From cbab593f3280ccbc76a84f3f6cf2a7c03f383f13 Mon Sep 17 00:00:00 2001
From: viovanov
Date: Fri, 27 Sep 2019 11:21:32 +0300
Subject: [PATCH] Special workaround flag for an EKS bug https://github.com/awslabs/amazon-eks-ami/issues/341
---
 pkg/bosh/converter/kube_converter.go | 13 +++++++------
 pkg/bosh/manifest/manifest.go | 15 ++++++++-------
 pkg/kube/apis/extendedsecret/v1alpha1/types.go | 17 +++++++++--------
 .../extendedsecret/extendedsecret_reconciler.go | 17 +++++++++++++++++
 4 files changed, 41 insertions(+), 21 deletions(-)
diff --git a/pkg/bosh/converter/kube_converter.go b/pkg/bosh/converter/kube_converter.go
index 75befa8af..924782527 100644
--- a/pkg/bosh/converter/kube_converter.go
+++ b/pkg/bosh/converter/kube_converter.go
@@ -92,12 +92,13 @@ func (kc *KubeConverter) Variables(manifestName string, variables []bdm.Variable
 }
 certRequest := esv1.CertificateRequest{
- CommonName: v.Options.CommonName,
- AlternativeNames: v.Options.AlternativeNames,
- IsCA: v.Options.IsCA,
- SignerType: v.Options.SignerType,
- ServiceRef: v.Options.ServiceRef,
- Usages: usages,
+ CommonName: v.Options.CommonName,
+ AlternativeNames: v.Options.AlternativeNames,
+ IsCA: v.Options.IsCA,
+ SignerType: v.Options.SignerType,
+ ServiceRef: v.Options.ServiceRef,
+ ActivateEKSWorkaroundForSAN: v.Options.ActivateEKSWorkaroundForSAN,
+ Usages: usages,
 }
 if len(certRequest.SignerType) == 0 {
 certRequest.SignerType = esv1.LocalSigner
diff --git a/pkg/bosh/manifest/manifest.go b/pkg/bosh/manifest/manifest.go
index c58749e1f..ad2dd6916 100644
--- a/pkg/bosh/manifest/manifest.go
+++ b/pkg/bosh/manifest/manifest.go
@@ -54,13 +54,14 @@ const (
 // VariableOptions from BOSH deployment manifest
 type VariableOptions struct {
- CommonName string `json:"common_name"`
- AlternativeNames []string `json:"alternative_names,omitempty"`
- IsCA bool `json:"is_ca"`
- CA string `json:"ca,omitempty"`
- ExtendedKeyUsage []AuthType `json:"extended_key_usage,omitempty"`
- SignerType string `json:"signer_type,omitempty"`
- ServiceRef []esv1.ServiceReference `json:"serviceRef,omitempty"`
+ CommonName string `json:"common_name"`
+ AlternativeNames []string `json:"alternative_names,omitempty"`
+ IsCA bool `json:"is_ca"`
+ CA string `json:"ca,omitempty"`
+ ExtendedKeyUsage []AuthType `json:"extended_key_usage,omitempty"`
+ SignerType string `json:"signer_type,omitempty"`
+ ServiceRef []esv1.ServiceReference `json:"serviceRef,omitempty"`
+ ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"`
 }
 // Variable from BOSH deployment manifest
diff --git a/pkg/kube/apis/extendedsecret/v1alpha1/types.go b/pkg/kube/apis/extendedsecret/v1alpha1/types.go
index 5a15a090b..95284de42 100644
--- a/pkg/kube/apis/extendedsecret/v1alpha1/types.go
+++ b/pkg/kube/apis/extendedsecret/v1alpha1/types.go
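Review bot: The JSON tag on the new VariableOptions field, `activateEKSWorkaroundForSAN`, is camelCase while every other manifest key on this struct is snake_case (`common_name`, `alternative_names`, `is_ca`, `extended_key_usage`, `signer_type`); only `serviceRef` already deviates, so unless the camelCase spelling is deliberately mirroring the CRD field, `json:"activate_eks_workaround_for_san,omitempty"` is the consistent choice for a key that operators type into a BOSH manifest. The field also has no comment saying what it does; a line such as `// ActivateEKSWorkaroundForSAN makes the ExtendedSecret reconciler use a referenced Service's ClusterIP as the certificate CommonName when the cluster signer is used; see https://github.com/awslabs/amazon-eks-ami/issues/341` would document it at the manifest boundary. Whatever spelling is picked, it is the public manifest contract and will be hard to rename later.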
@@ -62,14 +62,15 @@ type ServiceReference struct {
 // CertificateRequest specifies the details for the certificate generation
 type CertificateRequest struct {
- CommonName string `json:"commonName"`
- AlternativeNames []string `json:"alternativeNames"`
- IsCA bool `json:"isCA"`
- CARef SecretReference `json:"CARef"`
- CAKeyRef SecretReference `json:"CAKeyRef"`
- SignerType SignerType `json:"signerType,omitempty"`
- Usages []certv1.KeyUsage `json:"usages,omitempty"`
- ServiceRef []ServiceReference `json:"serviceRef,omitempty"`
+ CommonName string `json:"commonName"`
+ AlternativeNames []string `json:"alternativeNames"`
+ IsCA bool `json:"isCA"`
+ CARef SecretReference `json:"CARef"`
+ CAKeyRef SecretReference `json:"CAKeyRef"`
+ SignerType SignerType `json:"signerType,omitempty"`
+ Usages []certv1.KeyUsage `json:"usages,omitempty"`
+ ServiceRef []ServiceReference `json:"serviceRef,omitempty"`
+ ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"`
 }
 // Request specifies details for the secret generation
diff --git a/pkg/kube/controllers/extendedsecret/extendedsecret_reconciler.go b/pkg/kube/controllers/extendedsecret/extendedsecret_reconciler.go
index fe8f503b3..ba34424eb 100644
--- a/pkg/kube/controllers/extendedsecret/extendedsecret_reconciler.go
+++ b/pkg/kube/controllers/extendedsecret/extendedsecret_reconciler.go
@@ -233,6 +233,9 @@ func (r *ReconcileExtendedSecret) createSSHSecret(ctx context.Context, instance
 }
 func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, instance *esv1.ExtendedSecret) error {
+ serviceIPForEKSWorkaround := ""
+
 for _, serviceRef := range instance.Spec.Request.CertificateRequest.ServiceRef {
 service := &corev1.Service{}
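Review bot: `ActivateEKSWorkaroundForSAN` is added to the CRD-facing CertificateRequest type without a doc comment, so neither generated CRD documentation nor a reader of the type can tell what setting it changes; the reconciler hunks in this patch show it rewrites the certificate's CommonName rather than anything SAN-related, and only on the ClusterSigner path. A comment along the lines of `// ActivateEKSWorkaroundForSAN replaces CommonName with the ClusterIP of the first referenced Service when SignerType is ClusterSigner. Workaround for https://github.com/awslabs/amazon-eks-ami/issues/341.` would make that explicit. Naming it after the EKS bug while the observable effect is an IP common name is exactly the kind of thing a user will otherwise have to read the controller source to understand.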
@@ -242,6 +245,10 @@ func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, i
 return errors.Wrapf(err, "Failed to get service reference '%s' for ExtendedSecret '%s'", serviceRef.Name, instance.Name)
 }
+ if serviceIPForEKSWorkaround == "" {
+ serviceIPForEKSWorkaround = service.Spec.ClusterIP
+ }
+
 instance.Spec.Request.CertificateRequest.AlternativeNames = append(append(
 instance.Spec.Request.CertificateRequest.AlternativeNames,
 service.Name,
@@ -265,6 +272,16 @@ func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, i
 switch instance.Spec.Request.CertificateRequest.SignerType {
 case esv1.ClusterSigner:
+ if instance.Spec.Request.CertificateRequest.ActivateEKSWorkaroundForSAN {
+ if serviceIPForEKSWorkaround == "" {
+ return errors.Errorf("can't activate EKS workaround for ExtendedSecret '%s/%s'; couldn't find a ClusterIP for any service reference", instance.Namespace, instance.Name)
+ }
+ ctxlog.Infof(ctx, "Activating EKS workaround for ExtendedSecret '%s/%s'. Using IP '%s' as a common name. See 'https://github.com/awslabs/amazon-eks-ami/issues/341' for more details.", instance.Namespace, instance.Name, serviceIPForEKSWorkaround)
+ generationRequest.CommonName = serviceIPForEKSWorkaround
+ }
+
 ctxlog.Info(ctx, "Generating certificate signing request and its key")
 csr, key, err := r.generator.GenerateCertificateSigningRequest(generationRequest)
 if err != nil {
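Review bot: `serviceIPForEKSWorkaround` is filled from the first `service.Spec.ClusterIP` that is not the empty string, but a headless Service carries the literal string `"None"` in that field (`corev1.ClusterIPNone`), which passes the `== ""` guard and would later be issued as the certificate's common name; an ExternalName Service has an empty ClusterIP and is correctly skipped. Tighten the guard to `if serviceIPForEKSWorkaround == "" && service.Spec.ClusterIP != corev1.ClusterIPNone {`. Because only the first usable reference wins, the resulting CN also depends on ServiceRef order, which deserves a short comment at the variable's declaration in the previous hunk of this file, e.g. `// ClusterIP of the first ServiceRef that has one; becomes the CN under the EKS workaround`. The surrounding loop body continues outside this hunk.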
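Review bot: The override `generationRequest.CommonName = serviceIPForEKSWorkaround` silently discards the CommonName the user configured, and it only runs under `case esv1.ClusterSigner`, so an ExtendedSecret that sets `ActivateEKSWorkaroundForSAN` with another signer gets no effect and no message. Two small changes would make this observable: log or reject the flag in the other signer branches (outside this hunk) so a misconfiguration does not pass unnoticed, and, if generationRequest carries an alternative-names list, append the original common name to it before overwriting so signers that do honour SANs still issue a certificate valid for the configured name. The Info log already records the substitution, which is the right place for an auditor to find it; consider also logging the original CommonName in that message. The switch and the error handling after it extend beyond the hunk.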