ContainerImage.Pinniped/internal/config/supervisor/config.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package supervisor contains functionality to load/store Config's from/to
// some source.
package supervisor

import (
	"fmt"
	"io/ioutil"
	"strings"

	"k8s.io/utils/pointer"
	"sigs.k8s.io/yaml"

	"go.pinniped.dev/internal/constable"
	"go.pinniped.dev/internal/groupsuffix"
	"go.pinniped.dev/internal/plog"
)

const (
	NetworkDisabled = "disabled"
	NetworkUnix     = "unix"
	NetworkTCP      = "tcp"
)

// FromPath loads an Config from a provided local file path, inserts any
// defaults (from the Config documentation), and verifies that the config is
// valid (Config documentation).
func FromPath(path string) (*Config, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read file: %w", err)
	}

	var config Config
	if err := yaml.Unmarshal(data, &config); err != nil {
		return nil, fmt.Errorf("decode yaml: %w", err)
	}

	if config.Labels == nil {
		config.Labels = make(map[string]string)
	}

	maybeSetAPIGroupSuffixDefault(&config.APIGroupSuffix)

	if err := validateAPIGroupSuffix(*config.APIGroupSuffix); err != nil {
		return nil, fmt.Errorf("validate apiGroupSuffix: %w", err)
	}

	if err := validateNames(&config.NamesConfig); err != nil {
		return nil, fmt.Errorf("validate names: %w", err)
	}

	if err := plog.ValidateAndSetLogLevelGlobally(config.LogLevel); err != nil {
		return nil, fmt.Errorf("validate log level: %w", err)
	}

	// support setting this to null or {} or empty in the YAML
	if config.Endpoints == nil {
		config.Endpoints = &Endpoints{}
	}

	maybeSetEndpointDefault(&config.Endpoints.HTTPS, Endpoint{
		Network: NetworkTCP,
		Address: ":8443",
	})
	maybeSetEndpointDefault(&config.Endpoints.HTTP, Endpoint{
		Network: NetworkTCP,
		Address: ":8080",
	})

	if err := validateEndpoint(*config.Endpoints.HTTPS); err != nil {
		return nil, fmt.Errorf("validate https endpoint: %w", err)
	}
	if err := validateEndpoint(*config.Endpoints.HTTP); err != nil {
		return nil, fmt.Errorf("validate http endpoint: %w", err)
	}
	if err := validateAtLeastOneEnabledEndpoint(*config.Endpoints.HTTPS, *config.Endpoints.HTTP); err != nil {
		return nil, fmt.Errorf("validate endpoints: %w", err)
	}

	return &config, nil
}

func maybeSetEndpointDefault(endpoint **Endpoint, defaultEndpoint Endpoint) {
	if *endpoint != nil {
		return
	}
	*endpoint = &defaultEndpoint
}

func maybeSetAPIGroupSuffixDefault(apiGroupSuffix **string) {
	if *apiGroupSuffix == nil {
		*apiGroupSuffix = pointer.StringPtr(groupsuffix.PinnipedDefaultSuffix)
	}
}

func validateAPIGroupSuffix(apiGroupSuffix string) error {
	return groupsuffix.Validate(apiGroupSuffix)
}

func validateNames(names *NamesConfigSpec) error {
	missingNames := []string{}
	if names.DefaultTLSCertificateSecret == "" {
		missingNames = append(missingNames, "defaultTLSCertificateSecret")
	}
	if len(missingNames) > 0 {
		return constable.Error("missing required names: " + strings.Join(missingNames, ", "))
	}
	return nil
}

func validateEndpoint(endpoint Endpoint) error {
	switch n := endpoint.Network; n {
	case NetworkTCP, NetworkUnix:
		if len(endpoint.Address) == 0 {
			return fmt.Errorf("address must be set with %q network", n)
		}
		return nil
	case NetworkDisabled:
		if len(endpoint.Address) != 0 {
			return fmt.Errorf("address set to %q when disabled, should be empty", endpoint.Address)
		}
		return nil
	default:
		return fmt.Errorf("unknown network %q", n)
	}
}

func validateAtLeastOneEnabledEndpoint(endpoints ...Endpoint) error {
	for _, endpoint := range endpoints {
		if endpoint.Network != NetworkDisabled {
			return nil
		}
	}
	return constable.Error("all endpoints are disabled")
}
internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-19 15:52:12 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`// Package supervisor contains functionality to load/store Config's from/to`
			`// some source.`
			`package supervisor`

			`import (`
			`"fmt"`
			`"io/ioutil"`
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 18:56:50 +00:00			`"strings"`
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00
Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 20:20:00 +00:00			`"k8s.io/utils/pointer"`
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`"sigs.k8s.io/yaml"`
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 18:56:50 +00:00
			`"go.pinniped.dev/internal/constable"`
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com> 2021-01-13 01:27:41 +00:00			`"go.pinniped.dev/internal/groupsuffix"`
Add log level support Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-10 14:57:29 +00:00			`"go.pinniped.dev/internal/plog"`
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`)`

Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`const (`
			`NetworkDisabled = "disabled"`
			`NetworkUnix = "unix"`
			`NetworkTCP = "tcp"`
			`)`

Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`// FromPath loads an Config from a provided local file path, inserts any`
			`// defaults (from the Config documentation), and verifies that the config is`
			`// valid (Config documentation).`
			`func FromPath(path string) (*Config, error) {`
			`data, err := ioutil.ReadFile(path)`
			`if err != nil {`
			`return nil, fmt.Errorf("read file: %w", err)`
			`}`

			`var config Config`
			`if err := yaml.Unmarshal(data, &config); err != nil {`
			`return nil, fmt.Errorf("decode yaml: %w", err)`
			`}`

			`if config.Labels == nil {`
			`config.Labels = make(map[string]string)`
			`}`

internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-19 15:52:12 +00:00			`maybeSetAPIGroupSuffixDefault(&config.APIGroupSuffix)`

Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com> 2021-01-13 01:27:41 +00:00			`if err := validateAPIGroupSuffix(*config.APIGroupSuffix); err != nil {`
			`return nil, fmt.Errorf("validate apiGroupSuffix: %w", err)`
			`}`

Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 18:56:50 +00:00			`if err := validateNames(&config.NamesConfig); err != nil {`
			`return nil, fmt.Errorf("validate names: %w", err)`
			`}`

Add log level support Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-10 14:57:29 +00:00			`if err := plog.ValidateAndSetLogLevelGlobally(config.LogLevel); err != nil {`
			`return nil, fmt.Errorf("validate log level: %w", err)`
			`}`

Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`// support setting this to null or {} or empty in the YAML`
			`if config.Endpoints == nil {`
			`config.Endpoints = &Endpoints{}`
			`}`

			`maybeSetEndpointDefault(&config.Endpoints.HTTPS, Endpoint{`
			`Network: NetworkTCP,`
			`Address: ":8443",`
			`})`
			`maybeSetEndpointDefault(&config.Endpoints.HTTP, Endpoint{`
			`Network: NetworkTCP,`
			`Address: ":8080",`
			`})`

			`if err := validateEndpoint(*config.Endpoints.HTTPS); err != nil {`
			`return nil, fmt.Errorf("validate https endpoint: %w", err)`
			`}`
			`if err := validateEndpoint(*config.Endpoints.HTTP); err != nil {`
			`return nil, fmt.Errorf("validate http endpoint: %w", err)`
			`}`
			`if err := validateAtLeastOneEnabledEndpoint(config.Endpoints.HTTPS, config.Endpoints.HTTP); err != nil {`
			`return nil, fmt.Errorf("validate endpoints: %w", err)`
			`}`

Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`return &config, nil`
			`}`
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 18:56:50 +00:00
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`func maybeSetEndpointDefault(endpoint **Endpoint, defaultEndpoint Endpoint) {`
			`if *endpoint != nil {`
			`return`
			`}`
			`*endpoint = &defaultEndpoint`
			`}`

internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-19 15:52:12 +00:00			`func maybeSetAPIGroupSuffixDefault(apiGroupSuffix **string) {`
			`if *apiGroupSuffix == nil {`
Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 20:20:00 +00:00			`*apiGroupSuffix = pointer.StringPtr(groupsuffix.PinnipedDefaultSuffix)`
internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-19 15:52:12 +00:00			`}`
			`}`

Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com> 2021-01-13 01:27:41 +00:00			`func validateAPIGroupSuffix(apiGroupSuffix string) error {`
			`return groupsuffix.Validate(apiGroupSuffix)`
			`}`

Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 18:56:50 +00:00			`func validateNames(names *NamesConfigSpec) error {`
			`missingNames := []string{}`
			`if names.DefaultTLSCertificateSecret == "" {`
			`missingNames = append(missingNames, "defaultTLSCertificateSecret")`
			`}`
			`if len(missingNames) > 0 {`
			`return constable.Error("missing required names: " + strings.Join(missingNames, ", "))`
			`}`
			`return nil`
			`}`
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00
			`func validateEndpoint(endpoint Endpoint) error {`
			`switch n := endpoint.Network; n {`
			`case NetworkTCP, NetworkUnix:`
			`if len(endpoint.Address) == 0 {`
			`return fmt.Errorf("address must be set with %q network", n)`
			`}`
			`return nil`
			`case NetworkDisabled:`
			`if len(endpoint.Address) != 0 {`
			`return fmt.Errorf("address set to %q when disabled, should be empty", endpoint.Address)`
			`}`
			`return nil`
			`default:`
			`return fmt.Errorf("unknown network %q", n)`
			`}`
			`}`

			`func validateAtLeastOneEnabledEndpoint(endpoints ...Endpoint) error {`
			`for _, endpoint := range endpoints {`
			`if endpoint.Network != NetworkDisabled {`
			`return nil`
			`}`
			`}`
			`return constable.Error("all endpoints are disabled")`
			`}`