c6c2c525a6
Also fix some tests that were broken by bumping golang and dependencies in the previous commits. Note that in addition to changes made to satisfy the linter which do not impact the behavior of the code, this commit also adds ReadHeaderTimeout to all usages of http.Server to satisfy the linter (and because it seemed like a good suggestion).
193 lines
6.2 KiB
Go
193 lines
6.2 KiB
Go
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
// Package concierge contains functionality to load/store Config's from/to
|
|
// some source.
|
|
package concierge
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"k8s.io/utils/pointer"
|
|
"sigs.k8s.io/yaml"
|
|
|
|
"go.pinniped.dev/internal/constable"
|
|
"go.pinniped.dev/internal/groupsuffix"
|
|
"go.pinniped.dev/internal/plog"
|
|
)
|
|
|
|
const (
|
|
aboutAYear = 60 * 60 * 24 * 365
|
|
about9Months = 60 * 60 * 24 * 30 * 9
|
|
|
|
// Use 10250 because it happens to be the same port on which the Kubelet listens, so some cluster types
|
|
// are more permissive with servers that run on this port. For example, GKE private clusters do not
|
|
// allow traffic from the control plane to most ports, but do allow traffic to port 10250. This allows
|
|
// the Concierge to work without additional configuration on these types of clusters.
|
|
aggregatedAPIServerPortDefault = 10250
|
|
|
|
// Use port 8444 because that is the port that was selected for the first released version of the
|
|
// impersonation proxy, and has been the value since. It was originally selected because the
|
|
// aggregated API server used to run on 8443 (has since changed), so 8444 was the next available port.
|
|
impersonationProxyPortDefault = 8444
|
|
)
|
|
|
|
// FromPath loads an Config from a provided local file path, inserts any
|
|
// defaults (from the Config documentation), and verifies that the config is
|
|
// valid (per the Config documentation).
|
|
//
|
|
// Note! The Config file should contain base64-encoded WebhookCABundle data.
|
|
// This function will decode that base64-encoded data to PEM bytes to be stored
|
|
// in the Config.
|
|
func FromPath(ctx context.Context, path string) (*Config, error) {
|
|
data, err := os.ReadFile(path)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read file: %w", err)
|
|
}
|
|
|
|
var config Config
|
|
if err := yaml.Unmarshal(data, &config); err != nil {
|
|
return nil, fmt.Errorf("decode yaml: %w", err)
|
|
}
|
|
|
|
maybeSetAPIDefaults(&config.APIConfig)
|
|
maybeSetAggregatedAPIServerPortDefaults(&config.AggregatedAPIServerPort)
|
|
maybeSetImpersonationProxyServerPortDefaults(&config.ImpersonationProxyServerPort)
|
|
maybeSetAPIGroupSuffixDefault(&config.APIGroupSuffix)
|
|
maybeSetKubeCertAgentDefaults(&config.KubeCertAgentConfig)
|
|
|
|
if err := validateAPI(&config.APIConfig); err != nil {
|
|
return nil, fmt.Errorf("validate api: %w", err)
|
|
}
|
|
|
|
if err := validateAPIGroupSuffix(*config.APIGroupSuffix); err != nil {
|
|
return nil, fmt.Errorf("validate apiGroupSuffix: %w", err)
|
|
}
|
|
|
|
if err := validateServerPort(config.AggregatedAPIServerPort); err != nil {
|
|
return nil, fmt.Errorf("validate aggregatedAPIServerPort: %w", err)
|
|
}
|
|
|
|
if err := validateServerPort(config.ImpersonationProxyServerPort); err != nil {
|
|
return nil, fmt.Errorf("validate impersonationProxyServerPort: %w", err)
|
|
}
|
|
|
|
if err := validateNames(&config.NamesConfig); err != nil {
|
|
return nil, fmt.Errorf("validate names: %w", err)
|
|
}
|
|
|
|
plog.MaybeSetDeprecatedLogLevel(config.LogLevel, &config.Log)
|
|
if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, config.Log); err != nil {
|
|
return nil, fmt.Errorf("validate log level: %w", err)
|
|
}
|
|
|
|
if config.Labels == nil {
|
|
config.Labels = make(map[string]string)
|
|
}
|
|
|
|
return &config, nil
|
|
}
|
|
|
|
func maybeSetAPIDefaults(apiConfig *APIConfigSpec) {
|
|
if apiConfig.ServingCertificateConfig.DurationSeconds == nil {
|
|
apiConfig.ServingCertificateConfig.DurationSeconds = pointer.Int64Ptr(aboutAYear)
|
|
}
|
|
|
|
if apiConfig.ServingCertificateConfig.RenewBeforeSeconds == nil {
|
|
apiConfig.ServingCertificateConfig.RenewBeforeSeconds = pointer.Int64Ptr(about9Months)
|
|
}
|
|
}
|
|
|
|
func maybeSetAPIGroupSuffixDefault(apiGroupSuffix **string) {
|
|
if *apiGroupSuffix == nil {
|
|
*apiGroupSuffix = pointer.StringPtr(groupsuffix.PinnipedDefaultSuffix)
|
|
}
|
|
}
|
|
|
|
func maybeSetAggregatedAPIServerPortDefaults(port **int64) {
|
|
if *port == nil {
|
|
*port = pointer.Int64Ptr(aggregatedAPIServerPortDefault)
|
|
}
|
|
}
|
|
|
|
func maybeSetImpersonationProxyServerPortDefaults(port **int64) {
|
|
if *port == nil {
|
|
*port = pointer.Int64Ptr(impersonationProxyPortDefault)
|
|
}
|
|
}
|
|
|
|
func maybeSetKubeCertAgentDefaults(cfg *KubeCertAgentSpec) {
|
|
if cfg.NamePrefix == nil {
|
|
cfg.NamePrefix = pointer.StringPtr("pinniped-kube-cert-agent-")
|
|
}
|
|
|
|
if cfg.Image == nil {
|
|
cfg.Image = pointer.StringPtr("debian:latest")
|
|
}
|
|
}
|
|
|
|
func validateNames(names *NamesConfigSpec) error {
|
|
missingNames := []string{}
|
|
if names == nil {
|
|
names = &NamesConfigSpec{}
|
|
}
|
|
if names.ServingCertificateSecret == "" {
|
|
missingNames = append(missingNames, "servingCertificateSecret")
|
|
}
|
|
if names.CredentialIssuer == "" {
|
|
missingNames = append(missingNames, "credentialIssuer")
|
|
}
|
|
if names.APIService == "" {
|
|
missingNames = append(missingNames, "apiService")
|
|
}
|
|
if names.ImpersonationLoadBalancerService == "" {
|
|
missingNames = append(missingNames, "impersonationLoadBalancerService")
|
|
}
|
|
if names.ImpersonationClusterIPService == "" {
|
|
missingNames = append(missingNames, "impersonationClusterIPService")
|
|
}
|
|
if names.ImpersonationTLSCertificateSecret == "" {
|
|
missingNames = append(missingNames, "impersonationTLSCertificateSecret")
|
|
}
|
|
if names.ImpersonationCACertificateSecret == "" {
|
|
missingNames = append(missingNames, "impersonationCACertificateSecret")
|
|
}
|
|
if names.ImpersonationSignerSecret == "" {
|
|
missingNames = append(missingNames, "impersonationSignerSecret")
|
|
}
|
|
if names.AgentServiceAccount == "" {
|
|
missingNames = append(missingNames, "agentServiceAccount")
|
|
}
|
|
if len(missingNames) > 0 {
|
|
return constable.Error("missing required names: " + strings.Join(missingNames, ", "))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func validateAPI(apiConfig *APIConfigSpec) error {
|
|
if *apiConfig.ServingCertificateConfig.DurationSeconds < *apiConfig.ServingCertificateConfig.RenewBeforeSeconds {
|
|
return constable.Error("durationSeconds cannot be smaller than renewBeforeSeconds")
|
|
}
|
|
|
|
if *apiConfig.ServingCertificateConfig.RenewBeforeSeconds <= 0 {
|
|
return constable.Error("renewBefore must be positive")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validateAPIGroupSuffix(apiGroupSuffix string) error {
|
|
return groupsuffix.Validate(apiGroupSuffix)
|
|
}
|
|
|
|
func validateServerPort(port *int64) error {
|
|
// It cannot be below 1024 because the container is not running as root.
|
|
if *port < 1024 || *port > 65535 {
|
|
return constable.Error("must be within range 1024 to 65535")
|
|
}
|
|
return nil
|
|
}
|