Fix embedded excutor VPN config injection

Allow the executor to modify node config before certs are generated, and use this to add VPN node IPs to kubelet serving cert

Author: brandond

pkg/agent/config/config.go

@@ -27,6 +27,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/clientaccess"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/daemons/control/deps"
+	"github.com/k3s-io/k3s/pkg/daemons/executor"
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/errors"
@@ -515,54 +516,13 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 
 	os.Setenv("NODE_NAME", nodeName)
 
-	// Ensure that the kubelet's server certificate is valid for all configured node IPs.  Note
-	// that in the case of an external CCM, additional IPs may be added by the infra provider
-	// that the cert will not be valid for, as they are not present in the list collected here.
-	nodeExternalAndInternalIPs := append(nodeIPs, nodeExternalIPs...)
-
-	// Ask the server to sign our kubelet server cert.
-	if err := getKubeletServingCert(nodeName, nodeExternalAndInternalIPs, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info); err != nil {
-		return nil, errors.WithMessage(err, servingKubeletCert)
-	}
-
-	// Ask the server to sign our kubelet client cert.
-	if err := getKubeletClientCert(clientKubeletCert, clientKubeletKey, nodeName, nodeIPs, newNodePasswordFile, info); err != nil {
-		return nil, errors.WithMessage(err, clientKubeletCert)
-	}
-
-	// Generate a kubeconfig for the kubelet.
 	kubeconfigKubelet := filepath.Join(envInfo.DataDir, "agent", "kubelet.kubeconfig")
-	if err := deps.KubeConfig(kubeconfigKubelet, apiServerURL, serverCAFile, clientKubeletCert, clientKubeletKey); err != nil {
-		return nil, err
-	}
-
 	clientKubeProxyCert := filepath.Join(envInfo.DataDir, "agent", "client-kube-proxy.crt")
 	clientKubeProxyKey := filepath.Join(envInfo.DataDir, "agent", "client-kube-proxy.key")
-
-	// Ask the server to sign our kube-proxy client cert.
-	if err := getClientCert(clientKubeProxyCert, clientKubeProxyKey, info); err != nil {
-		return nil, errors.WithMessage(err, clientKubeProxyCert)
-	}
-
-	// Generate a kubeconfig for kube-proxy.
 	kubeconfigKubeproxy := filepath.Join(envInfo.DataDir, "agent", "kubeproxy.kubeconfig")
-	if err := deps.KubeConfig(kubeconfigKubeproxy, apiServerURL, serverCAFile, clientKubeProxyCert, clientKubeProxyKey); err != nil {
-		return nil, err
-	}
-
 	clientK3sControllerCert := filepath.Join(envInfo.DataDir, "agent", "client-"+version.Program+"-controller.crt")
 	clientK3sControllerKey := filepath.Join(envInfo.DataDir, "agent", "client-"+version.Program+"-controller.key")
-
-	// Ask the server to sign our agent controller client cert.
-	if err := getClientCert(clientK3sControllerCert, clientK3sControllerKey, info); err != nil {
-		return nil, errors.WithMessage(err, clientK3sControllerCert)
-	}
-
-	// Generate a kubeconfig for the agent controller.
 	kubeconfigK3sController := filepath.Join(envInfo.DataDir, "agent", version.Program+"controller.kubeconfig")
-	if err := deps.KubeConfig(kubeconfigK3sController, apiServerURL, serverCAFile, clientK3sControllerCert, clientK3sControllerKey); err != nil {
-		return nil, err
-	}
 
 	// Ensure kubelet config dir exists
 	kubeletConfigDir := filepath.Join(envInfo.DataDir, "agent", "etc", "kubelet.conf.d")
@@ -769,6 +729,51 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 		return nil, err
 	}
 
+	// allow executor to do additional configuration; this is the last chance to modify nodeConfig before certs are signed
+	if err := executor.Prepare(ctx, nodeConfig, *envInfo); err != nil {
+		return nil, errors.WithMessage(err, "failed to prepare configuration")
+	}
+
+	// Ensure that the kubelet's server certificate is valid for all configured node IPs.  Note
+	// that in the case of an external CCM, additional IPs may be added by the infra provider
+	// that the cert will not be valid for, as they are not present in the list collected here.
+	nodeExternalAndInternalIPs := append(nodeConfig.AgentConfig.NodeIPs, nodeConfig.AgentConfig.NodeExternalIPs...)
+
+	// Ask the server to sign our kubelet server cert.
+	if err := getKubeletServingCert(nodeConfig.AgentConfig.NodeName, nodeExternalAndInternalIPs, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info); err != nil {
+		return nil, errors.WithMessage(err, servingKubeletCert)
+	}
+
+	// Ask the server to sign our kubelet client cert.
+	if err := getKubeletClientCert(clientKubeletCert, clientKubeletKey, nodeConfig.AgentConfig.NodeName, nodeConfig.AgentConfig.NodeIPs, newNodePasswordFile, info); err != nil {
+		return nil, errors.WithMessage(err, clientKubeletCert)
+	}
+
+	// Generate a kubeconfig for the kubelet.
+	if err := deps.KubeConfig(kubeconfigKubelet, apiServerURL, serverCAFile, clientKubeletCert, clientKubeletKey); err != nil {
+		return nil, err
+	}
+
+	// Ask the server to sign our kube-proxy client cert.
+	if err := getClientCert(clientKubeProxyCert, clientKubeProxyKey, info); err != nil {
+		return nil, errors.WithMessage(err, clientKubeProxyCert)
+	}
+
+	// Generate a kubeconfig for kube-proxy.
+	if err := deps.KubeConfig(kubeconfigKubeproxy, apiServerURL, serverCAFile, clientKubeProxyCert, clientKubeProxyKey); err != nil {
+		return nil, err
+	}
+
+	// Ask the server to sign our agent controller client cert.
+	if err := getClientCert(clientK3sControllerCert, clientK3sControllerKey, info); err != nil {
+		return nil, errors.WithMessage(err, clientK3sControllerCert)
+	}
+
+	// Generate a kubeconfig for the agent controller.
+	if err := deps.KubeConfig(kubeconfigK3sController, apiServerURL, serverCAFile, clientK3sControllerCert, clientK3sControllerKey); err != nil {
+		return nil, err
+	}
+
 	return nodeConfig, nil
 }
 

pkg/cli/agent/agent.go

@@ -23,7 +23,6 @@ import (
 	"github.com/k3s-io/k3s/pkg/util/mux"
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/k3s-io/k3s/pkg/vpn"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 	"k8s.io/klog/v2"
@@ -111,20 +110,6 @@ func Run(clx *cli.Context) (rerr error) {
 	cfg.DataDir = dataDir
 
 	go cmds.WriteCoverage(ctx)
-	if cfg.VPNAuthFile != "" {
-		cfg.VPNAuth, err = util.ReadFile(cfg.VPNAuthFile)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Starts the VPN in the agent if config was set up
-	if cfg.VPNAuth != "" {
-		err := vpn.StartVPN(cfg.VPNAuth)
-		if err != nil {
-			return err
-		}
-	}
 
 	// Until the agent is run and retrieves config from the server, we won't know
 	// if the embedded registry is enabled. If it is not enabled, these are not

pkg/cli/server/server.go

@@ -117,21 +117,6 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		}
 	}
 
-	if cmds.AgentConfig.VPNAuthFile != "" {
-		cmds.AgentConfig.VPNAuth, err = util.ReadFile(cmds.AgentConfig.VPNAuthFile)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Starts the VPN in the server if config was set up
-	if cmds.AgentConfig.VPNAuth != "" {
-		err := vpn.StartVPN(cmds.AgentConfig.VPNAuth)
-		if err != nil {
-			return err
-		}
-	}
-
 	serverConfig := server.Config{}
 	serverConfig.DisableAgent = cfg.DisableAgent
 	serverConfig.ControlConfig.Runtime = config.NewRuntime()

pkg/daemons/executor/executor.go

@@ -28,6 +28,7 @@ var (
 // The enableMaintenance flag enables attempts to perform corrective maintenance during the test process.
 type TestFunc func(ctx context.Context, enableMaintenance bool) error
 
+// Executor is a set of functions for bootstrapping a node and starting the CRI, CNI, and Kubernetes components
 type Executor interface {
 	Bootstrap(ctx context.Context, nodeConfig *daemonconfig.Node, cfg cmds.Agent) error
 	Kubelet(ctx context.Context, args []string) error
@@ -49,6 +50,12 @@ type Executor interface {
 	IsSelfHosted() bool
 }
 
+// PreparingExecutor is an optional interface that Executors may implement to modify node configuration
+// and CLI flags before config is retrieved from the server.
+type PreparingExecutor interface {
+	Prepare(ctx context.Context, nodeConfig *daemonconfig.Node, cfg cmds.Agent) error
+}
+
 type ETCDSocketOpts struct {
 	ReuseAddress bool `json:"reuse-address,omitempty"`
 	ReusePort    bool `json:"reuse-port,omitempty"`
@@ -278,6 +285,13 @@ func IsSelfHosted() bool {
 	return executor.IsSelfHosted()
 }
 
+func Prepare(ctx context.Context, nodeConfig *daemonconfig.Node, cfg cmds.Agent) error {
+	if ex, ok := executor.(PreparingExecutor); ok {
+		return ex.Prepare(ctx, nodeConfig, cfg)
+	}
+	return nil
+}
+
 func CloseIfNilErr(err error, ch chan struct{}) error {
 	if err == nil {
 		close(ch)

pkg/executor/embed/embed.go

@@ -57,12 +57,75 @@ func init() {
 
 // explicit type check
 var _ executor.Executor = &Embedded{}
+var _ executor.PreparingExecutor = &Embedded{}
 
 type Embedded struct {
 	apiServerReady <-chan struct{}
 	etcdReady      chan struct{}
 	criReady       chan struct{}
 	nodeConfig     *daemonconfig.Node
+	vpnInfo        *vpn.Info
+}
+
+// Prepare modifies the node config prior to downloading client and server certificates from the server.
+// If node IPs or names need to be modified, it should be done here so that the kubelet client and serving certs are valid.
+func (e *Embedded) Prepare(ctx context.Context, nodeConfig *daemonconfig.Node, cfg cmds.Agent) error {
+	// If there is a VPN, we must start it early to overwrite NodeIP and flannel interface
+	var err error
+	if cfg.VPNAuthFile != "" {
+		cfg.VPNAuth, err = util.ReadFile(cfg.VPNAuthFile)
+		if err != nil {
+			return errors.WithMessage(err, "failed to read vpn-auth-file")
+		}
+	}
+
+	if cfg.VPNAuth != "" {
+		err = vpn.StartVPN(cfg.VPNAuth)
+		if err != nil {
+			return err
+		}
+
+		e.vpnInfo, err = vpn.GetInfo(cfg.VPNAuth)
+		if err != nil {
+			return err
+		}
+
+		// Pass ipv4, ipv6 or both depending on nodeIPs mode
+		nodeIPs := nodeConfig.AgentConfig.NodeIPs
+		var vpnIPs []net.IP
+		if utilsnet.IsIPv4(nodeIPs[0]) && e.vpnInfo.IPv4Address != nil {
+			vpnIPs = append(vpnIPs, e.vpnInfo.IPv4Address)
+			if e.vpnInfo.IPv6Address != nil {
+				vpnIPs = append(vpnIPs, e.vpnInfo.IPv6Address)
+			}
+		} else if utilsnet.IsIPv6(nodeIPs[0]) && e.vpnInfo.IPv6Address != nil {
+			vpnIPs = append(vpnIPs, e.vpnInfo.IPv6Address)
+			if e.vpnInfo.IPv4Address != nil {
+				vpnIPs = append(vpnIPs, e.vpnInfo.IPv4Address)
+			}
+		} else {
+			return fmt.Errorf("address family mismatch when assigning VPN addresses to node: node=%v, VPN ipv4=%v ipv6=%v", nodeIPs, e.vpnInfo.IPv4Address, e.vpnInfo.IPv6Address)
+		}
+
+		// Overwrite nodeip and flannel interface and throw a warning if user explicitly set those parameters
+		if len(vpnIPs) != 0 {
+			logrus.Infof("Node-ip changed to %v due to VPN", vpnIPs)
+			if len(cfg.NodeIP.Value()) != 0 {
+				logrus.Warn("VPN provider overrides configured node-ip parameter")
+			}
+			if len(cfg.NodeExternalIP.Value()) != 0 {
+				logrus.Warn("VPN provider overrides node-external-ip parameter")
+			}
+			nodeIPs = vpnIPs
+			nodeConfig.AgentConfig.NodeIPs = vpnIPs
+			nodeConfig.AgentConfig.NodeIP = vpnIPs[0].String()
+			nodeConfig.Flannel.Iface, err = net.InterfaceByName(e.vpnInfo.Interface)
+			if err != nil {
+				return errors.WithMessagef(err, "unable to find vpn interface: %s", e.vpnInfo.Interface)
+			}
+		}
+	}
+	return err
 }
 
 func (e *Embedded) Bootstrap(ctx context.Context, nodeConfig *daemonconfig.Node, cfg cmds.Agent) error {
@@ -100,50 +163,6 @@ func (e *Embedded) Bootstrap(ctx context.Context, nodeConfig *daemonconfig.Node,
 			}
 		}
 
-		// If there is a VPN, we must overwrite NodeIP and flannel interface
-		var vpnInfo *vpn.Info
-		if cfg.VPNAuth != "" {
-			vpnInfo, err = vpn.GetInfo(cfg.VPNAuth)
-			if err != nil {
-				return err
-			}
-
-			// Pass ipv4, ipv6 or both depending on nodeIPs mode
-			nodeIPs := nodeConfig.AgentConfig.NodeIPs
-			var vpnIPs []net.IP
-			if utilsnet.IsIPv4(nodeIPs[0]) && vpnInfo.IPv4Address != nil {
-				vpnIPs = append(vpnIPs, vpnInfo.IPv4Address)
-				if vpnInfo.IPv6Address != nil {
-					vpnIPs = append(vpnIPs, vpnInfo.IPv6Address)
-				}
-			} else if utilsnet.IsIPv6(nodeIPs[0]) && vpnInfo.IPv6Address != nil {
-				vpnIPs = append(vpnIPs, vpnInfo.IPv6Address)
-				if vpnInfo.IPv4Address != nil {
-					vpnIPs = append(vpnIPs, vpnInfo.IPv4Address)
-				}
-			} else {
-				return fmt.Errorf("address family mismatch when assigning VPN addresses to node: node=%v, VPN ipv4=%v ipv6=%v", nodeIPs, vpnInfo.IPv4Address, vpnInfo.IPv6Address)
-			}
-
-			// Overwrite nodeip and flannel interface and throw a warning if user explicitly set those parameters
-			if len(vpnIPs) != 0 {
-				logrus.Infof("Node-ip changed to %v due to VPN", vpnIPs)
-				if len(cfg.NodeIP.Value()) != 0 {
-					logrus.Warn("VPN provider overrides configured node-ip parameter")
-				}
-				if len(cfg.NodeExternalIP.Value()) != 0 {
-					logrus.Warn("VPN provider overrides node-external-ip parameter")
-				}
-				nodeIPs = vpnIPs
-				nodeConfig.AgentConfig.NodeIPs = vpnIPs
-				nodeConfig.AgentConfig.NodeIP = vpnIPs[0].String()
-				nodeConfig.Flannel.Iface, err = net.InterfaceByName(vpnInfo.Interface)
-				if err != nil {
-					return errors.WithMessagef(err, "unable to find vpn interface: %s", vpnInfo.Interface)
-				}
-			}
-		}
-
 		// set paths for embedded flannel if enabled
 		hostLocal, err := exec.LookPath("host-local")
 		if err != nil {
@@ -160,8 +179,8 @@ func (e *Embedded) Bootstrap(ctx context.Context, nodeConfig *daemonconfig.Node,
 		nodeConfig.AgentConfig.CNIConfDir = filepath.Join(cfg.DataDir, "agent", "etc", "cni", "net.d")
 
 		// It does not make sense to use VPN without its flannel backend
-		if cfg.VPNAuth != "" {
-			nodeConfig.Flannel.Backend = vpnInfo.ProviderName
+		if e.vpnInfo != nil {
+			nodeConfig.Flannel.Backend = e.vpnInfo.ProviderName
 		}
 	}
 

pkg/vpn/vpn.go

@@ -72,7 +72,10 @@ func StartVPN(vpnAuthConfigFile string) error {
 		logrus.Debugf("Flags passed to tailscale up: %v", args)
 		output, err := util.ExecCommand("tailscale", args)
 		if err != nil {
-			return errors.WithMessage(err, "tailscale up failed: "+output)
+			if output != "" {
+				return errors.WithMessagef(err, "tailscale up failed (%q)", output)
+			}
+			return errors.WithMessage(err, "tailscale up failed")
 		}
 		logrus.Debugf("Output from tailscale up: %v", output)
 		return nil