Reduce memory consumption of pinniped-concierge-kube-cert-agent binary

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
This commit is contained in:
Ryan Richard 2023-01-13 11:07:42 -08:00
parent f691baec74
commit bc7ffd37a6
4 changed files with 39 additions and 7 deletions

View File

@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component. // Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@ -13,8 +13,23 @@ import (
"os" "os"
"time" "time"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode. // This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
_ "go.pinniped.dev/internal/crypto/ptls" //
// Commenting this out because it causes the runtime memory consumption of this binary to increase
// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
// code, then we should bring this import back to support the use of the ptls library for client and
// server code, and we should also increase the memory limits on the kube cert agent deployment (as
// decided by the kube cert agent controller in the Concierge).
//
//nolint:godot // This is not sentence, it is a commented out line of import code.
// _ "go.pinniped.dev/internal/crypto/ptls"
// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
// Without this line, the binary will exit 133 upon startup in fips_strict mode.
// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
// even though it shouldn't be used currently by this binary.
_ "go.pinniped.dev/internal/crypto/fips"
) )
//nolint:gochecknoglobals // these are swapped during unit tests. //nolint:gochecknoglobals // these are swapped during unit tests.

View File

@ -0,0 +1,6 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
// It will also cause cgo to be explicitly imported when compiling with fips_strict.
package fips

View File

@ -0,0 +1,12 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
// +build fips_strict
package fips
import (
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
)

View File

@ -1,4 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved. // Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
@ -16,11 +16,10 @@ import (
"path/filepath" "path/filepath"
"runtime" "runtime"
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/server/options"
// Cause fipsonly tls mode with this side effect import.
_ "go.pinniped.dev/internal/crypto/fips"
"go.pinniped.dev/internal/plog" "go.pinniped.dev/internal/plog"
) )