Diffstat (limited to 'cloud/pkg/cloudhub/servers/httpserver/signcerts.go')
-rw-r--r--cloud/pkg/cloudhub/servers/httpserver/signcerts.go76
1 files changed, 17 insertions, 59 deletions
diff --git a/cloud/pkg/cloudhub/servers/httpserver/signcerts.go b/cloud/pkg/cloudhub/servers/httpserver/signcerts.go
index d9e1d4d59..1acbd9eae 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/signcerts.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/signcerts.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
+ http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
@@ -13,24 +13,21 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
-
package httpserver
import (
- "crypto/sha256"
+ "context"
"crypto/x509"
- "encoding/hex"
"fmt"
"net"
- "strings"
"time"
- "github.com/golang-jwt/jwt"
certutil "k8s.io/client-go/util/cert"
"k8s.io/klog/v2"
hubconfig "github.com/kubeedge/kubeedge/cloud/pkg/cloudhub/config"
"github.com/kubeedge/kubeedge/common/constants"
+ "github.com/kubeedge/kubeedge/pkg/security/token"
)
// SignCerts creates server's certificate and key
@@ -60,28 +57,13 @@ func getIps(advertiseAddress []string) (Ips []net.IP) {
return
}
-// GenerateToken will create a token consisting of caHash and jwt Token and save it to secret
-func GenerateToken() error {
- // set double TokenRefreshDuration as expirationTime, which can guarantee that the validity period
- // of the token obtained at anytime is greater than or equal to TokenRefreshDuration
- expiresAt := time.Now().Add(time.Hour * hubconfig.Config.CloudHub.TokenRefreshDuration * 2).Unix()
-
- token := jwt.New(jwt.SigningMethodHS256)
-
- token.Claims = jwt.StandardClaims{
- ExpiresAt: expiresAt,
- }
-
- keyPEM := getCaKey()
- tokenString, err := token.SignedString(keyPEM)
-
+// GenerateAndRefresh creates a token and save it to secret, then craete a timer to refresh the token.
+func GenerateAndRefresh(ctx context.Context) error {
+ caHashToken, err := token.Create(hubconfig.Config.Ca, hubconfig.Config.CaKey,
+ hubconfig.Config.CloudHub.TokenRefreshDuration)
if err != nil {
- return fmt.Errorf("failed to generate the token for EdgeCore register, err: %v", err)
+ return fmt.Errorf("failed to generate the token for edgecore register, err: %v", err)
}
-
- caHash := getCaHash()
- // combine caHash and tokenString into caHashAndToken
- caHashToken := strings.Join([]string{caHash, tokenString}, ".")
// save caHashAndToken to secret
err = CreateTokenSecret([]byte(caHashToken))
if err != nil {
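Review bot: The doc comment on the new `GenerateAndRefresh` has typos and no longer describes what the function does after this change (it neither says the refresh runs in a goroutine nor that it is bounded by `ctx`); `// GenerateAndRefresh creates a token and save it to secret, then craete a timer to refresh the token.` should read `// GenerateAndRefresh creates a ca-hash token, saves it to a secret, and starts a goroutine that re-creates the token every TokenRefreshDuration until ctx is cancelled.`. It would also help to document that the function returns after starting the goroutine, so callers know refresh failures surface only in the log. The body of GenerateAndRefresh continues past the end of this hunk.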
@@ -91,42 +73,18 @@ func GenerateToken() error {
t := time.NewTicker(time.Hour * hubconfig.Config.CloudHub.TokenRefreshDuration)
go func() {
for {
- <-t.C
- refreshedCaHashToken := refreshToken()
- if err := CreateTokenSecret([]byte(refreshedCaHashToken)); err != nil {
- klog.Exitf("Failed to create the ca token for edgecore register, err: %v", err)
+ select {
+ case <-t.C:
+ caHashToken, err = token.Create(hubconfig.Config.Ca, hubconfig.Config.CaKey,
+ hubconfig.Config.CloudHub.TokenRefreshDuration)
+ if err != nil {
+ klog.Error("failed to refresh the token for edgecore register, err: %v", err)
+ }
+ case <-ctx.Done():
+ break
}
}
}()
klog.Info("Succeed to creating token")
return nil
}
-
-func refreshToken() string {
- claims := &jwt.StandardClaims{}
- expirationTime := time.Now().Add(time.Hour * hubconfig.Config.CloudHub.TokenRefreshDuration * 2)
- claims.ExpiresAt = expirationTime.Unix()
- token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- keyPEM := getCaKey()
- tokenString, err := token.SignedString(keyPEM)
- if err != nil {
- klog.Errorf("Failed to generate token signed by caKey, err: %v", err)
- }
- caHash := getCaHash()
- //put caHash in token
- caHashAndToken := strings.Join([]string{caHash, tokenString}, ".")
- return caHashAndToken
-}
-
-// getCaHash gets ca-hash
-func getCaHash() string {
- caDER := hubconfig.Config.Ca
- digest := sha256.Sum256(caDER)
- return hex.EncodeToString(digest[:])
-}
-
-// getCaKey gets caKey to encrypt token
-func getCaKey() []byte {
- caKey := hubconfig.Config.CaKey
- return caKey
-}
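Review bot: The refresh branch in the new `select` computes a fresh `caHashToken` but never writes it back with `CreateTokenSecret`, so after the first `TokenRefreshDuration` the secret still holds the original token, which (given the double-duration expiry the removed code describes) will be expired when edge nodes read it; the removed loop body saved the refreshed token on every tick. Two further defects sit in the same block: `case <-ctx.Done(): break` only leaves the `select`, not the `for`, so the goroutine spins on cancellation and the ticker is never stopped, and `klog.Error("... %v", err)` is the non-formatting variant, so the message is logged with a literal `%v` and the error value appended separately. Assigning to the captured `caHashToken`/`err` from the goroutine is also unnecessary, since the outer function has returned by then; local variables avoid a needless shared write. Suggested rewrite of the goroutine body below; the enclosing function begins in the previous hunk.
```go
go func() {
    defer t.Stop()
    for {
        select {
        case <-t.C:
            refreshed, err := token.Create(hubconfig.Config.Ca, hubconfig.Config.CaKey,
                hubconfig.Config.CloudHub.TokenRefreshDuration)
            if err != nil {
                klog.Errorf("failed to refresh the token for edgecore register, err: %v", err)
                continue
            }
            if err := CreateTokenSecret([]byte(refreshed)); err != nil {
                klog.Errorf("failed to save the refreshed token for edgecore register, err: %v", err)
            }
        case <-ctx.Done():
            return
        }
    }
}()
// … unchanged: success log and return …
```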