ctx context.Context, host *hosts.Host) error {
+func RestartKubeController(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, KubeControllerContainerName, host.Address)
 }
--- a/services/kubelet.go
+++ b/services/kubelet.go
@ -24,6 +24,6 @@ func removeKubelet(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, KubeletContainerName, host.Address)
 }

-func restartKubelet(ctx context.Context, host *hosts.Host) error {
+func RestartKubelet(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, KubeletContainerName, host.Address)
 }
--- a/services/kubeproxy.go
+++ b/services/kubeproxy.go
@ -23,6 +23,6 @@ func removeKubeproxy(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, KubeproxyContainerName, host.Address)
 }

-func restartKubeproxy(ctx context.Context, host *hosts.Host) error {
+func RestartKubeproxy(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, KubeproxyContainerName, host.Address)
 }
--- a/services/proxy.go
+++ b/services/proxy.go
@ -25,6 +25,6 @@ func removeNginxProxy(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, NginxProxyContainerName, host.Address)
 }

-func restartNginxProxy(ctx context.Context, host *hosts.Host) error {
+func RestartNginxProxy(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, NginxProxyContainerName, host.Address)
 }
--- a/services/scheduler.go
+++ b/services/scheduler.go
@ -23,6 +23,6 @@ func removeScheduler(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRemoveContainer(ctx, host.DClient, SchedulerContainerName, host.Address)
 }

-func restartScheduler(ctx context.Context, host *hosts.Host) error {
+func RestartScheduler(ctx context.Context, host *hosts.Host) error {
 	return docker.DoRestartContainer(ctx, host.DClient, SchedulerContainerName, host.Address)
 }
--- a/services/services.go
+++ b/services/services.go
@ -47,6 +47,8 @@ const (
 	WorkerThreads = util.WorkerThreads
 )

+type RestartFunc func(context.Context, *hosts.Host) error
+
 func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process) error {
 	isRunning, err := docker.IsContainerRunning(ctx, host.DClient, host.Address, SidekickContainerName, true)
 	if err != nil {
--- a/services/workerplane.go
+++ b/services/workerplane.go
@ -109,13 +109,13 @@ func RestartWorkerPlane(ctx context.Context, workerHosts []*hosts.Host) error {
 			var errList []error
 			for host := range hostsQueue {
 				runHost := host.(*hosts.Host)
-				if err := restartKubelet(ctx, runHost); err != nil {
+				if err := RestartKubelet(ctx, runHost); err != nil {
 					errList = append(errList, err)
 				}
-				if err := restartKubeproxy(ctx, runHost); err != nil {
+				if err := RestartKubeproxy(ctx, runHost); err != nil {
 					errList = append(errList, err)
 				}
-				if err := restartNginxProxy(ctx, runHost); err != nil {
+				if err := RestartNginxProxy(ctx, runHost); err != nil {
 					errList = append(errList, err)
 				}
 			}