From f80318e695d94ab9fc2297a25480c133582111e4 Mon Sep 17 00:00:00 2001
From: rambohe-ch 
Date: Mon, 6 Nov 2023 15:21:37 +0800
Subject: [PATCH] disable the iptables setting of yurthub component by default

---
 cmd/yurthub/app/options/options.go | 3 +-
 cmd/yurthub/app/options/options_test.go | 2 +-
 pkg/yurthub/certificate/manager/manager.go | 8 +++-
 .../certificate/manager/manager_test.go | 33 +++++++++++++++++++
 pkg/yurthub/network/dummyif_linux.go | 2 +-
 pkg/yurthub/network/network.go | 8 +++--
 6 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/cmd/yurthub/app/options/options.go b/cmd/yurthub/app/options/options.go
index bb8daa6497d..cc8c46dde0a 100644
--- a/cmd/yurthub/app/options/options.go
+++ b/cmd/yurthub/app/options/options.go
@@ -111,7 +111,7 @@ func NewYurtHubOptions() *YurtHubOptions {
 RootDir: filepath.Join("/var/lib/", projectinfo.GetHubName()),
 EnableProfiling: true,
 EnableDummyIf: true,
- EnableIptables: true,
+ EnableIptables: false,
 HubAgentDummyIfName: fmt.Sprintf("%s-dummy0", projectinfo.GetHubName()),
 DiskCachePath: disk.CacheBaseDir,
 AccessServerThroughHub: true,
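Review bot: The flipped default is the user-visible change of this hunk, yet nothing in NewYurtHubOptions records why `EnableIptables` is now false, so a later edit can quietly restore it; add a comment on the initializer such as `// EnableIptables defaults to false: the flag is deprecated and the iptables rules for accessing the hub agent are no longer installed unless --enable-iptables=true is passed explicitly.` Nodes upgraded from a release whose default was true will presumably stop getting those rules on restart, which is worth stating in the commit description as well. NewYurtHubOptions continues outside the hunk.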
@@ -201,6 +201,7 @@ func (o *YurtHubOptions) AddFlags(fs *pflag.FlagSet) {
 fs.BoolVar(&o.EnableProfiling, "profiling", o.EnableProfiling, "enable profiling via web interface host:port/debug/pprof/")
 fs.BoolVar(&o.EnableDummyIf, "enable-dummy-if", o.EnableDummyIf, "enable dummy interface or not")
 fs.BoolVar(&o.EnableIptables, "enable-iptables", o.EnableIptables, "enable iptables manager to setup rules for accessing hub agent")
+ fs.MarkDeprecated("enable-iptables", "It is planned to be removed from OpenYurt in the future version")
 fs.StringVar(&o.HubAgentDummyIfIP, "dummy-if-ip", o.HubAgentDummyIfIP, "the ip address of dummy interface that used for container connect hub agent(exclusive ips: 169.254.31.0/24, 169.254.1.1/32)")
 fs.StringVar(&o.HubAgentDummyIfName, "dummy-if-name", o.HubAgentDummyIfName, "the name of dummy interface that is used for hub agent")
 fs.StringVar(&o.DiskCachePath, "disk-cache-path", o.DiskCachePath, "the path for kubernetes to storage metadata")
diff --git a/cmd/yurthub/app/options/options_test.go b/cmd/yurthub/app/options/options_test.go
index a4370df98cc..8d3ee4e89b2 100644
--- a/cmd/yurthub/app/options/options_test.go
+++ b/cmd/yurthub/app/options/options_test.go
@@ -53,7 +53,7 @@ func TestNewYurtHubOptions(t *testing.T) {
 RootDir: filepath.Join("/var/lib/", projectinfo.GetHubName()),
 EnableProfiling: true,
 EnableDummyIf: true,
- EnableIptables: true,
+ EnableIptables: false,
 HubAgentDummyIfName: fmt.Sprintf("%s-dummy0", projectinfo.GetHubName()),
 DiskCachePath: disk.CacheBaseDir,
 AccessServerThroughHub: true,
diff --git a/pkg/yurthub/certificate/manager/manager.go b/pkg/yurthub/certificate/manager/manager.go
index 194715abb97..c06b7dec172 100644
--- a/pkg/yurthub/certificate/manager/manager.go
+++ b/pkg/yurthub/certificate/manager/manager.go
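Review bot: `fs.MarkDeprecated` returns an error (non-nil when the named flag is not registered) and the added line discards it, so a later rename of `enable-iptables` would silently leave the flag undeprecated; write `if err := fs.MarkDeprecated("enable-iptables", "..."); err != nil { panic(err) }` in this init-style path, or at minimum `_ = fs.MarkDeprecated(...)` with a comment, so vet and linters stay clean. Note also that pflag's MarkDeprecated hides the flag from help output, so after this change `--help` shows no iptables option while the flag still works; the deprecation text should therefore tell the operator what to expect, e.g. `"deprecated: iptables rules for accessing the hub agent are no longer installed by default; the flag will be removed in a future release"`, rather than only that removal is planned. AddFlags continues outside the hunk.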
@@ -123,8 +123,12 @@ func (hcm *yurtHubCertManager) Ready() bool {
 errs = append(errs, apiServerClientCertNotReadyError)
 }
 
- if exist, _ := util.FileExists(hcm.YurtClientCertificateManager.GetCaFile()); !exist {
- errs = append(errs, caCertIsNotReadyError)
+ if exist, err := util.FileExists(hcm.YurtClientCertificateManager.GetCaFile()); !exist {
+ if err == nil {
+ errs = append(errs, caCertIsNotReadyError)
+ } else {
+ errs = append(errs, err)
+ }
 }
 
 if hcm.GetHubServerCert() == nil {
diff --git a/pkg/yurthub/certificate/manager/manager_test.go b/pkg/yurthub/certificate/manager/manager_test.go
index fc5483fc772..3e0d0405ae5 100644
--- a/pkg/yurthub/certificate/manager/manager_test.go
+++ b/pkg/yurthub/certificate/manager/manager_test.go
@@ -24,11 +24,17 @@ import (
 "testing"
 "time"
 
+ "github.com/pkg/errors"
 "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/client-go/tools/clientcmd"
+ certutil "k8s.io/client-go/util/cert"
+ "k8s.io/klog/v2"
 
 "github.com/openyurtio/openyurt/cmd/yurthub/app/options"
 "github.com/openyurtio/openyurt/pkg/projectinfo"
+ kubeconfigutil "github.com/openyurtio/openyurt/pkg/util/kubeconfig"
 "github.com/openyurtio/openyurt/pkg/yurthub/certificate/testdata"
+ "github.com/openyurtio/openyurt/pkg/yurthub/util"
 )
 
 func TestGetHubServerCertFile(t *testing.T) {
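Review bot: The stat error is now surfaced, but `errs = append(errs, err)` drops which path failed, whereas `caCertIsNotReadyError` on the sibling branch is self-describing; wrap it with the file, e.g. `errs = append(errs, fmt.Errorf("checking ca file %s: %w", hcm.YurtClientCertificateManager.GetCaFile(), err))` (assuming fmt is imported in this file). Separately, both the old and the new code treat a CA file that merely exists as ready, so an empty or truncated ca.crt passes this check and only fails later when a client tries to verify the server against it; if a parser is in scope for this file (certutil.CertsFromFile or similar), consider requiring at least one parseable certificate rather than existence alone. Ready continues outside the hunk on both sides.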
@@ -103,11 +109,38 @@ func TestReady(t *testing.T) { if mgr.Ready() { return true, nil } + + if exist, err := util.FileExists(mgr.GetCaFile()); !exist { + if err != nil { + return false, err + } + + if exist, err := util.FileExists(mgr.GetHubConfFile()); err != nil { + return false, nil + } else if exist { + klog.Infof("%s file already exists, so use it to create ca file", mgr.GetHubConfFile()) + hubKubeConfig, err := clientcmd.LoadFromFile(mgr.GetHubConfFile()) + if err != nil { + return false, err + } + + cluster := kubeconfigutil.GetClusterFromKubeConfig(hubKubeConfig) + if cluster != nil { + if err := certutil.WriteCert(mgr.GetCaFile(), cluster.CertificateAuthorityData); err != nil { + return false, errors.Wrap(err, "couldn't save the CA certificate to disk") + } + } else { + return false, errors.Errorf("couldn't prepare ca.crt(%s) file", mgr.GetCaFile()) + } + } + } return false, nil }) if err != nil { t.Errorf("certificates are not ready, %v", err) + mgr.Stop() + return } mgr.Stop() diff --git a/pkg/yurthub/network/dummyif_linux.go b/pkg/yurthub/network/dummyif_linux.go index f3306db96d8..64989e3f227 100644 --- a/pkg/yurthub/network/dummyif_linux.go +++ b/pkg/yurthub/network/dummyif_linux.go @@ -35,7 +35,7 @@ type dummyInterfaceController struct { netlink.Handle } -// NewDummyInterfaceManager returns an instance for create/delete dummy net interface +// NewDummyInterfaceController returns an instance for create/delete dummy net interface func NewDummyInterfaceController() DummyInterfaceController { return &dummyInterfaceController{ Handle: netlink.Handle{}, diff --git a/pkg/yurthub/network/network.go b/pkg/yurthub/network/network.go index 20c1a64b186..779d593620e 100644 --- a/pkg/yurthub/network/network.go +++ b/pkg/yurthub/network/network.go 
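Review bot: On `if exist, err := util.FileExists(mgr.GetHubConfFile()); err != nil { return false, nil }` the error is swallowed and the poll silently continues, inconsistent with the `return false, err` a few lines earlier for the CA file; change it to `return false, err`, and since this inner `exist, err` shadows the outer pair, distinct names would keep a future edit from reading the wrong one. Also, `cluster.CertificateAuthorityData` is empty when the kubeconfig references a `certificate-authority` file instead of embedding the bytes, in which case WriteCert produces an empty ca.crt that still satisfies the existence check in Ready() and the test reports success against an unusable CA; guard with `if len(cluster.CertificateAuthorityData) == 0 { return false, errors.Errorf("kubeconfig %s embeds no CA data", mgr.GetHubConfFile()) }`. More broadly, the test now manufactures the CA file the manager under test apparently fails to provide, which hides rather than exercises that gap; if deriving ca.crt from the hub kubeconfig is expected behaviour, it belongs in the manager. TestReady continues outside the hunk.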
@@ -64,12 +64,16 @@ func (m *NetworkManager) Run(stopCh <-chan struct{}) {
 select {
 case <-stopCh:
 klog.Infof("exit network manager run goroutine normally")
- if err := m.iptablesManager.CleanUpIptablesRules(); err != nil {
- klog.Errorf("failed to cleanup iptables, %v", err)
+ if m.enableIptables {
+ if err := m.iptablesManager.CleanUpIptablesRules(); err != nil {
+ klog.Errorf("failed to cleanup iptables, %v", err)
+ }
 }
 err := m.ifController.DeleteDummyInterface(m.dummyIfName)
 if err != nil {
 klog.Errorf("failed to delete dummy interface %s, %v", m.dummyIfName, err)
+ } else {
+ klog.Infof("remove dummy interface %s successfully", m.dummyIfName)
 }
 return
 case <-ticker.C:
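Review bot: Cleanup is now skipped whenever `m.enableIptables` is false, but with this commit flipping the default to false a node upgraded from a release that installed the rules keeps them indefinitely — nothing on this path removes rules left by a previous run, and rules that presumably steer traffic to the hub agent should not be left behind unmanaged. Consider invoking `CleanUpIptablesRules` on shutdown (and on startup) whenever `m.iptablesManager != nil` regardless of the flag, or documenting that operators must flush the chain manually when they turn the flag off; whether `iptablesManager` is nil when disabled is decided outside the hunk, so the guard's correctness cannot be confirmed here. As a style point, `err := m.ifController.DeleteDummyInterface(m.dummyIfName)` followed by `if err != nil {` can be the scoped form `if err := m.ifController.DeleteDummyInterface(m.dummyIfName); err != nil {`. Run's loop body continues outside the hunk in the ticker.C branch.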