ContainerImage.Pinniped/internal/supervisor/server/bootstrap.go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package server

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"time"

	"go.uber.org/atomic"
	"k8s.io/apimachinery/pkg/util/sets"

	"go.pinniped.dev/internal/certauthority"
)

// contextKey type is unexported to prevent collisions.
type contextKey int

const bootstrapKey contextKey = iota

func withBootstrapConnCtx(ctx context.Context, _ net.Conn) context.Context {
	isBootstrap := atomic.NewBool(false) // safe for concurrent access
	return context.WithValue(ctx, bootstrapKey, isBootstrap)
}

func setIsBootstrapConn(ctx context.Context) {
	isBootstrap, _ := ctx.Value(bootstrapKey).(*atomic.Bool)
	if isBootstrap == nil {
		return
	}
	isBootstrap.Store(true)
}

func withBootstrapPaths(handler http.Handler, paths ...string) http.Handler {
	bootstrapPaths := sets.NewString(paths...)
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		isBootstrap, _ := req.Context().Value(bootstrapKey).(*atomic.Bool)

		if isBootstrap != nil && isBootstrap.Load() && !bootstrapPaths.Has(req.URL.Path) {
			http.Error(w, "pinniped supervisor has invalid TLS serving certificate configuration", http.StatusInternalServerError)
			return
		}

		handler.ServeHTTP(w, req)
	})
}

func getBootstrapCert() (*tls.Certificate, error) {
	const forever = 10 * 365 * 24 * time.Hour

	bootstrapCA, err := certauthority.New("pinniped-supervisor-bootstrap-ca", forever)
	if err != nil {
		return nil, fmt.Errorf("failed to create bootstrap CA: %w", err)
	}

	bootstrapCert, err := bootstrapCA.IssueServerCert([]string{"pinniped-supervisor-bootstrap-cert"}, nil, forever)
	if err != nil {
		return nil, fmt.Errorf("failed to create bootstrap cert: %w", err)
	}

	return bootstrapCert, nil // this is just enough to complete a TLS handshake, trust distribution does not matter
}
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`// Copyright 2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package server`

			`import (`
			`"context"`
			`"crypto/tls"`
			`"fmt"`
			`"net"`
			`"net/http"`
			`"time"`

			`"go.uber.org/atomic"`
			`"k8s.io/apimachinery/pkg/util/sets"`

			`"go.pinniped.dev/internal/certauthority"`
			`)`

			`// contextKey type is unexported to prevent collisions.`
			`type contextKey int`

			`const bootstrapKey contextKey = iota`

			`func withBootstrapConnCtx(ctx context.Context, _ net.Conn) context.Context {`
			`isBootstrap := atomic.NewBool(false) // safe for concurrent access`
			`return context.WithValue(ctx, bootstrapKey, isBootstrap)`
			`}`

			`func setIsBootstrapConn(ctx context.Context) {`
			`isBootstrap, _ := ctx.Value(bootstrapKey).(*atomic.Bool)`
			`if isBootstrap == nil {`
			`return`
			`}`
			`isBootstrap.Store(true)`
			`}`

			`func withBootstrapPaths(handler http.Handler, paths ...string) http.Handler {`
			`bootstrapPaths := sets.NewString(paths...)`
			`return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {`
			`isBootstrap, _ := req.Context().Value(bootstrapKey).(*atomic.Bool)`

			`if isBootstrap != nil && isBootstrap.Load() && !bootstrapPaths.Has(req.URL.Path) {`
			`http.Error(w, "pinniped supervisor has invalid TLS serving certificate configuration", http.StatusInternalServerError)`
			`return`
			`}`

			`handler.ServeHTTP(w, req)`
			`})`
			`}`

			`func getBootstrapCert() (*tls.Certificate, error) {`
			`const forever = 10 * 365 * 24 * time.Hour`

			`bootstrapCA, err := certauthority.New("pinniped-supervisor-bootstrap-ca", forever)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to create bootstrap CA: %w", err)`
			`}`

			`bootstrapCert, err := bootstrapCA.IssueServerCert([]string{"pinniped-supervisor-bootstrap-cert"}, nil, forever)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to create bootstrap cert: %w", err)`
			`}`

			`return bootstrapCert, nil // this is just enough to complete a TLS handshake, trust distribution does not matter`
			`}`