package httptrans
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"time"

	"github.com/bytedance/Elkeid/server/agent_center/common"
	"github.com/bytedance/Elkeid/server/agent_center/common/ylog"
	"github.com/bytedance/Elkeid/server/agent_center/httptrans/http_handler"
	"github.com/bytedance/Elkeid/server/agent_center/httptrans/midware"
	"github.com/gin-gonic/gin"
	"github.com/prometheus/client_golang/prometheus/promhttp"
)
// Run starts both HTTP listeners using the package-level settings in common:
// the management API server runs on a background goroutine, while the
// mutual-TLS raw-data server runs on the calling goroutine, so Run blocks for
// as long as that server is alive.
func Run() {
	go func() {
		runAPIServer(common.HttpPort, common.HttpSSLEnable, common.HttpAuthEnable, common.SSLCertFile, common.SSLKeyFile)
	}()

	runRawDataServer(common.RawDataPort, common.SSLCaFile, common.SSLRawDataCertFile, common.SSLRawDataKeyFile)
}
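// runAPIServer serves the management API on port: connection status and
// control (/conn/*), command dispatch (/command/), the cluster list, plus
// /metrics and /ping.
//
// The handlers registered on apiGroup are protected by midware.AKSKAuth only
// when enableAuth is true; otherwise the agent-controlling endpoints
// /conn/reset and /command/ are reachable without credentials, so the port
// should then be exposed only to a trusted network. /metrics and /ping are
// deliberately registered outside the authenticated group. When enableSSL is
// true the listener terminates TLS with certFile/keyFile.
//
// The function blocks until the listener stops; a listen/serve error is only
// logged, matching the previous behaviour, so a failed bind does not end the
// process.
func runAPIServer(port int, enableSSL, enableAuth bool, certFile, keyFile string) {
	// Bound the time a client may take to send request headers so that idle
	// or slow connections cannot pin listener resources indefinitely.
	const readHeaderTimeout = 10 * time.Second

	router := gin.Default()
	// Build the Prometheus handler once instead of on every request.
	router.GET("/metrics", gin.WrapH(promhttp.Handler()))
	router.GET("/ping", func(c *gin.Context) {
		c.JSON(http.StatusOK, gin.H{"message": "pong"})
	})

	apiGroup := router.Group("/")
	if enableAuth {
		apiGroup.Use(midware.AKSKAuth())
	}
	apiGroup.GET("/conn/stat", http_handler.ConnStat)     // connection status
	apiGroup.GET("/conn/list", http_handler.ConnList)     // list of connected agent IDs
	apiGroup.GET("/conn/count", http_handler.ConnCount)   // total number of connections
	apiGroup.POST("/conn/reset", http_handler.ConnReset)  // disconnect an agent
	apiGroup.POST("/command/", http_handler.PostCommand)  // push commands to an agent
	apiGroup.GET("/kube/cluster/list", http_handler.ClusterList)

	// An explicit http.Server (like runRawDataServer uses) lets us set
	// timeouts, which gin's Run/RunTLS helpers do not expose.
	server := &http.Server{
		Addr:              fmt.Sprintf(":%d", port),
		Handler:           router,
		ReadHeaderTimeout: readHeaderTimeout,
	}

	ylog.Infof("RunServer", "####HTTP_LISTEN_ON:%d", port)
	var err error
	if enableSSL {
		err = server.ListenAndServeTLS(certFile, keyFile)
	} else {
		err = server.ListenAndServe()
	}
	if err != nil {
		ylog.Errorf("RunServer", "####http run error: %v", err)
	}
}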
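// runRawDataServer serves the raw-data ingestion endpoint (POST /rawdata/audit)
// on port over mutual TLS. The TLS configuration comes from credential: the
// server presents certFile/keyFile and accepts only clients whose certificate
// verifies against the CA bundle in caFile.
//
// If the credentials cannot be loaded the process exits rather than starting
// an ingestion endpoint without client verification. Otherwise the function
// blocks until the listener stops, logging any serve error.
func runRawDataServer(port int, caFile, certFile, keyFile string) {
	// Bound the time a client may take to send request headers so that idle
	// or slow connections cannot pin listener resources indefinitely.
	const readHeaderTimeout = 10 * time.Second

	router := gin.Default()
	rawDataGroup := router.Group("/rawdata")
	rawDataGroup.POST("/audit", http_handler.RDAudit) // audit log pushed from a k8s cluster

	tlsConfig := credential(certFile, keyFile, caFile)
	if tlsConfig == nil {
		// credential has already logged the specific load error.
		ylog.Errorf("RunRawDataServer", "####GET_CREDENTIAL_ERROR")
		os.Exit(-1)
	}

	server := http.Server{
		Addr:              fmt.Sprintf(":%d", port),
		Handler:           router,
		TLSConfig:         tlsConfig,
		ReadHeaderTimeout: readHeaderTimeout,
	}

	ylog.Infof("RunRawDataServer", "####RAW_DATA_HTTP_LISTEN_ON:%d", port)
	// Empty cert/key paths: the server certificate is already carried in
	// tlsConfig.Certificates.
	if err := server.ListenAndServeTLS("", ""); err != nil {
		ylog.Errorf("RunRawDataServer", "####raw_data http run error: %v", err)
	}
}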
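// credential builds the server-side TLS configuration for the raw-data
// listener. The server presents the crtFile/keyFile pair and requires every
// client to present a certificate that verifies against the CA certificate(s)
// in caFile (tls.RequireAndVerifyClientCert); protocol versions below TLS 1.2
// are refused.
//
// It returns nil, after logging the reason, when the key pair cannot be
// loaded, caFile cannot be read, or caFile contains no parseable PEM
// certificate.
func credential(crtFile, keyFile, caFile string) *tls.Config {
	cert, err := tls.LoadX509KeyPair(crtFile, keyFile)
	if err != nil {
		ylog.Errorf("Credential", "LOAD_X509_ERROR:%s crtFile:%s keyFile:%s", err.Error(), crtFile, keyFile)
		return nil
	}

	caBytes, err := ioutil.ReadFile(caFile)
	if err != nil {
		ylog.Errorf("Credential", "READ_CAFILE_ERROR:%s caFile:%s", err.Error(), caFile)
		return nil
	}

	certPool := x509.NewCertPool()
	// AppendCertsFromPEM reports failure only through its bool result; err is
	// nil at this point, so report the offending file rather than a nil error.
	if !certPool.AppendCertsFromPEM(caBytes) {
		ylog.Errorf("Credential", "####APPEND_CERT_ERROR: no certificate parsed from caFile:%s", caFile)
		return nil
	}

	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		ClientCAs:    certPool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		Certificates: []tls.Certificate{cert},
	}
}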