Cache kubeadm certificate keys to avoid race conditions

Signed-off-by: daniel-weisse <daniel.weisse@gmx.net>
This commit is contained in:
daniel-weisse 2022-07-07 15:01:04 +02:00 committed by Paul Meyer
parent 5d54ce689b
commit 586b65f089
4 changed files with 132 additions and 6 deletions

View File

@ -0,0 +1,58 @@
package kubeadm
import (
"fmt"
"sync"
"time"
"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
"k8s.io/utils/clock"
)
// certificateKeyTTL is the time a certificate key is valid for.
const certificateKeyTTL = time.Hour
// keyManager handles creation of certificate encryption keys.
type keyManager struct {
mux sync.Mutex
key string
expirationDate time.Time
clock clock.Clock
}
func newKeyManager() *keyManager {
return &keyManager{
clock: clock.RealClock{},
}
}
// getCertificatetKey returns the encryption key to use for uploading PKI certificates to Kubernetes.
// A Key is cached for one hour, but its expiration date is extended by two minutes if a request is made
// within two minutes of the key expiring to avoid just-expired keys.
// This is necessary since uploading a certificate with a different key overwrites any others.
// This means we can no longer decrypt the certificates using an old key.
func (k *keyManager) getCertificatetKey() (string, error) {
k.mux.Lock()
defer k.mux.Unlock()
switch {
case k.key == "" || k.expirationDate.Before(k.clock.Now()):
// key was not yet generated, or has expired
// generate a new key and set TTL
key, err := copycerts.CreateCertificateKey()
if err != nil {
return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
}
k.expirationDate = k.clock.Now().Add(certificateKeyTTL)
k.key = key
case k.expirationDate.After(k.clock.Now()):
// key is still valid
// if TTL is less than 2 minutes away, increase it by 2 minutes
// this is to avoid the key expiring too soon when a node uses it to join the cluster
if k.expirationDate.Sub(k.clock.Now()) < 2*time.Minute {
k.expirationDate = k.expirationDate.Add(2 * time.Minute)
}
}
return k.key, nil
}

View File

@ -0,0 +1,63 @@
package kubeadm
import (
"testing"
"time"
"github.com/stretchr/testify/assert"
"k8s.io/utils/clock"
testclock "k8s.io/utils/clock/testing"
)
func TestKeyManager(t *testing.T) {
testCases := map[string]struct {
clock clock.Clock
ttl time.Time
key string
shouldReuse bool
}{
"no key exists": {
clock: testclock.NewFakeClock(time.Time{}),
},
"key exists and is valid": {
clock: testclock.NewFakeClock(time.Time{}),
ttl: time.Time{}.Add(time.Hour),
key: "key",
shouldReuse: true,
},
"key has expired": {
clock: testclock.NewFakeClock(time.Time{}.Add(time.Hour)),
ttl: time.Time{},
key: "key",
},
"key expires in the next 30 seconds": {
clock: testclock.NewFakeClock(time.Time{}),
ttl: time.Time{}.Add(30 * time.Second),
key: "key",
shouldReuse: true,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
km := &keyManager{
expirationDate: tc.ttl,
key: tc.key,
clock: tc.clock,
}
key, err := km.getCertificatetKey()
assert.NoError(err)
assert.True(km.expirationDate.After(tc.clock.Now().Add(2 * time.Minute)))
if tc.shouldReuse {
assert.Equal(tc.key, key)
} else {
assert.Equal(km.key, key)
assert.NotEqual(tc.key, key)
}
})
}
}

View File

@ -28,6 +28,7 @@ import (
type Kubeadm struct {
apiServerEndpoint string
log *logger.Logger
keyManager *keyManager
client clientset.Interface
file file.Handler
}
@ -47,6 +48,7 @@ func New(apiServerEndpoint string, log *logger.Logger) (*Kubeadm, error) {
return &Kubeadm{
apiServerEndpoint: apiServerEndpoint,
log: log,
keyManager: newKeyManager(),
client: client,
file: file,
}, nil
@ -112,7 +114,7 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
// The key can be used by new nodes to join the cluster as a control plane node.
func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) {
k.log.Infof("Creating new random control plane certificate key")
key, err := copycerts.CreateCertificateKey()
key, err := k.keyManager.getCertificatetKey()
if err != nil {
return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
}

View File

@ -18,6 +18,7 @@ import (
"k8s.io/client-go/kubernetes/fake"
corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
testclock "k8s.io/utils/clock/testing"
)
func TestMain(m *testing.M) {
@ -83,9 +84,10 @@ kind: Config`,
require := require.New(t)
client := &Kubeadm{
log: logger.NewTest(t),
file: file.NewHandler(afero.NewMemMapFs()),
client: fake.NewSimpleClientset(),
log: logger.NewTest(t),
keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
file: file.NewHandler(afero.NewMemMapFs()),
client: fake.NewSimpleClientset(),
}
if tc.adminConf != "" {
require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
@ -124,8 +126,9 @@ func TestGetControlPlaneCertificateKey(t *testing.T) {
assert := assert.New(t)
client := &Kubeadm{
log: logger.NewTest(t),
client: tc.client,
keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
log: logger.NewTest(t),
client: tc.client,
}
_, err := client.GetControlPlaneCertificateKey()