Merge pull request kubeedge#6013 from WillardHu/revert-5994

Revert: Fixed the hub client certificate doesn't have any IP address
1Shubham7 · Dec 2, 2024 · 92115c4 · 92115c4
2 parents e32898f + a76e959
commit 92115c4
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 43 deletions.
diff --git a/cloud/pkg/cloudhub/config/config.go b/cloud/pkg/cloudhub/config/config.go
@@ -1,7 +1,6 @@
 package config
 
 import (
-	"net"
 	"sync"
 
 	"k8s.io/klog/v2"
@@ -97,11 +96,3 @@ func (c *Configure) UpdateCerts(cert, key []byte) {
 		c.Key = key
 	}
 }
-
-func (c *Configure) ConvAdvertiseAddressToIPs() []net.IP {
-	ips := make([]net.IP, 0, len(c.AdvertiseAddress))
-	for _, addr := range c.AdvertiseAddress {
-		ips = append(ips, net.ParseIP(addr))
-	}
-	return ips
-}
diff --git a/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go b/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
@@ -154,10 +154,6 @@ func signEdgeCert(r io.ReadCloser, usagesStr string) (*pem.Block, error) {
 		hubconfig.Config.CaKey,
 		usages,
 		edgeCertSigningDuration,
-		&certutil.AltNames{
-			IPs:      hubconfig.Config.ConvAdvertiseAddressToIPs(),
-			DNSNames: hubconfig.Config.DNSNames,
-		},
 	))
 	if err != nil {
 		return nil, fmt.Errorf("fail to signCerts, err: %v", err)

diff --git a/cloud/pkg/cloudhub/servers/httpserver/pre_server.go b/cloud/pkg/cloudhub/servers/httpserver/pre_server.go
@@ -19,6 +19,7 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
+	"net"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -107,7 +108,12 @@ func createCertsToSecret(ctx context.Context) error {
 		if err != nil {
 			klog.Info("CloudCoreCert and key don't exist in the secret, and will be signed by CA")
 
+			ips := make([]net.IP, 0, len(hubconfig.Config.AdvertiseAddress))
+			for _, addr := range hubconfig.Config.AdvertiseAddress {
+				ips = append(ips, net.ParseIP(addr))
+			}
 			h := certs.GetHandler(certs.HandlerTypeX509)
+
 			keywrap, err := h.GenPrivateKey()
 			if err != nil {
 				return fmt.Errorf("faield to generate the private key, err: %v", err)
@@ -123,7 +129,7 @@ func createCertsToSecret(ctx context.Context) error {
 				Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 				AltNames: certutil.AltNames{
 					DNSNames: hubconfig.Config.DNSNames,
-					IPs:      hubconfig.Config.ConvAdvertiseAddressToIPs(),
+					IPs:      ips,
 				},
 			}, hubconfig.Config.Ca, hubconfig.Config.CaKey, key.Public(), year100)
 			certPEM, err := h.SignCerts(opts)

diff --git a/pkg/security/certs/types.go b/pkg/security/certs/types.go
@@ -59,12 +59,7 @@ type SignCertsOptions struct {
 	expiration time.Duration
 }
 
-func SignCertsOptionsWithCA(
-	cfg certutil.Config,
-	caDER, caKeyDER []byte,
-	publicKey any,
-	expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithCA(cfg certutil.Config, caDER, caKeyDER []byte, publicKey any, expiration time.Duration) SignCertsOptions {
 	return SignCertsOptions{
 		cfg:        cfg,
 		caDER:      caDER,
@@ -74,13 +69,8 @@ func SignCertsOptionsWithCA(
 	}
 }
 
-func SignCertsOptionsWithCSR(
-	csrDER, caDER, caKeyDER []byte,
-	usages []x509.ExtKeyUsage,
-	expiration time.Duration,
-	alt *certutil.AltNames,
-) SignCertsOptions {
-	opts := SignCertsOptions{
+func SignCertsOptionsWithCSR(csrDER, caDER, caKeyDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
+	return SignCertsOptions{
 		csrDER:   csrDER,
 		caDER:    caDER,
 		caKeyDER: caKeyDER,
@@ -89,17 +79,9 @@ func SignCertsOptionsWithCSR(
 		},
 		expiration: expiration,
 	}
-	if alt != nil {
-		opts.cfg.AltNames = *alt
-	}
-	return opts
 }
 
-func SignCertsOptionsWithK8sCSR(
-	csrDER []byte,
-	usages []x509.ExtKeyUsage,
-	expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithK8sCSR(csrDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
 	return SignCertsOptions{
 		csrDER: csrDER,
 		cfg: certutil.Config{

diff --git a/pkg/security/certs/x509_ca_certs_test.go b/pkg/security/certs/x509_ca_certs_test.go
@@ -33,7 +33,7 @@ func TestSignX509Certs(t *testing.T) {
 	}, certpkw, nil)
 
 	opts := SignCertsOptionsWithCSR(csrblock.Bytes, cablock.Bytes, capkw.DER(),
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour, nil)
+		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour)
 	certblock, err := certh.SignCerts(opts)
 	if err != nil {
 		t.Fatal(err)

diff --git a/pkg/security/certs/x509_certs.go b/pkg/security/certs/x509_certs.go
@@ -76,13 +76,9 @@ func (h x509CertsHandler) SignCerts(opts SignCertsOptions) (*pem.Block, error) {
 		}
 		opts.cfg.CommonName = csr.Subject.CommonName
 		opts.cfg.Organization = csr.Subject.Organization
+		opts.cfg.AltNames.DNSNames = csr.DNSNames
+		opts.cfg.AltNames.IPs = csr.IPAddresses
 		pubkey = csr.PublicKey
-		if len(csr.DNSNames) > 0 {
-			opts.cfg.AltNames.DNSNames = csr.DNSNames
-		}
-		if len(csr.IPAddresses) > 0 {
-			opts.cfg.AltNames.IPs = csr.IPAddresses
-		}
 	}
 	if len(opts.cfg.CommonName) == 0 {
 		return nil, errors.New("must specify a CommonName")