证书控制器chiron

Chiron是与Istiod链接的轻量级组件,该组件使用Kubernetes CA API签署证书而无需维护其私钥。使用此功能具有以下优点:

不像istiod,此功能不需要维护私有签名密钥,从而增强了安全性。
简化了向TLS客户端的根证书分发。客户不再需要等待Istiod生成和分发其CA证书。

配置提供证书

cat < ./istio.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: certificates:

secretName: dns.example1-service-account
dnsNames: [example1.istio-system.svc, example1.istio-system]
secretName: dns.example2-service-account
dnsNames: [example2.istio-system.svc, example2.istio-system]
EOF

istioctl install -f ./istio.yaml

代码

初始化证书控制器

if err := s.initCertController(args); err != nil {
    return fmt.Errorf("error initializing certificate controller: %v", err)
}

具体逻辑

func (s *Server) initCertController(args *PilotArgs) error {
    var err error
    var secretNames, dnsNames, namespaces []string

    //获取网格配置
    meshConfig := s.environment.Mesh()
    if meshConfig.GetCertificates() == nil || len(meshConfig.GetCertificates()) == 0 {
        log.Info("No certificates specified, skipping K8S DNS certificate controller")
        return nil
    }

    k8sClient := s.kubeClient
    // 读取上述配置的certificates
    for _, c := range meshConfig.GetCertificates() {
        name := strings.Join(c.GetDnsNames(), ",")
        if len(name) == 0 { // 必须包含至少一个DNS name
            continue
        }
        if len(c.GetSecretName()) > 0 {
            // Chiron 将生成key和证书保存到secret
            secretNames = append(secretNames, c.GetSecretName())
            dnsNames = append(dnsNames, name)
            namespaces = append(namespaces, args.Namespace)
        }
    }

    // 设置和管理非pilot服务的证书.如果服务为空,则证书控制器将不执行任何操作。
    s.certController, err = chiron.NewWebhookController(defaultCertGracePeriodRatio, defaultMinCertGracePeriod,
        k8sClient.CoreV1(), k8sClient.AdmissionregistrationV1beta1(), k8sClient.CertificatesV1beta1(),
        defaultCACertPath, secretNames, dnsNames, namespaces)
    if err != nil {
        return fmt.Errorf("failed to create certificate controller: %v", err)
    }
    s.addStartFunc(func(stop <-chan struct{}) error {
        go func() {
            // 启动Chiron 管理certificates的生命周期
            s.certController.Run(stop)
        }()

        return nil
    })

    return nil
}

在启动时

func (wc *WebhookController) Run(stopCh <-chan struct{}) {
    // 创建证书
    for i, secretName := range wc.secretNames {
        err := wc.upsertSecret(secretName, wc.dnsNames[i], wc.serviceNamespaces[i])
        if err != nil {
            log.Errorf("error when upserting secret (%v) in ns (%v): %v", secretName, wc.serviceNamespaces[i], err)
        }
    }

    ...
}

创建WebhookController

func NewWebhookController(gracePeriodRatio float32, minGracePeriod time.Duration,
    core corev1.CoreV1Interface, admission admissionv1beta1.AdmissionregistrationV1beta1Interface,
    certClient certclient.CertificatesV1beta1Interface, k8sCaCertFile string,
    secretNames, dnsNames, serviceNamespaces []string) (*WebhookController, error) {

    ...

    c := &WebhookController{
        gracePeriodRatio:  gracePeriodRatio,
        minGracePeriod:    minGracePeriod,
        k8sCaCertFile:     k8sCaCertFile,
        core:              core,
        admission:         admission,
        certClient:        certClient,
        secretNames:       secretNames,
        dnsNames:          dnsNames,
        serviceNamespaces: serviceNamespaces,
        certUtil:          certutil.NewCertUtil(int(gracePeriodRatio * 100)),
    }

    // 读取CA.
    _, err := reloadCACert(c)
    if err != nil {
        return nil, err
    }
    if len(dnsNames) == 0 {
        log.Warn("the input services are empty, no services to manage certificates for")
    } else {
        // watch istio.io/dns-key-and-cert类型的secret
        istioSecretSelector := fields.SelectorFromSet(map[string]string{"type": IstioDNSSecretType}).String()
        scrtLW := listwatch.MultiNamespaceListerWatcher(serviceNamespaces, func(namespace string) cache.ListerWatcher {
            return &cache.ListWatch{
                ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
                    options.FieldSelector = istioSecretSelector
                    return core.Secrets(namespace).List(context.TODO(), options)
                },
                WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
                    options.FieldSelector = istioSecretSelector
                    return core.Secrets(namespace).Watch(context.TODO(), options)
                },
            }
        })
        c.scrtStore, c.scrtController =
            cache.NewInformer(scrtLW, &v1.Secret{}, secretResyncPeriod, cache.ResourceEventHandlerFuncs{
                DeleteFunc: c.scrtDeleted,
                UpdateFunc: c.scrtUpdated,
            })
    }

    return c, nil
}

当证书被删除时

scrtDeleted

func (wc *WebhookController) scrtDeleted(obj interface{}) {
    log.Debugf("enter WebhookController.scrtDeleted()")
    scrt, ok := obj.(*v1.Secret)
    if !ok {
        log.Warnf("failed to convert to secret object: %v", obj)
        return
    }

    scrtName := scrt.Name
    if wc.isWebhookSecret(scrtName, scrt.GetNamespace()) {
        log.Infof("re-create deleted Istio secret %s in namespace %s", scrtName, scrt.GetNamespace())
        dnsName, found := wc.getDNSName(scrtName)
        if !found {
            log.Errorf("failed to find the DNS name of the secret: %v", scrtName)
            return
        }
        // 重新生成证书
        err := wc.upsertSecret(scrtName, dnsName, scrt.GetNamespace())
        if err != nil {
            log.Errorf("re-create deleted Istio secret %s in namespace %s failed: %v",
                scrtName, scrt.GetNamespace(), err)
        }
    }
}

当证书被更新时

scrtUpdated

// scrtUpdated()在收到更新事件进行回调. 用于证书轮转

func (wc *WebhookController) scrtUpdated(oldObj, newObj interface{}) {

    ......

    //解析证书,无法解析则更新
    certBytes := scrt.Data[ca.CertChainID]
    _, err := util.ParsePemEncodedCertificate(certBytes)
    if err != nil {
        log.Warnf("failed to parse certificates in secret %s/%s (error: %v), refreshing the secret.",
            namespace, name, err)
        //更新证书
        if err = wc.refreshSecret(scrt); err != nil {
            log.Errora(err)
        }

        return
    }

    _, waitErr := wc.certUtil.GetWaitTime(certBytes, time.Now(), wc.minGracePeriod)

    //当 证书过期或者证书CA非K8S CA生成则重新签发
    caCert, err := wc.getCACert()
    if err != nil {
        log.Errorf("failed to get CA certificate: %v", err)
        return
    }
    if waitErr != nil || !bytes.Equal(caCert, scrt.Data[ca.RootCertID]) {
        log.Infof("refreshing secret %s/%s, either the leaf certificate is about to expire "+
            "or the root certificate is outdated", namespace, name)
        //更新证书
        if err = wc.refreshSecret(scrt); err != nil {
            log.Errorf("failed to update secret %s/%s (error: %s)", namespace, name, err)
        }
    }
}

upsertSecret/refreshSecret分别将调用GenKeyCertK8sCA生成证书,GenKeyCertK8sCA又将调用SignCSRK8s发出请求

SignCSRK8s 1. 发起CSR请求 2. Approve CSR 3. 读取certificate 4.删除依赖

Previousistio-cni Nextistio ca控制器

Last updated 4 years ago

Was this helpful?