diff --git a/charts/member-agent/templates/deployment.yaml b/charts/member-agent/templates/deployment.yaml
index cfa1a1468..92a8e653c 100644
--- a/charts/member-agent/templates/deployment.yaml
+++ b/charts/member-agent/templates/deployment.yaml
@@ -25,7 +25,11 @@ spec:
 containerPort: 80
 args:
 - --leader-elect=true
+ {{- if .Values.useCAAuth }}
+ - --use-ca-auth={{ .Values.useCAAuth }}
+ {{- else }}
 - --tls-insecure={{ .Values.tlsClientInsecure }}
+ {{- end }}
 - --v={{ .Values.logVerbosity }}
 - -add_dir_header
 env:
@@ -37,6 +41,14 @@ spec:
 value: "{{ .Values.config.memberClusterName }}"
 - name: HUB_CERTIFICATE_AUTHORITY
 value: "{{ .Values.config.hubCA }}"
+ {{- if .Values.useCAAuth }}
+ - name: IDENTITY_KEY
+ value: "{{ .Values.config.identityKey }}"
+ - name: IDENTITY_CERT
+ value: "{{ .Values.config.identityCert }}"
+ - name: CA_BUNDLE
+ value: "{{ .Values.config.CABundle }}"
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 ports:
@@ -60,6 +72,7 @@ spec:
 httpGet:
 path: /readyz
 port: hubhealthz
+ {{- if not .Values.useCAAuth }}
 volumeMounts:
 - name: provider-token
 mountPath: /config
@@ -67,11 +80,11 @@ spec:
 image: "{{ .Values.refreshtoken.repository }}:{{ .Values.refreshtoken.tag }}"
 imagePullPolicy: {{ .Values.refreshtoken.pullPolicy }}
 args:
- {{ $provider := .Values.config.provider }}
+ {{- $provider := .Values.config.provider }}
 - {{ $provider }}
- {{ range $key, $value := (index .Values $provider) }}
+ {{- range $key, $value := (index .Values $provider) }}
 - --{{ $key }}={{ $value }}
- {{ end }}
+ {{- end }}
 - --v={{ .Values.logVerbosity }}
 ports:
 - name: http
@@ -80,10 +93,11 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
 - name: provider-token
- mountPath: /config
+ mountPath: /config
 volumes:
 - name: provider-token
 emptyDir: {}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
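Review bot: In CA-auth mode the agent container receives IDENTITY_KEY, IDENTITY_CERT and CA_BUNDLE as file paths (second hunk) but nothing is mounted for them: the `{{- if not .Values.useCAAuth }}` opened in the third hunk and closed by the `{{- end }}` in the last hunk removes the only volumeMounts and volumes blocks, so the pod has no volume at all when useCAAuth is true. Unless the key, certificate and bundle are baked into the agent image (not visible here), the agent cannot open those paths at startup; the agent's volumeMounts and the pod's volumes need an `{{- else }}` branch that mounts a Secret-backed volume at the directory those three paths point into, while the refreshtoken sidecar keeps its own `if not` guard. The same `if`/`end` pair currently runs from the agent container's volumeMounts through the sidecar to the pod-level volumes, which is easy to misread; a template comment at the opening line such as `{{- /* token auth only: provider-token mount, refreshtoken sidecar and volume */ -}}` would help. Minor: `--use-ca-auth={{ .Values.useCAAuth }}` sits inside `{{- if .Values.useCAAuth }}` and therefore always renders `true`; `--use-ca-auth=true` says the same thing more plainly.
```yaml
      volumes:
        {{- if .Values.useCAAuth }}
        - name: identity
          secret:
            secretName: IDENTITY_SECRET_NAME_PLACEHOLDER   # constructed: a new values key for the Secret holding key, cert and CA bundle
        {{- else }}
        - name: provider-token
          emptyDir: {}
        {{- end }}
```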
diff --git a/charts/member-agent/values.yaml b/charts/member-agent/values.yaml
index 2071c9a86..9f84e43b2 100644
--- a/charts/member-agent/values.yaml
+++ b/charts/member-agent/values.yaml
@@ -32,6 +32,9 @@ config:
 hubURL : https://:
 memberClusterName: membercluster-sample
 hubCA:
+ identityKey: "identity-key-path"
+ identityCert: "identity-cert-path"
+ CABundle: "ca-bundle-path"
 secret:
 name: "hub-kubeconfig-secret"
@@ -41,3 +44,4 @@ azure:
 clientid:
 tlsClientInsecure: true #TODO should be false in the production
+useCAAuth: false
diff --git a/cmd/memberagent/main.go b/cmd/memberagent/main.go
index 24cf6edc2..f6e2a06b4 100644
--- a/cmd/memberagent/main.go
+++ b/cmd/memberagent/main.go
@@ -39,6 +39,7 @@ import (
 var (
 scheme = runtime.NewScheme()
+ useCAAuth = flag.Bool("use-ca-auth", false, "Use identity and CA bundle to authenticate the member agent.")
 tlsClientInsecure = flag.Bool("tls-insecure", false, "Enable TLSClientConfig.Insecure property. Enabling this will make the connection inSecure (should be 'true' for testing purpose only.)")
 hubProbeAddr = flag.String("hub-health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 hubMetricsAddr = flag.String("hub-metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
@@ -72,8 +73,8 @@ func main() {
 }
 tokenFilePath := os.Getenv("CONFIG_PATH")
- if tokenFilePath == "" {
- klog.ErrorS(errors.New("hub token file path cannot be empty"), "error has occurred retrieving CONFIG_PATH")
+ if !*useCAAuth && tokenFilePath == "" {
+ klog.ErrorS(errors.New("hub token file path cannot be empty if CA auth not used"), "error has occurred retrieving CONFIG_PATH")
 os.Exit(1)
 }
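Review bot: The defaults `identityKey: "identity-key-path"`, `identityCert: "identity-cert-path"` and `CABundle: "ca-bundle-path"` are placeholder strings rather than real paths, yet the deployment template renders them into IDENTITY_KEY, IDENTITY_CERT and CA_BUNDLE whenever useCAAuth is true; because they are non-empty they pass the empty-path checks in main.go, so a chart installed with useCAAuth and no overrides only fails when the rest client tries to open those files. Leaving them empty like `hubCA:` keeps the fail-fast check effective, and a comment such as `# required when useCAAuth is true: in-container paths to the client key, client cert and CA bundle` tells operators what to set. Style: `CABundle` breaks the camelCase of the neighbouring keys (`hubCA`, `identityKey`); `caBundle` would match.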
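Review bot: The help text of the new `use-ca-auth` flag does not say that it takes precedence over `--tls-insecure` and makes CONFIG_PATH optional, which is exactly what the second hunk of this file and the hubConfig selection in main() do; operators reading `--help` would not know that `--tls-insecure` is silently ignored once CA auth is on. Something like `useCAAuth = flag.Bool("use-ca-auth", false, "Authenticate to the hub with the client cert, key and CA bundle from IDENTITY_CERT, IDENTITY_KEY and CA_BUNDLE; takes precedence over --tls-insecure and makes CONFIG_PATH unnecessary.")` makes the interaction explicit. Since the two flags describe contradictory verification settings, rejecting or at least warning about `--use-ca-auth` combined with `--tls-insecure` at startup would stop an operator from believing the hub certificate is being verified when the insecure flag was the one they meant to drop. The var block and main() continue outside these hunks.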
@@ -85,21 +86,51 @@ func main() {
 mcNamespace := fmt.Sprintf(utils.NamespaceNameFormat, mcName)
- err := retry.OnError(retry.DefaultRetry, func(e error) bool {
- return true
- }, func() error {
- // Stat returns file info. It will return
- // an error if there is no file.
- _, err := os.Stat(tokenFilePath)
- return err
- })
- if err != nil {
- klog.ErrorS(err, " cannot retrieve token file from the path %s", tokenFilePath)
- os.Exit(1)
+ identityKeyFile := os.Getenv("IDENTITY_KEY")
+ identityCertFile := os.Getenv("IDENTITY_CERT")
+ caBundleFile := os.Getenv("CA_BUNDLE")
+
+ if *useCAAuth {
+ if identityKeyFile == "" {
+ klog.ErrorS(errors.New("identity key file path cannot be empty"), "error has occurred retrieving IDENTITY_KEY")
+ os.Exit(1)
+ }
+
+ if identityCertFile == "" {
+ klog.ErrorS(errors.New("identity cert file path cannot be empty"), "error has occurred retrieving IDENTITY_CERT")
+ os.Exit(1)
+ }
+
+ if caBundleFile == "" {
+ klog.ErrorS(errors.New("CA bundle file path cannot be empty"), "error has occurred retrieving CA_BUNDLE")
+ os.Exit(1)
+ }
+ } else {
+ err := retry.OnError(retry.DefaultRetry, func(e error) bool {
+ return true
+ }, func() error {
+ // Stat returns file info. It will return
+ // an error if there is no file.
+ _, err := os.Stat(tokenFilePath)
+ return err
+ })
+ if err != nil {
+ klog.ErrorS(err, " cannot retrieve token file from the path %s", tokenFilePath)
+ os.Exit(1)
+ }
+ }
 var hubConfig rest.Config
- if *tlsClientInsecure {
+ if *useCAAuth {
+ hubConfig = rest.Config{
+ Host: hubURL,
+ TLSClientConfig: rest.TLSClientConfig{
+ CertFile: identityCertFile,
+ KeyFile: identityKeyFile,
+ CAFile: caBundleFile,
+ },
+ }
+ } else if *tlsClientInsecure {
 hubConfig = rest.Config{
 BearerTokenFile: tokenFilePath,
 Host: hubURL,
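Review bot: The CA-auth branch only checks that IDENTITY_KEY, IDENTITY_CERT and CA_BUNDLE are non-empty, while the token branch it sits beside also verifies that the file exists (the retried os.Stat on tokenFilePath), so a mistyped path in CA mode is not caught here and surfaces only when the rest client loads the TLS material. Mirroring the existence check for the three files keeps the two modes consistent and makes the startup error name the offending path; whether the retry is also wanted depends on whether those files are projected asynchronously, which I cannot tell from here. Since the token-branch error line is moved anyway, `klog.ErrorS(err, " cannot retrieve token file from the path %s", tokenFilePath)` could become `klog.ErrorS(err, "cannot retrieve token file", "path", tokenFilePath)`: ErrorS takes key/value pairs after the message, so the `%s` is never substituted and tokenFilePath is emitted as an unpaired key. main() continues outside the hunk.
```go
	if *useCAAuth {
		// … unchanged: empty-path checks for IDENTITY_KEY, IDENTITY_CERT and CA_BUNDLE …
		for _, f := range []string{identityKeyFile, identityCertFile, caBundleFile} {
			if _, err := os.Stat(f); err != nil {
				klog.ErrorS(err, "cannot access CA auth file", "path", f)
				os.Exit(1)
			}
		}
	} else {
```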