package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
"net/url"
"time"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
"github.com/spf13/cobra"
)
// opts holds the command-line configuration of the proxy. It is package-level
// because NewCommand binds the cobra flags directly into its fields.
var opts struct {
	// Serving side: the certificate and key presented to healthcheck callers
	// (handed to http.Server.ServeTLS).
	TLSCertFile string
	TLSKeyFile  string

	// Upstream side: CAFile verifies the API server's certificate, and the
	// CertFile/KeyFile pair is presented to it as the client identity.
	CAFile   string
	CertFile string
	KeyFile  string

	// Port is the proxy's listen port; APIServerBindPort is the local API
	// server port that requests are forwarded to.
	Port              int
	APIServerBindPort int
}
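// NewCommand builds the healthcheck-proxy command.
//
// The command serves TLS on --secure-port and reverse-proxies every request to
// the local API server on --apiserver-port, authenticating to it with the
// healthcheck client certificate. Flags are bound to the package-level opts
// struct, so the command is meant to be constructed once per process.
func NewCommand() *cobra.Command {
	cmd := &cobra.Command{
		Use:           "healthcheck-proxy",
		Short:         "crit healthcheck proxy sidecar",
		SilenceErrors: true,
		SilenceUsage:  true,
		RunE: func(cmd *cobra.Command, args []string) error {
			return run()
		},
	}
	cmd.Flags().StringVar(&opts.CAFile, "client-ca-file", "/etc/kubernetes/pki/ca.crt", "CA bundle used to verify the API server's certificate")
	cmd.Flags().StringVar(&opts.CertFile, "healthcheck-client-certificate", "/etc/kubernetes/pki/apiserver-healthcheck-client.crt", "client certificate presented to the API server")
	cmd.Flags().StringVar(&opts.KeyFile, "healthcheck-client-key", "/etc/kubernetes/pki/apiserver-healthcheck-client.key", "private key for --healthcheck-client-certificate")
	cmd.Flags().StringVar(&opts.TLSCertFile, "tls-cert-file", "/etc/kubernetes/pki/apiserver.crt", "certificate served to healthcheck callers")
	cmd.Flags().StringVar(&opts.TLSKeyFile, "tls-private-key-file", "/etc/kubernetes/pki/apiserver.key", "private key for --tls-cert-file")
	cmd.Flags().IntVar(&opts.Port, "secure-port", 6444, "port the proxy listens on")
	cmd.Flags().IntVar(&opts.APIServerBindPort, "apiserver-port", 6443, "local API server port requests are proxied to")
	return cmd
}

// run loads the certificates named in opts, assembles the proxy and serves
// until the listener fails. Errors are returned rather than logged so that
// main reports them exactly once.
func run() error {
	clientTLS, err := clientTLSConfig(opts.CAFile, opts.CertFile, opts.KeyFile)
	if err != nil {
		return err
	}

	u, err := url.Parse(fmt.Sprintf("https://localhost:%d", opts.APIServerBindPort))
	if err != nil {
		return fmt.Errorf("building API server URL: %w", err)
	}

	e := echo.New()
	e.Use(middleware.Logger())
	e.Use(middleware.Recover())
	// BodyLimit and Secure must be registered before the proxy: the proxy
	// middleware answers the request itself and never calls the next handler,
	// so anything registered after it is unreachable.
	e.Use(middleware.BodyLimit("2M"))
	e.Use(middleware.Secure())
	e.Use(middleware.ProxyWithConfig(middleware.ProxyConfig{
		Balancer: middleware.NewRoundRobinBalancer([]*middleware.ProxyTarget{{URL: u}}),
		Transport: &http.Transport{
			TLSClientConfig: clientTLS,
		},
	}))

	s := &http.Server{
		Addr:    fmt.Sprintf("0.0.0.0:%d", opts.Port),
		Handler: e,
		// ServeTLS adds the serving certificate to a clone of this config; we
		// only pin the protocol floor here.
		TLSConfig:      &tls.Config{MinVersion: tls.VersionTLS12},
		ReadTimeout:    10 * time.Second,
		WriteTimeout:   10 * time.Second,
		MaxHeaderBytes: 1 << 20,
		// IdleTimeout is left unset and therefore falls back to ReadTimeout.
	}
	// Listen explicitly so an unusable address is reported before any TLS setup.
	l, err := net.Listen("tcp", s.Addr)
	if err != nil {
		return fmt.Errorf("listening on %s: %w", s.Addr, err)
	}
	return s.ServeTLS(l, opts.TLSCertFile, opts.TLSKeyFile)
}

// clientTLSConfig builds the TLS configuration used to reach the API server:
// the CA bundle in caFile verifies the server and the certFile/keyFile pair is
// presented as the client identity. Every failure names the offending file.
func clientTLSConfig(caFile, certFile, keyFile string) (*tls.Config, error) {
	// ioutil.ReadFile is kept (rather than os.ReadFile) to match the file's
	// existing import set.
	caCert, err := ioutil.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("reading client CA file %q: %w", caFile, err)
	}
	caPool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when nothing parseable was found. An
	// empty RootCAs pool would make every proxied request fail verification
	// later with a far less helpful error, so reject it here.
	if !caPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("no PEM certificates found in client CA file %q", caFile)
	}

	cert, err := ioutil.ReadFile(certFile)
	if err != nil {
		return nil, fmt.Errorf("reading healthcheck client certificate %q: %w", certFile, err)
	}
	key, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, fmt.Errorf("reading healthcheck client key %q: %w", keyFile, err)
	}
	tlsCert, err := tls.X509KeyPair(cert, key)
	if err != nil {
		return nil, fmt.Errorf("loading healthcheck client key pair %q/%q: %w", certFile, keyFile, err)
	}

	return &tls.Config{
		RootCAs:      caPool,
		Certificates: []tls.Certificate{tlsCert},
		MinVersion:   tls.VersionTLS12,
	}, nil
}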
// main runs the healthcheck-proxy command and exits non-zero if it fails.
func main() {
	cmd := NewCommand()
	err := cmd.Execute()
	if err != nil {
		log.Fatal(err)
	}
}