From 4eb998d4d419f5efa3a1a27ce390a45e009c8320 Mon Sep 17 00:00:00 2001
From: ricoberger
Date: Fri, 7 Jan 2022 12:35:07 +0100
Subject: [PATCH] [core] Add debug endpoints

The api server exposed some "/api/debug" endpoints now. These endpoints can be used to get the "http/pprof" information and to dump an http request. The debug endpoints can be enabled via the "--api.debug" flag. By default these endpoints are disabled. We also fixed some typos in the documentation for the Azure and Helm plugin. In the Azure we had a wrong link for the permissions documentation and in the Helm plugin the configuration section was missing. Besides the changes from above, we also enabled the secure and http only flag for the cookie, which is created by the auth middleware when authentication is enabled.
---
 CHANGELOG.md | 1 +
 deploy/helm/kobs/Chart.yaml | 2 +-
 deploy/helm/kobs/templates/deployment.yaml | 1 +
 deploy/helm/kobs/values.yaml | 1 +
 docs/configuration/getting-started.md | 1 +
 docs/installation/helm.md | 1 +
 docs/plugins/azure.md | 2 +-
 docs/plugins/helm.md | 14 ++++++++++
 pkg/api/api.go | 32 ++++++++++++++++++++++
 pkg/api/middleware/auth/auth.go | 12 +++++---
 10 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a2b9d7ca6..cddab1bcf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
 - [#277](https://github.com/kobsio/kobs/pull/277): Support multiple versions for the documentation.
 - [#282](https://github.com/kobsio/kobs/pull/282): [helm] Add permission handling based on clusters, namespaces and the names of Helm releases.
 - [#283](https://github.com/kobsio/kobs/pull/283): [core] Add optional `defaultTime` argument to `getTimeParams` function to overwrite the default time range.
+- [#285](https://github.com/kobsio/kobs/pull/285): [core] Add `/api/debug` endpoints for debugging the API server.
 ### Fixed
diff --git a/deploy/helm/kobs/Chart.yaml b/deploy/helm/kobs/Chart.yaml
index 6c3dd289b..7203f1169 100644
--- a/deploy/helm/kobs/Chart.yaml
+++ b/deploy/helm/kobs/Chart.yaml
@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.10.0
+version: 0.10.1
 appVersion: v0.7.0
diff --git a/deploy/helm/kobs/templates/deployment.yaml b/deploy/helm/kobs/templates/deployment.yaml
index 0c5176a1d..e0cd85178 100644
--- a/deploy/helm/kobs/templates/deployment.yaml
+++ b/deploy/helm/kobs/templates/deployment.yaml
@@ -33,6 +33,7 @@ spec:
 imagePullPolicy: {{ .Values.kobs.image.pullPolicy }}
 args:
 - --development={{ .Values.kobs.settings.development }}
+ - --api.debug={{ .Values.kobs.settings.debug }}
 - --api.auth.enabled={{ .Values.kobs.settings.auth.enabled }}
 - --api.auth.header.teams={{ .Values.kobs.settings.auth.headerTeams }}
 - --api.auth.header.user={{ .Values.kobs.settings.auth.headerUser }}
diff --git a/deploy/helm/kobs/values.yaml b/deploy/helm/kobs/values.yaml
index 2defdafc5..3f4a0465d 100644
--- a/deploy/helm/kobs/values.yaml
+++ b/deploy/helm/kobs/values.yaml
@@ -113,6 +113,7 @@ kobs:
 ##
 settings:
 development: false
+ debug: false
 auth:
 enabled: false
 headerTeams: X-Auth-Request-Groups
diff --git a/docs/configuration/getting-started.md b/docs/configuration/getting-started.md
index 24622a9bd..3e073ac9c 100644
--- a/docs/configuration/getting-started.md
+++ b/docs/configuration/getting-started.md
@@ -15,6 +15,7 @@ The following command-line arguments and environment variables are available.
 | `--api.auth.header.user string` | `KOBS_API_AUTH_HEADER_USER` | The header, which contains the user id. | `X-Auth-Request-Email` |
 | `--api.auth.session.interval duration` | `KOBS_API_AUTH_SESSION_INTERVAL` | The interval for how long a session is valid. | `48h0m0s` |
 | `--api.auth.session.token string` | `KOBS_API_AUTH_SESSION_TOKEN` | The token to encrypt the session cookie. | |
+| `--api.debug` | | Enable `/api/debug` endpoints for the API server. | `false` |
 | `--app.address` | `KOBS_APP_ADDRESS` | The address, where the Application server is listen on. | `:15219` |
 | `--app.assets` | `KOBS_APP_ASSETS` | The location of the assets directory. | `app/build` |
 | `--clusters.cache-duration.namespaces` | `KOBS_CLUSTERS_CACHE_DURATION_NAMESPACES` | The duration, for how long requests to get the list of namespaces should be cached. | `5m` |
diff --git a/docs/installation/helm.md b/docs/installation/helm.md
index a49139987..b987394f0 100644
--- a/docs/installation/helm.md
+++ b/docs/installation/helm.md
@@ -67,6 +67,7 @@ helm upgrade --install kobs kobs/kobs
 | `kobs.volumeMounts` | Specify additional volumeMounts for the kobs container. | `[]` |
 | `kobs.env` | Set additional environment variables for the kobs container. | `[]` |
 | `kobs.settings.development` | Run kobs in development mode. | `false` |
+| `kobs.settings.debug` | Enable the `/api/debug` endpoints for the API server. | `false` |
 | `kobs.settings.auth.enabled` | Enable the authentication and authorization middleware. | `false` |
 | `kobs.settings.auth.headerTeams` | The header, which contains the team ids. | `X-Auth-Request-Email` |
 | `kobs.settings.auth.headerUser` | The header, which contains the user id. | `X-Auth-Request-Groups` |
diff --git a/docs/plugins/azure.md b/docs/plugins/azure.md
index 387e0b5f1..2678bf302 100644
--- a/docs/plugins/azure.md
+++ b/docs/plugins/azure.md
@@ -28,7 +28,7 @@ plugins:
 | name | string | Name of the Azure instance. | Yes |
 | displayName | string | Name of the Azure instance as it is shown in the UI. | Yes |
 | descriptions | string | Description of the Azure instance. | No |
-| permissionsEnabled | boolean | Enable the permission handling. The permissions can be defined via the [PermissionsCustom](../resources/teams.md#permissionscustom) in a team. An example of the permission format can be found in the [usage](#usage) section of this page. | No |
+| permissionsEnabled | boolean | Enable the permission handling. An example of the permission format can be found in the [usage](#usage) section of this page. | No |
 | credentials | [Credentials](#credentials) | The credentials to access the Azure API. | Yes |
 ### Credentials
diff --git a/docs/plugins/helm.md b/docs/plugins/helm.md
index 8e255bb2a..57bad13e0 100644
--- a/docs/plugins/helm.md
+++ b/docs/plugins/helm.md
@@ -6,6 +6,20 @@ The Helm plugin can be used to manage Helm releases within kobs.
 ![Details](assets/helm-details.png)
+## Configuration
+
+The following configuration can be used for the Helm plugin.
+
+```yaml
+plugins:
+ helm:
+ permissionsEnabled: true
+```
+
+| Field | Type | Description | Required |
+| ----- | ---- | ----------- | -------- |
+| permissionsEnabled | boolean | Enable the permission handling. An example of the permission format can be found in the [usage](#usage) section of this page. | No |
+
 ## Options
 The following options can be used for a panel with the Helm plugin:
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 16811cd2a..1637b664d 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -2,7 +2,10 @@ package api
 import (
 "context"
+ "fmt"
 "net/http"
+ "net/http/httputil"
+ "net/http/pprof"
 "os"
 "time"
@@ -22,6 +25,7 @@ import (
 var (
 address string
+ debug bool
 )
 // init is used to define all flags, which are needed for the api server. We have to define the address, where the api
@@ -33,6 +37,7 @@ func init() {
 }
 flag.StringVar(&address, "api.address", defaultAddress, "The address, where the API server is listen on.")
+ flag.BoolVar(&debug, "api.debug", false, "Enable \"/api/debug\" endpoints for the API server.")
 }
 // Server implements the api server. The api server is used to serve the rest api for kobs.
@@ -87,6 +92,33 @@ func New(clustersClient clusters.Client, pluginsRouter chi.Router, isDevelopment
 render.JSON(w, r, nil)
 })
+ if debug {
+ router.Route("/api/debug", func(r chi.Router) {
+ r.Get("/request/dump", func(w http.ResponseWriter, r *http.Request) {
+ dump, err := httputil.DumpRequest(r, true)
+ if err != nil {
+ http.Error(w, fmt.Sprint(err), http.StatusInternalServerError)
+ return
+ }
+
+ fmt.Fprintf(w, "%s", string(dump))
+ })
+
+ r.HandleFunc("/pprof/", pprof.Index)
+ r.HandleFunc("/pprof/cmdline", pprof.Cmdline)
+ r.HandleFunc("/pprof/profile", pprof.Profile)
+ r.HandleFunc("/pprof/symbol", pprof.Symbol)
+
+ r.Handle("/pprof/allocs", pprof.Handler("allocs"))
+ r.Handle("/pprof/block", pprof.Handler("block"))
+ r.Handle("/pprof/goroutine", pprof.Handler("goroutine"))
+ r.Handle("/pprof/heap", pprof.Handler("heap"))
+ r.Handle("/pprof/mutex", pprof.Handler("mutex"))
+ r.Handle("/pprof/threadcreate", pprof.Handler("threadcreate"))
+ r.Handle("/pprof/trace", pprof.Handler("trace"))
+ })
+ }
+
 router.Route("/api", func(r chi.Router) {
 r.Use(middleware.RequestID)
 r.Use(middleware.Recoverer)
diff --git a/pkg/api/middleware/auth/auth.go b/pkg/api/middleware/auth/auth.go
index d4226faac..b9a0a0ae9 100644
--- a/pkg/api/middleware/auth/auth.go
+++ b/pkg/api/middleware/auth/auth.go
@@ -128,8 +128,10 @@ func (a *Auth) Handler(next http.Handler) http.Handler {
 }
 http.SetCookie(w, &http.Cookie{
- Name: "kobs-auth",
- Value: token,
+ Name: "kobs-auth",
+ Value: token,
+ Secure: true,
+ HttpOnly: true,
 })
 ctx = context.WithValue(ctx, authContext.UserKey, user)
 } else {
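Review bot: In `pkg/api/api.go`, the `/api/debug` subrouter is registered on the top-level `router` beside the `/api` group rather than inside it, so it inherits none of the middleware that group installs with `r.Use` (only `RequestID` and `Recoverer` are visible here; whether the auth middleware is attached there lies outside the hunk). With `--api.debug` enabled, any client that can reach the API listener would be served the process arguments by `/pprof/cmdline` (which would include `--api.auth.session.token` if it is passed as a flag), and `/request/dump` writes the request headers, including the `kobs-auth` cookie, into a response body where `HttpOnly` no longer shields it. I would register these routes inside the existing group, below its `r.Use(...)` calls, as `r.Route("/debug", func(r chi.Router) { ... })`, or serve them from a separate loopback-only listener. Separately, `pprof.Handler("trace")` looks up a runtime profile named "trace", which does not exist, so that route answers 404; it should be `r.HandleFunc("/pprof/trace", pprof.Trace)`. The body of `New` starts and ends outside this hunk.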
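Review bot: In `pkg/api/middleware/auth/auth.go`, the `kobs-auth` cookie still carries no `SameSite` or `Path` attribute after this change, both here and in the identical literal of the `@@ -157,8 +159,10 @@` hunk. Without `Path` the browser scopes the cookie to the directory of whichever request first received it, and without `SameSite` the cross-site behaviour is left to the browser's default; I would add `Path: "/",` and `SameSite: http.SameSiteLaxMode,` to both literals. `Secure: true` is now unconditional, so a deployment reached over plain HTTP would presumably never get the cookie back, which is worth a sentence in the auth documentation. Since the two literals are the same, a small helper that builds the cookie would keep them from drifting apart. `Handler` begins and ends outside both hunks.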
@@ -157,8 +159,10 @@ func (a *Auth) Handler(next http.Handler) http.Handler {
 }
 http.SetCookie(w, &http.Cookie{
- Name: "kobs-auth",
- Value: token,
+ Name: "kobs-auth",
+ Value: token,
+ Secure: true,
+ HttpOnly: true,
 })
 ctx = context.WithValue(ctx, authContext.UserKey, newUser)
 } else {