SDS Server

多集群证书管理

初始化SDS Server

s.initSDSServer(args)

func (s *Server) initSDSServer(args *PilotArgs) {
    if s.kubeClient != nil {
        // 是否校验客户端身份
        if !features.EnableXDSIdentityCheck {
            // Make sure we have security
            log.Warnf("skipping Kubernetes credential reader; PILOT_ENABLE_XDS_IDENTITY_CHECK must be set to true for this feature.")
        } else {
            // 多集群初始化
            sc := kubesecrets.NewMulticluster(s.kubeClient, s.clusterID, args.RegistryOptions.ClusterRegistriesNamespace, make(chan struct{}))
            // 添加事件处理器，当有变化则推送XDS
            sc.AddEventHandler(func(name, namespace string) {
                s.XDSServer.ConfigUpdate(&model.PushRequest{
                    Full: false,
                    ConfigsUpdated: map[model.ConfigKey]struct{}{
                        {
                            Kind:      gvk.Secret,
                            Name:      name,
                            Namespace: namespace,
                        }: {},
                    },
                    Reason: []model.TriggerReason{model.SecretTrigger},
                })
            })
            // sds Generator
            s.XDSServer.Generators[v3.SecretType] = xds.NewSecretGen(sc, s.XDSServer.Cache)
        }
    }
}

func NewMulticluster(client kube.Client, localCluster, secretNamespace string, stop chan struct{}) *Multicluster {
    // 初始化
    m := &Multicluster{
        remoteKubeControllers: map[string]*SecretsController{},
        localCluster:          localCluster,
        stop:                  stop,
    }
    // 添加本地集群
    m.addMemberCluster(client, localCluster)
    // 启动informer
    sc := secretcontroller.StartSecretController(client,
        func(c kube.Client, k string) error { m.addMemberCluster(c, k); return nil },
        func(c kube.Client, k string) error { m.updateMemberCluster(c, k); return nil },
        func(k string) error { m.deleteMemberCluster(k); return nil },
        secretNamespace,
        time.Millisecond*100,
        stop)
    m.secretController = sc
    return m
}

func NewController(
    kubeclientset kubernetes.Interface,
    namespace string,
    cs *ClusterStore,
    addCallback addSecretCallback,
    updateCallback updateSecretCallback,
    removeCallback removeSecretCallback) *Controller {

    //获取informer 需要有 "istio/multiCluster=true"标签
    secretsInformer := cache.NewSharedIndexInformer(
        &cache.ListWatch{
            ListFunc: func(opts meta_v1.ListOptions) (runtime.Object, error) {
                opts.LabelSelector = MultiClusterSecretLabel + "=true"
                return kubeclientset.CoreV1().Secrets(namespace).List(context.TODO(), opts)
            },
            WatchFunc: func(opts meta_v1.ListOptions) (watch.Interface, error) {
                opts.LabelSelector = MultiClusterSecretLabel + "=true"
                return kubeclientset.CoreV1().Secrets(namespace).Watch(context.TODO(), opts)
            },
        },
        &corev1.Secret{}, 0, cache.Indexers{},
    )
    // 获取一个queue
    queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())

    controller := &Controller{
        kubeclientset:  kubeclientset,
        namespace:      namespace,
        cs:             cs,
        informer:       secretsInformer,
        queue:          queue,
        addCallback:    addCallback,
        updateCallback: updateCallback,
        removeCallback: removeCallback,
    }

    log.Info("Setting up event handlers")
    // 添加事件处理，全部放入queue
    secretsInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
        AddFunc: func(obj interface{}) {
            key, err := cache.MetaNamespaceKeyFunc(obj)
            log.Infof("Processing add: %s", key)
            if err == nil {
                queue.Add(key)
            }
        },
        UpdateFunc: func(oldObj, newObj interface{}) {
            if oldObj == newObj || reflect.DeepEqual(oldObj, newObj) {
                return
            }

            key, err := cache.MetaNamespaceKeyFunc(newObj)
            log.Infof("Processing update: %s", key)
            if err == nil {
                queue.Add(key)
            }
        },
        DeleteFunc: func(obj interface{}) {
            key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(obj)
            log.Infof("Processing delete: %s", key)
            if err == nil {
                queue.Add(key)
            }
        },
    })

    return controller
}

事件处理

func (c *Controller) processNextItem() bool {
    // 获取secret
    secretName, quit := c.queue.Get()
    if quit {
        return false
    }
    defer c.queue.Done(secretName)

    // 具体处理逻辑
    err := c.processItem(secretName.(string))
    if err == nil {
        // No error, reset the ratelimit counters
        c.queue.Forget(secretName)
    } else if c.queue.NumRequeues(secretName) < maxRetries {
        log.Errorf("Error processing %s (will retry): %v", secretName, err)
        c.queue.AddRateLimited(secretName)
    } else {
        log.Errorf("Error processing %s (giving up): %v", secretName, err)
        c.queue.Forget(secretName)
        utilruntime.HandleError(err)
    }

    return true
}

func (c *Controller) processItem(secretName string) error {
    if secretName == initialSyncSignal {
        c.initialSync.Store(true)
        return nil
    }

    obj, exists, err := c.informer.GetIndexer().GetByKey(secretName)
    if err != nil {
        return fmt.Errorf("error fetching object %s error: %v", secretName, err)
    }

    if exists {
        // 存在用addMemberCluster进行处理
        c.addMemberCluster(secretName, obj.(*corev1.Secret))
    } else {
        // 不存在则删除
        c.deleteMemberCluster(secretName)
    }

    return nil
}

func (c *Controller) addMemberCluster(secretName string, s *corev1.Secret) {
    for clusterID, kubeConfig := range s.Data {
        // 判断cluster是否存在
        if prev, ok := c.cs.remoteClusters[clusterID]; !ok {
            log.Infof("Adding cluster_id=%v from secret=%v", clusterID, secretName)
            // 创建remote集群对象
            remoteCluster, err := createRemoteCluster(kubeConfig, secretName)
            if err != nil {
                log.Errorf("Failed to add remote cluster from secret=%v for cluster_id=%v: %v",
                    secretName, clusterID, err)
                continue
            }
            // 写入remoteClusters
            c.cs.remoteClusters[clusterID] = remoteCluster
            // 调用addCallback
            if err := c.addCallback(remoteCluster.clients, clusterID); err != nil {
                log.Errorf("Error creating cluster_id=%s from secret %v: %v",
                    clusterID, secretName, err)
            }
        } else {
            if prev.secretName != secretName {
                log.Errorf("ClusterID reused in two different secrets: %v and %v. ClusterID "+
                    "must be unique across all secrets", prev.secretName, secretName)
                continue
            }

            kubeConfigSha := sha256.Sum256(kubeConfig)
            if bytes.Equal(kubeConfigSha[:], prev.kubeConfigSha[:]) {
                log.Infof("Updating cluster_id=%v from secret=%v: (kubeconfig are identical)", clusterID, secretName)
            } else {
                log.Infof("Updating cluster %v from secret %v", clusterID, secretName)

                remoteCluster, err := createRemoteCluster(kubeConfig, secretName)
                if err != nil {
                    log.Errorf("Error updating cluster_id=%v from secret=%v: %v",
                        clusterID, secretName, err)
                    continue
                }
                c.cs.remoteClusters[clusterID] = remoteCluster
                // 调用updateCallback
                if err := c.updateCallback(remoteCluster.clients, clusterID); err != nil {
                    log.Errorf("Error updating cluster_id from secret=%v: %s %v",
                        clusterID, secretName, err)
                }
            }
        }
    }

    log.Infof("Number of remote clusters: %d", len(c.cs.remoteClusters))
}

func (c *Controller) deleteMemberCluster(secretName string) {
    for clusterID, cluster := range c.cs.remoteClusters {
        if cluster.secretName == secretName {
            log.Infof("Deleting cluster_id=%v configured by secret=%v", clusterID, secretName)
            // 调用remove call back
            err := c.removeCallback(clusterID)
            if err != nil {
                log.Errorf("Error removing cluster_id=%v configured by secret=%v: %v",
                    clusterID, secretName, err)
            }
            delete(c.cs.remoteClusters, clusterID)
        }
    }
    log.Infof("Number of remote clusters: %d", len(c.cs.remoteClusters))
}

callbacks

addcallback

func (m *Multicluster) addMemberCluster(clients kube.Client, key string) {
    log.Infof("initializing Kubernetes credential reader for cluster %v", key)
    sc := NewSecretsController(clients, key)
    m.m.Lock()
    m.remoteKubeControllers[key] = sc
    m.m.Unlock()
    clients.RunAndWait(m.stop)
}

updatecallback

func (m *Multicluster) updateMemberCluster(clients kube.Client, key string) {
    m.deleteMemberCluster(key)
    m.addMemberCluster(clients, key)
}

delete callback

func (m *Multicluster) deleteMemberCluster(key string) {
    m.m.Lock()
    delete(m.remoteKubeControllers, key)
    m.m.Unlock()
}

Generate

func (s *SecretGen) Generate(proxy *model.Proxy, _ *model.PushContext, w *model.WatchedResource, req *model.PushRequest) model.Resources {
    if proxy.VerifiedIdentity == nil {
        adsLog.Warnf("proxy %v is not authorized to receive secrets. Ensure you are connecting over TLS port and are authenticated.", proxy.ID)
        return nil
    }
    // 获取远程和本地集群的secretcontroller
    secrets, err := s.secrets.ForCluster(proxy.Metadata.ClusterID)
    if err != nil {
        adsLog.Warnf("proxy %v is from an unknown cluster, cannot retrieve certificates: %v", proxy.ID, err)
        return nil
    }
    // 认证客户端身份
    if err := secrets.Authorize(proxy.VerifiedIdentity.ServiceAccount, proxy.VerifiedIdentity.Namespace); err != nil {
        adsLog.Warnf("proxy %v is not authorized to receive secrets: %v", proxy.ID, err)
        return nil
    }
    if req == nil || !needsUpdate(proxy, req.ConfigsUpdated) {
        return nil
    }
    var updatedSecrets map[model.ConfigKey]struct{}
    if !req.Full {
        updatedSecrets = model.ConfigsOfKind(req.ConfigsUpdated, gvk.Secret)
    }
    results := model.Resources{}
    for _, resource := range w.ResourceNames {
        // 获取对应的secretresource
        sr, err := parseResourceName(resource, proxy.ConfigNamespace)
        if err != nil {
            adsLog.Warnf("error parsing resource name: %v", err)
            continue
        }

        if updatedSecrets != nil {
            if !containsAny(updatedSecrets, relatedConfigs(model.ConfigKey{Kind: gvk.Secret, Name: sr.Name, Namespace: sr.Namespace})) {
                // This is an incremental update, filter out secrets that are not updated.
                continue
            }
        }
        // 请求的资源必须和proxy同一命名空间
        if err := s.proxyAuthorizedForSecret(proxy, sr); err != nil {
            adsLog.Warnf("requested secret %v not accessible for proxy %v: %v", sr.ResourceName, proxy.ID, err)
            continue
        }
        // 如果已经缓存则直接获取
        if cached, f := s.cache.Get(sr); f {
            // If it is in the Cache, add it and continue
            results = append(results, cached)
            continue
        }
        // 判断是否为网关根证书
        isCAOnlySecret := strings.HasSuffix(sr.Name, GatewaySdsCaSuffix)
        if isCAOnlySecret {
            // 获取根证书
            secret := secrets.GetCaCert(sr.Name, sr.Namespace)
            if secret != nil {
                res := toEnvoyCaSecret(sr.ResourceName, secret)
                results = append(results, res)
                s.cache.Add(sr, res)
            } else {
                adsLog.Warnf("failed to fetch ca certificate for %v", sr.ResourceName)
            }
        } else {
            // 获取私钥和证书
            key, cert := secrets.GetKeyAndCert(sr.Name, sr.Namespace)
            if key != nil && cert != nil {
                res := toEnvoyKeyCertSecret(sr.ResourceName, key, cert)
                results = append(results, res)
                s.cache.Add(sr, res)
            } else {
                adsLog.Warnf("failed to fetch key and certificate for %v", sr.ResourceName)
            }
        }
    }
    return results
}

PreviousDiscoveryServer NextMulticluster

Last updated 4 years ago

Was this helpful?