Merge pull request #1369 from vmware-tanzu/kube_cert_agent_reduce_memory

Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
2023-01-13 14:26:39 -06:00 · 2023-01-13 14:26:39 -06:00 · f4c9202f49
commit f4c9202f49
parent f691baec74 bc7ffd37a6
4 changed files with 39 additions and 7 deletions
--- a/cmd/pinniped-concierge-kube-cert-agent/main.go
+++ b/cmd/pinniped-concierge-kube-cert-agent/main.go
@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@ -13,8 +13,23 @@ import (
 	"os"
 	"time"
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
-	_ "go.pinniped.dev/internal/crypto/ptls"
+	//
 	// Commenting this out because it causes the runtime memory consumption of this binary to increase
 	// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
 	// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
 	// code, then we should bring this import back to support the use of the ptls library for client and
 	// server code, and we should also increase the memory limits on the kube cert agent deployment (as
 	// decided by the kube cert agent controller in the Concierge).
 	//
 	//nolint:godot // This is not sentence, it is a commented out line of import code.
 	// _ "go.pinniped.dev/internal/crypto/ptls"
 	// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
 	// Without this line, the binary will exit 133 upon startup in fips_strict mode.
 	// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
 	// even though it shouldn't be used currently by this binary.
 	_ "go.pinniped.dev/internal/crypto/fips"
 )
 //nolint:gochecknoglobals // these are swapped during unit tests.
--- a/internal/crypto/fips/doc.go
+++ b/internal/crypto/fips/doc.go
@ -0,0 +1,6 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
 // It will also cause cgo to be explicitly imported when compiling with fips_strict.
 package fips
--- a/internal/crypto/fips/fips_strict.go
+++ b/internal/crypto/fips/fips_strict.go
@ -0,0 +1,12 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_strict
 // +build fips_strict
 package fips
 import (
 	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
 	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
 )
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@ -1,4 +1,4 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
@ -16,11 +16,10 @@ import (
 	"path/filepath"
 	"runtime"
 	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
 	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
 	"k8s.io/apiserver/pkg/server/options"
 	// Cause fipsonly tls mode with this side effect import.
 	_ "go.pinniped.dev/internal/crypto/fips"
 	"go.pinniped.dev/internal/plog"
 )