Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
This commit is contained in:
parent
f691baec74
commit
bc7ffd37a6
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
// Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
|
// Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
|
||||||
@ -13,8 +13,23 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
|
// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
|
||||||
_ "go.pinniped.dev/internal/crypto/ptls"
|
//
|
||||||
|
// Commenting this out because it causes the runtime memory consumption of this binary to increase
|
||||||
|
// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
|
||||||
|
// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
|
||||||
|
// code, then we should bring this import back to support the use of the ptls library for client and
|
||||||
|
// server code, and we should also increase the memory limits on the kube cert agent deployment (as
|
||||||
|
// decided by the kube cert agent controller in the Concierge).
|
||||||
|
//
|
||||||
|
//nolint:godot // This is not sentence, it is a commented out line of import code.
|
||||||
|
// _ "go.pinniped.dev/internal/crypto/ptls"
|
||||||
|
|
||||||
|
// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
|
||||||
|
// Without this line, the binary will exit 133 upon startup in fips_strict mode.
|
||||||
|
// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
|
||||||
|
// even though it shouldn't be used currently by this binary.
|
||||||
|
_ "go.pinniped.dev/internal/crypto/fips"
|
||||||
)
|
)
|
||||||
|
|
||||||
//nolint:gochecknoglobals // these are swapped during unit tests.
|
//nolint:gochecknoglobals // these are swapped during unit tests.
|
||||||
|
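Review bot: Dropping the ptls import rests on the claim in the new comment block that this binary does not use TLS, and nothing in the commit enforces that; if TLS client or server code is added later, the binary quietly gets Go's default TLS configuration instead of the ptls profiles, and the memory-limit note goes stale at the same time. A small guard would be a test that runs `go list -deps` on this command (built without the `fips_strict` tag, since `crypto/tls/fipsonly` itself pulls in `crypto/tls`) and fails if `crypto/tls` appears, so the assumption is checked rather than only written down. Separately, the commented-out import line with its `//nolint:godot` directive adds little beyond the prose, which already names `go.pinniped.dev/internal/crypto/ptls`; the comment alone reads cleaner. The enclosing `import (` block begins before this hunk.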
6
internal/crypto/fips/doc.go
Normal file
6
internal/crypto/fips/doc.go
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||||
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
|
||||||
|
// It will also cause cgo to be explicitly imported when compiling with fips_strict.
|
||||||
|
package fips
|
12
internal/crypto/fips/fips_strict.go
Normal file
12
internal/crypto/fips/fips_strict.go
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||||
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
//go:build fips_strict
|
||||||
|
// +build fips_strict
|
||||||
|
|
||||||
|
package fips
|
||||||
|
|
||||||
|
import (
|
||||||
|
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
|
||||||
|
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
|
||||||
|
)
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
|
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
|
||||||
@ -16,11 +16,10 @@ import (
|
|||||||
"path/filepath"
|
"path/filepath"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
|
|
||||||
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
|
|
||||||
|
|
||||||
"k8s.io/apiserver/pkg/server/options"
|
"k8s.io/apiserver/pkg/server/options"
|
||||||
|
|
||||||
|
// Cause fipsonly tls mode with this side effect import.
|
||||||
|
_ "go.pinniped.dev/internal/crypto/fips"
|
||||||
"go.pinniped.dev/internal/plog"
|
"go.pinniped.dev/internal/plog"
|
||||||
)
|
)
|
||||||
|
|
||||||
|