

Merge pull request #150 from slintes/disable-http2-0.7
[release-0.7] Disable HTTP/2
openshift-ci[bot] authored Oct 20, 2023
2 parents 629ce6a + 15f3e23 commit 6f01258
Showing 112 changed files with 5,646 additions and 2,943 deletions.
27 changes: 0 additions & 27 deletions api/v1alpha1/selfnoderemediationconfig_webhook.go
Expand Up @@ -18,8 +18,6 @@ package v1alpha1

import (
"fmt"
"os"
"path/filepath"
"time"

v1 "k8s.io/api/core/v1"
Expand All @@ -30,12 +28,6 @@ import (
"sigs.k8s.io/controller-runtime/pkg/webhook"
)

const (
webhookCertDir = "/apiserver.local.config/certificates"
webhookCertName = "apiserver.crt"
webhookKeyName = "apiserver.key"
)

// fields names
const (
peerApiServerTimeout = "PeerApiServerTimeout"
Expand Down Expand Up @@ -66,25 +58,6 @@ type field struct {
var selfNodeRemediationConfigLog = logf.Log.WithName("selfnoderemediationconfig-resource")

func (r *SelfNodeRemediationConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {

// check if OLM injected certs
certs := []string{filepath.Join(webhookCertDir, webhookCertName), filepath.Join(webhookCertDir, webhookKeyName)}
certsInjected := true
for _, fname := range certs {
if _, err := os.Stat(fname); err != nil {
certsInjected = false
break
}
}
if certsInjected {
server := mgr.GetWebhookServer()
server.CertDir = webhookCertDir
server.CertName = webhookCertName
server.KeyName = webhookKeyName
} else {
selfNodeRemediationConfigLog.Info("OLM injected certs for webhooks not found")
}

return ctrl.NewWebhookManagedBy(mgr).
For(r).
Complete()
2 changes: 1 addition & 1 deletion config/default/manager_auth_proxy_patch.yaml
Expand Up @@ -10,7 +10,7 @@ spec:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
image: quay.io/brancz/kube-rbac-proxy:v0.14.4
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
10 changes: 5 additions & 5 deletions go.mod
Expand Up @@ -13,8 +13,8 @@ require (
github.com/pkg/errors v0.9.1
go.uber.org/zap v1.24.0
golang.org/x/sys v0.13.0
google.golang.org/grpc v1.49.0
google.golang.org/protobuf v1.28.1
google.golang.org/grpc v1.56.3
google.golang.org/protobuf v1.30.0
k8s.io/api v0.26.3
k8s.io/apiextensions-apiserver v0.26.1
k8s.io/apimachinery v0.26.10-0.20231013031804-4eaec8069337
Expand All @@ -27,7 +27,7 @@ require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
Expand Down Expand Up @@ -65,15 +65,15 @@ require (
go.uber.org/multierr v1.6.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.7.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
44 changes: 10 additions & 34 deletions go.sum


53 changes: 50 additions & 3 deletions main.go
Expand Up @@ -17,8 +17,10 @@ limitations under the License.
package main

import (
"crypto/tls"
"flag"
"os"
"path/filepath"
"strconv"
"time"

Expand Down Expand Up @@ -57,6 +59,10 @@ import (
const (
nodeNameEnvVar = "MY_NODE_NAME"
peerHealthDefaultPort = 30001

WebhookCertDir = "/apiserver.local.config/certificates"
WebhookCertName = "apiserver.crt"
WebhookKeyName = "apiserver.key"
)

var (
Expand All @@ -76,12 +82,14 @@ func main() {
var metricsAddr string
var enableLeaderElection bool
var probeAddr string
var enableHTTP2 bool
var isManager bool
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&enableHTTP2, "enable-http2", false, "If HTTP/2 should be enabled for the metrics and webhook servers.")
flag.BoolVar(&isManager, "is-manager", false,
"Used to differentiate between the self node remediation agents that runs in a daemonset to the 'manager' that only"+
"reconciles the config CRD and installs the DS")
Expand All @@ -95,7 +103,9 @@ func main() {
ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
Scheme: scheme,
// HEADS UP: once controller runtime is updated and this changes to metrics.Options{},
// and in case you configure TLS / SecureServing, disable HTTP/2 in it for mitigating related CVEs!
MetricsBindAddress: metricsAddr,
Port: 9443,
HealthProbeBindAddress: probeAddr,
Expand All @@ -108,7 +118,7 @@ func main() {
}

if isManager {
initSelfNodeRemediationManager(mgr)
initSelfNodeRemediationManager(mgr, enableHTTP2)
} else {
initSelfNodeRemediationAgent(mgr)
}
Expand All @@ -131,9 +141,11 @@ func main() {
}
}

func initSelfNodeRemediationManager(mgr manager.Manager) {
func initSelfNodeRemediationManager(mgr manager.Manager, enableHTTP2 bool) {
setupLog.Info("Starting as a manager that installs the daemonset")

configureWebhookServer(mgr, enableHTTP2)

if err := utils.InitOutOfServiceTaintSupportedFlag(mgr.GetConfig()); err != nil {
setupLog.Error(err, "unable to verify out of service taint support. out of service taint isn't supported")
}
Expand Down Expand Up @@ -321,3 +333,38 @@ func initSelfNodeRemediationAgent(mgr manager.Manager) {
os.Exit(1)
}
}

func configureWebhookServer(mgr ctrl.Manager, enableHTTP2 bool) {

server := mgr.GetWebhookServer()

// check for OLM injected certs
certs := []string{filepath.Join(WebhookCertDir, WebhookCertName), filepath.Join(WebhookCertDir, WebhookKeyName)}
certsInjected := true
for _, fname := range certs {
if _, err := os.Stat(fname); err != nil {
certsInjected = false
break
}
}
if certsInjected {
server.CertDir = WebhookCertDir
server.CertName = WebhookCertName
server.KeyName = WebhookKeyName
} else {
setupLog.Info("OLM injected certs for webhooks not found")
}

// disable http/2 for mitigating relevant CVEs
if !enableHTTP2 {
server.TLSOpts = append(server.TLSOpts,
func(c *tls.Config) {
c.NextProtos = []string{"http/1.1"}
},
)
setupLog.Info("HTTP/2 for webhooks disabled")
} else {
setupLog.Info("HTTP/2 for webhooks enabled")
}

}
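Review bot: The `--enable-http2` help text earlier in this section says the flag covers "the metrics and webhook servers", but the only consumer of `enableHTTP2` is `configureWebhookServer`, which appends the `NextProtos` restriction to `server.TLSOpts` of the webhook server alone; the metrics endpoint is bound via `MetricsBindAddress` with no TLS configuration in this file, as the HEADS UP comment in `main()` itself acknowledges. Narrowing the string to `"If HTTP/2 should be enabled for the webhook server."` keeps the flag honest until metrics serving gets its own TLS options. In the cert probe, any `os.Stat` failure, not only a missing file, ends in the "OLM injected certs for webhooks not found" message without the underlying error, so a permissions or path problem on the injected certs is indistinguishable from the cert-less case; recording the failing name and error, e.g. `setupLog.Info("OLM injected certs for webhooks not found", "file", fname, "error", err.Error())`, would make that visible in the logs. Whether `TLSOpts` is applied at serve time is presumably controller-runtime behaviour and is not visible in this hunk. As a point of style, `WebhookCertDir`, `WebhookCertName` and `WebhookKeyName` are exported from `package main`, where nothing can import them; lowercase names would match `nodeNameEnvVar` and `peerHealthDefaultPort` in the same block.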
31 changes: 17 additions & 14 deletions vendor/github.com/cespare/xxhash/v2/README.md


10 changes: 10 additions & 0 deletions vendor/github.com/cespare/xxhash/v2/testall.sh


47 changes: 20 additions & 27 deletions vendor/github.com/cespare/xxhash/v2/xxhash.go



