Reduce memory consumption of pinniped-concierge-kube-cert-agent binary

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 11:07:42 -08:00 · 2023-01-13 11:07:42 -08:00 · bc7ffd37a6
commit bc7ffd37a6
parent f691baec74
4 changed files with 39 additions and 7 deletions
--- a/cmd/pinniped-concierge-kube-cert-agent/main.go
+++ b/cmd/pinniped-concierge-kube-cert-agent/main.go
@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@ -13,8 +13,23 @@ import (
 	"os"
 	"time"

-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
-	_ "go.pinniped.dev/internal/crypto/ptls"
+	// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
+	//
+	// Commenting this out because it causes the runtime memory consumption of this binary to increase
+	// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
+	// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
+	// code, then we should bring this import back to support the use of the ptls library for client and
+	// server code, and we should also increase the memory limits on the kube cert agent deployment (as
+	// decided by the kube cert agent controller in the Concierge).
+	//
+	//nolint:godot // This is not sentence, it is a commented out line of import code.
+	// _ "go.pinniped.dev/internal/crypto/ptls"
+
+	// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
+	// Without this line, the binary will exit 133 upon startup in fips_strict mode.
+	// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
+	// even though it shouldn't be used currently by this binary.
+	_ "go.pinniped.dev/internal/crypto/fips"
 )

 //nolint:gochecknoglobals // these are swapped during unit tests.
--- a/internal/crypto/fips/doc.go
+++ b/internal/crypto/fips/doc.go
@ -0,0 +1,6 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
+// It will also cause cgo to be explicitly imported when compiling with fips_strict.
+package fips
--- a/internal/crypto/fips/fips_strict.go
+++ b/internal/crypto/fips/fips_strict.go
@ -0,0 +1,12 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips_strict
+// +build fips_strict
+
+package fips
+
+import (
+	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
+	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
+)
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
@ -16,11 +16,10 @@ import (
 	"path/filepath"
 	"runtime"

-	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
-	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
-
 	"k8s.io/apiserver/pkg/server/options"

+	// Cause fipsonly tls mode with this side effect import.
+	_ "go.pinniped.dev/internal/crypto/fips"
 	"go.pinniped.dev/internal/plog"
 )