Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support pass bootstrap-file to yurthub #1333

Merged
merged 1 commit into from
Mar 28, 2023
Merged

support pass bootstrap-file to yurthub #1333

merged 1 commit into from
Mar 28, 2023

Conversation

rambohe-ch
Copy link
Member

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:
/kind bug
/kind documentation
/kind enhancement
/kind good-first-issue
/kind feature
/kind question
/kind design
/sig ai
/sig iot
/sig network
/sig storage

/kind feature

What this PR does / why we need it:

  1. support pass bootstrap file instead of join token for bootstrapping yurthub in order to improve security of yurthub. so yurtadm join will not leave bootstrap token on the edge node.
  2. parameter --join-token is deprecated in yurthub, and plan to remove in OpenYurt version v1.5.
  3. add /v1/readyz endpoint for yurthub, add used by yurtadm command to check certificates are ready or not.

Which issue(s) this PR fixes:

Fixes #1290

Special notes for your reviewer:

Does this PR introduce a user-facing change?

other Note

@openyurt-bot
Copy link
Collaborator

@rambohe-ch: GitHub didn't allow me to assign the following users: your_reviewer.

Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:
/kind bug
/kind documentation
/kind enhancement
/kind good-first-issue
/kind feature
/kind question
/kind design
/sig ai
/sig iot
/sig network
/sig storage

/kind feature

What this PR does / why we need it:

  1. support pass bootstrap file instead of join token for bootstrapping yurthub in order to improve security of yurthub. so yurtadm join will not leave bootstrap token on the edge node.
  2. parameter --join-token is deprecated in yurthub, and plan to remove in OpenYurt version v1.5.
  3. add /v1/readyz endpoint for yurthub, add used by yurtadm command to check certificates are ready or not.

Which issue(s) this PR fixes:

Fixes #1290

Special notes for your reviewer:

Does this PR introduce a user-facing change?

other Note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openyurt-bot openyurt-bot added the kind/feature kind/feature label Mar 27, 2023
@openyurt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rambohe-ch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openyurt-bot openyurt-bot added approved approved size/M size/M: 30-99 labels Mar 27, 2023
@rambohe-ch
Copy link
Member Author

@YTGhost PTAL

@sonarcloud
Copy link

sonarcloud bot commented Mar 27, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

No Coverage information No Coverage information
2.0% 2.0% Duplication

@github-advanced-security
Copy link

You have successfully added a new Trivy configuration .github/workflows/trivy-scan.yml:images/target:yurt-manager. As part of the setup process, we have scanned this repository and found 2 existing alerts. Please check the repository Security tab to see all alerts.

@github-advanced-security
Copy link

You have successfully added a new Trivy configuration .github/workflows/trivy-scan.yml:images/target:yurthub. As part of the setup process, we have scanned this repository and found 2 existing alerts. Please check the repository Security tab to see all alerts.

@github-advanced-security
Copy link

You have successfully added a new Trivy configuration .github/workflows/trivy-scan.yml:images/target:node-servant. As part of the setup process, we have scanned this repository and found 2 existing alerts. Please check the repository Security tab to see all alerts.

@codecov
Copy link

codecov bot commented Mar 27, 2023

Codecov Report

Merging #1333 (8aa60fe) into master (9d0f316) will decrease coverage by 0.19%.
The diff coverage is 20.31%.

@@            Coverage Diff             @@
##           master    #1333      +/-   ##
==========================================
- Coverage   53.28%   53.10%   -0.19%     
==========================================
  Files         102      102              
  Lines       12776    12833      +57     
==========================================
+ Hits         6808     6815       +7     
- Misses       5413     5461      +48     
- Partials      555      557       +2
Flag Coverage Δ
unittests 53.10% <20.31%> (-0.19%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/yurthub/server/server.go 0.00% <0.00%> (ø)
pkg/yurthub/certificate/token/token.go 57.00% <14.58%> (-7.81%) ⬇️
cmd/yurthub/app/config/config.go 53.25% <100.00%> (+0.17%) ⬆️
cmd/yurthub/app/options/options.go 94.67% <100.00%> (+0.06%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

YTGhost
YTGhost reviewed Mar 27, 2023
View reviewed changes
pkg/yurthub/certificate/token/token.go
Comment on lines 330 to +333
func (ycm *yurtHubCertManager) getBootstrapConfFile() string {
if len(ycm.bootstrapFile) != 0 {
return ycm.bootstrapFile
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generateCertClientFn will invoke getBootstrapConfFile() function, dose it work well if yurthub restart and bootstrap file doesn't exist?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, we need to use bootstrap file to apply certificates when certificates expired, so getBootstrapConfFile() is used in generateCertClientFn, and yurthub will always wait for bootstrap file until it is prepared by yurtadm renew certificate command.

@rambohe-ch rambohe-ch mentioned this pull request Mar 28, 2023
Merged
@YTGhost
Copy link
Member

YTGhost commented Mar 28, 2023

/lgtm

@openyurt-bot openyurt-bot added the lgtm lgtm label Mar 28, 2023
@openyurt-bot openyurt-bot merged commit 6c3cb34 into openyurtio:master Mar 28, 2023
@open-digger-bot open-digger-bot bot mentioned this pull request Mar 29, 2023
Closed
JameKeal pushed a commit to JameKeal/openyurt that referenced this pull request Apr 4, 2023
@rambohe-ch @JameKeal
support pass bootstrap-file to yurthub (openyurtio#1333)
5e6bd7f
@rambohe-ch rambohe-ch modified the milestone: controlplane-v1.3 Apr 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YTGhost YTGhost YTGhost left review comments

@SataQiu SataQiu Awaiting requested review from SataQiu

Assignees

@YTGhost YTGhost

Labels
approved approved kind/feature kind/feature lgtm lgtm size/M size/M: 30-99
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[feature request]improve bootstrap configuration for YurtHub
3 participants
@rambohe-ch @openyurt-bot @YTGhost