
update yurt-tunnel-server certificate automatically #525

Merged
merged 1 commit into from
Nov 9, 2021

Conversation

YRXING
Member

@YRXING YRXING commented Oct 15, 2021

What type of PR is this?

/kind enhancement
/kind good-first-issue
/kind feature
/kind design

What this PR does / why we need it:

Improve yurt-tunnel-server to automatically update server certificates when the LB service address changes.

Which issue(s) this PR fixes:

Fixes #411

Special notes for your reviewer:

The test is needed.
And is this idea feasible?

Does this PR introduce a user-facing change?


Other Note

@openyurt-bot
Collaborator

@YRXING: GitHub didn't allow me to assign the following users: your_reviewer.

Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide


@openyurt-bot openyurt-bot added the size/L size/L: 100-499 label Oct 15, 2021
@rambohe-ch
Member

@YRXING would you be able to add an e2e test case for server certificate updating?

@rambohe-ch
Member

@YRXING The code is not readable if the server certificate is coupled with IP resolving. How about decoupling the server certificate and IP resolving?

@YRXING YRXING force-pushed the master branch 2 times, most recently from 2a9e9db to 9589f51 on October 27, 2021 02:22
@rambohe-ch
Member

@YRXING please fix e2e test error.

@YRXING YRXING force-pushed the master branch 2 times, most recently from 21efefb to f964d51 on November 5, 2021 01:46
@openyurt-bot openyurt-bot added size/XL size/XL: 500-999 kind/good-first-issue kind/good-first-issue kind/feature kind/feature and removed size/L size/L: 100-499 labels Nov 5, 2021
@YRXING
Member Author

YRXING commented Nov 9, 2021

Here is the yurttunnel-server's log. First, it gets the dnsNames and ips through the api-server directly and generates the certificate. Then it begins to watch the related resources to regenerate the certificate automatically. When I recreate the x-tunnel-server-svc resource, the ip changes, and you can see a new certificate in the directory /var/lib/yurttunnel-server/pki.

I1108 09:56:14.373548 1 start.go:53] yurttunnel-server version: projectinfo.Info{GitVersion:"v0.5.0", GitCommit:"58587a2", BuildDate:"2021-11-08T09:47:55Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
W1108 09:56:14.374525 1 client_config.go:552] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I1108 09:56:14.378621 1 options.go:155] yurttunnel server config: &config.Config{EgressSelectorEnabled:false, EnableIptables:true, EnableDNSController:true, IptablesSyncPeriod:60, DNSSyncPeriod:1800, CertDNSNames:[]string{}, CertIPs:[]net.IP{}, ListenAddrForAgent:"172.18.0.3:10262", ListenAddrForMaster:"172.18.0.3:10263", ListenInsecureAddrForMaster:"172.18.0.3:10264", ListenMetaAddr:"172.18.0.3:10265", RootCert:(*x509.CertPool)(0xc0001b2150), Client:(*kubernetes.Clientset)(0xc00052e2c0), SharedInformerFactory:(*informers.sharedInformerFactory)(0xc000184fa0), ServerCount:1, ProxyStrategy:"destHost", InterceptorServerUDSFile:""}
I1108 09:56:14.379496 1 leaderelection.go:242] attempting to acquire leader lease kube-system/tunnel-dns-controller...
E1108 09:56:14.391434 1 iptables.go:200] failed to delete rule that nat chain OUTPUT jumps to TUNNEL-PORT: error checking rule: exit status 2: iptables v1.6.0: Couldn't load target `TUNNEL-PORT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
I1108 09:56:14.427397 1 leaderelection.go:252] successfully acquired lease kube-system/tunnel-dns-controller
I1108 09:56:14.427772 1 dns.go:197] starting tunnel dns controller
I1108 09:56:14.427798 1 shared_informer.go:223] Waiting for caches to sync for tunnel-dns-controller
I1108 09:56:19.427766 1 certmanager.go:92] subject of tunnel server certificate, ips=[]net.IP{net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x60, 0x24, 0x81}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x7f, 0x0, 0x0, 0x1}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x60, 0x4a, 0x9b}}, dnsNames=[]string{"openyurt-e2e-test-control-plane", "x-tunnel-server-svc", "x-tunnel-server-svc.kube-system", "x-tunnel-server-svc.kube-system.svc", "x-tunnel-server-svc.kube-system.svc.cluster.local", "x-tunnel-server-internal-svc", "x-tunnel-server-internal-svc.kube-system", "x-tunnel-server-internal-svc.kube-system.svc", "x-tunnel-server-internal-svc.kube-system.svc.cluster.local"}
W1108 09:56:19.428083 1 filestore_wrapper.go:49] unexpected error occurred when loading the certificate: no cert/key files read at "/var/lib/yurttunnel-server/pki/yurttunnel-server-current.pem", ("", "") or ("/var/lib/yurttunnel-server/pki", "/var/lib/yurttunnel-server/pki"), will regenerate it
I1108 09:56:19.450782 1 handler.go:140] enqueue service add event for kube-system/x-tunnel-server-internal-svc
I1108 09:56:19.452619 1 handler.go:173] handle configmap add event for kube-system/yurt-tunnel-server-cfg to update localhost ports
I1108 09:56:19.452693 1 handler.go:92] enqueue configmap add event for kube-system/yurt-tunnel-server-cfg
I1108 09:56:19.458894 1 handler.go:42] enqueue node add event for openyurt-e2e-test-worker
I1108 09:56:19.458942 1 handler.go:42] enqueue node add event for openyurt-e2e-test-control-plane
I1108 09:56:19.528734 1 shared_informer.go:230] Caches are synced for tunnel-dns-controller
I1108 09:56:19.600667 1 dns.go:317] sync tunnel server service as whole
I1108 09:56:19.600699 1 dns.go:326] sync dns record as whole
I1108 09:56:19.600891 1 dns.go:326] sync dns record as whole
I1108 09:56:19.733518 1 iptables.go:456] clear conntrack entries for ports ["10250" "10255"] and nodes ["172.18.0.3"]
E1108 09:56:19.741585 1 iptables.go:473] clear conntrack for 172.18.0.3:10250 failed: "conntrack v1.4.4 (conntrack-tools): 0 flow entries have been deleted.\n", error message: exit status 1
E1108 09:56:19.743633 1 iptables.go:473] clear conntrack for 172.18.0.3:10255 failed: "conntrack v1.4.4 (conntrack-tools): 0 flow entries have been deleted.\n", error message: exit status 1
I1108 09:56:19.743688 1 iptables.go:525] directly access nodes changed, [172.18.0.3] for ports [10250 10255]
I1108 09:56:20.608794 1 dns.go:317] sync tunnel server service as whole
I1108 09:56:21.200157 1 handler.go:165] adding node dns record for openyurt-e2e-test-worker
I1108 09:56:21.602066 1 handler.go:165] adding node dns record for openyurt-e2e-test-control-plane
I1108 09:56:24.429200 1 anpserver.go:106] start handling request from interceptor
I1108 09:56:24.429288 1 wraphandler.go:67] add localHostProxyMiddleware into wrap handler
I1108 09:56:24.429446 1 tracereq.go:63] 1 informer synced in traceReqMiddleware
I1108 09:56:24.429479 1 wraphandler.go:67] add TraceReqMiddleware into wrap handler
I1108 09:56:24.429612 1 anpserver.go:142] start handling https request from master at 172.18.0.3:10263
I1108 09:56:24.429945 1 anpserver.go:194] start handling connection from agents
I1108 09:56:24.430119 1 anpserver.go:156] start handling http request from master at 172.18.0.3:10264
I1108 09:56:24.430802 1 util.go:71] "start handling meta requests(metrics/pprof)" server endpoint="172.18.0.3:10265"
I1108 09:56:31.634010 1 server.go:616] "Connect request from agent" agentID="openyurt-e2e-test-worker"
I1108 09:56:31.634097 1 backend_manager.go:184] "Register backend for agent" connection=&agent.agentServiceConnectServer{ServerStream:(*grpc.serverStream)(0xc0001a8240)} agentID="172.18.0.2"
I1108 09:56:31.634137 1 backend_manager.go:184] "Register backend for agent" connection=&agent.agentServiceConnectServer{ServerStream:(*grpc.serverStream)(0xc0001a8240)} agentID="openyurt-e2e-test-worker"
I1108 10:11:32.544041 1 certmanager.go:170] ip changed, the latest tunnel server's ips=[]net.IP{net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x60, 0x4a, 0x9b}}
I1108 10:17:50.520728 1 certmanager.go:170] ip changed, the latest tunnel server's ips=[]net.IP{net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x60, 0xa, 0x27}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0x7f, 0x0, 0x0, 0x1}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}, net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x60, 0x4a, 0x9b}}
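
An added example, not code from this PR or from openyurt, of the decoupling rambohe-ch asked for and the regenerate-on-change behaviour the log above shows: the resolver side only hands over IPs and DNS names, and a separate check decides whether the current serving certificate still covers them before a new one is minted. Function names are my own, and it self-signs where the real server would have the certificate signed by the cluster CA.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// sanKeys canonicalises SANs: ip.String() folds the v4-in-v6 form seen in the log to a dotted quad.
func sanKeys(ips []net.IP, dnsNames []string) map[string]bool {
	m := map[string]bool{}
	for _, ip := range ips {
		m["ip:"+ip.String()] = true
	}
	for _, n := range dnsNames {
		m["dns:"+n] = true
	}
	return m
}
// Covers reports whether cert already lists every resolved IP and DNS SAN (if not, regenerate).
func Covers(cert *x509.Certificate, ips []net.IP, dnsNames []string) bool {
	have := sanKeys(cert.IPAddresses, cert.DNSNames)
	for k := range sanKeys(ips, dnsNames) {
		if !have[k] {
			return false
		}
	}
	return true
}
// MintServingCert issues a self-signed serving cert; a real deployment would sign with the cluster CA.
func MintServingCert(ips []net.IP, dnsNames []string, ttl time.Duration) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Comparing by canonical string matters because the resolved IPs arrive in 16-byte v4-in-v6 form (as printed in the log) while parsed certificate SANs are 4-byte, so a raw byte comparison would trigger a needless regeneration on every sync. A production manager would also re-mint when NotAfter approaches.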

@rambohe-ch
Member

/lgtm
/approve

@openyurt-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rambohe-ch, YRXING


@openyurt-bot openyurt-bot merged commit f4df656 into openyurtio:master Nov 9, 2021
MrGirl pushed a commit to MrGirl/openyurt that referenced this pull request Mar 29, 2022