/
uploadproxy.go
145 lines (123 loc) · 4.57 KB
/
uploadproxy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
package main
import (
"flag"
"fmt"
"os"
"github.com/kelseyhightower/envconfig"
"github.com/pkg/errors"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"
cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned"
"kubevirt.io/containerized-data-importer/pkg/uploadproxy"
"kubevirt.io/containerized-data-importer/pkg/util"
certfetcher "kubevirt.io/containerized-data-importer/pkg/util/cert/fetcher"
certwatcher "kubevirt.io/containerized-data-importer/pkg/util/cert/watcher"
cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch"
)
const (
// Default port that api listens on.
defaultPort = 8443
// Default address api listens on.
defaultHost = "0.0.0.0"
)
var (
configPath string
kubeURL string
verbose string
uploadProxyEnvs UploadProxyEnvs
)
// UploadProxyEnvs contains environment variables read for setting custom cert paths
type UploadProxyEnvs struct {
ServerCertFile string `default:"/var/run/certs/cdi-uploadproxy-server-cert/tls.crt" split_words:"true"`
ServerKeyFile string `default:"/var/run/certs/cdi-uploadproxy-server-cert/tls.key" split_words:"true"`
UploadClientKeyFile string `default:"/var/run/certs/cdi-uploadserver-client-cert/tls.key" split_words:"true"`
UploadClientCertFile string `default:"/var/run/certs/cdi-uploadserver-client-cert/tls.crt" split_words:"true"`
UploadServerCABundleConfigMap string `default:"cdi-uploadserver-signer-bundle" split_words:"true"`
}
func init() {
// flags
flag.StringVar(&configPath, "kubeconfig", os.Getenv("KUBECONFIG"), "(Optional) Overrides $KUBECONFIG")
flag.StringVar(&kubeURL, "server", "", "(Optional) URL address of a remote api server. Do not set for local clusters.")
klog.InitFlags(nil)
flag.Parse()
// get the verbose level so it can be passed to the importer pod
defVerbose := fmt.Sprintf("%d", 1) // note flag values are strings
verbose = defVerbose
// visit actual flags passed in and if passed check -v and set verbose
flag.Visit(func(f *flag.Flag) {
if f.Name == "v" {
verbose = f.Value.String()
}
})
if verbose == defVerbose {
klog.V(1).Infof("Note: increase the -v level in the api deployment for more detailed logging, eg. -v=%d or -v=%d\n", 2, 3)
}
}
func main() {
defer klog.Flush()
namespace := util.GetNamespace()
err := envconfig.Process("", &uploadProxyEnvs)
if err != nil {
klog.Fatalf("Unable to get environment variables: %v\n", errors.WithStack(err))
}
cfg, err := clientcmd.BuildConfigFromFlags(kubeURL, configPath)
if err != nil {
klog.Fatalf("Unable to get kube config: %v\n", errors.WithStack(err))
}
client, err := kubernetes.NewForConfig(cfg)
if err != nil {
klog.Fatalf("Unable to get kube client: %v\n", errors.WithStack(err))
}
cdiClient := cdiclient.NewForConfigOrDie(cfg)
ctx := signals.SetupSignalHandler()
apiServerPublicKey, err := getAPIServerPublicKey()
if err != nil {
klog.Fatalf("Unable to get apiserver public key %v\n", errors.WithStack(err))
}
cdiConfigTLSWatcher, err := cryptowatch.NewCdiConfigTLSWatcher(ctx, cdiClient)
if err != nil {
klog.Fatalf("Unable to create cdiConfigTLSWatcher: %v\n", errors.WithStack(err))
}
certWatcher, err := certwatcher.New(uploadProxyEnvs.ServerCertFile, uploadProxyEnvs.ServerKeyFile)
if err != nil {
klog.Fatalf("Unable to create certwatcher: %v\n", errors.WithStack(err))
}
clientCertFetcher := &certfetcher.FileCertFetcher{KeyFileName: uploadProxyEnvs.UploadClientKeyFile, CertFileName: uploadProxyEnvs.UploadClientCertFile}
serverCAFetcher := &certfetcher.ConfigMapCertBundleFetcher{
Name: uploadProxyEnvs.UploadServerCABundleConfigMap,
Client: client.CoreV1().ConfigMaps(namespace),
}
uploadProxy, err := uploadproxy.NewUploadProxy(defaultHost,
defaultPort,
apiServerPublicKey,
cdiConfigTLSWatcher,
certWatcher,
clientCertFetcher,
serverCAFetcher,
client)
if err != nil {
klog.Fatalf("UploadProxy failed to initialize: %v\n", errors.WithStack(err))
}
go func() {
if err := certWatcher.Start(ctx.Done()); err != nil {
klog.Errorf("failed to close certWatcher, %v", err)
}
if err := ctx.Err(); err != nil {
klog.Errorf("certWatcher failed; %v", err)
}
}()
err = uploadProxy.Start()
if err != nil {
klog.Fatalf("TLS server failed: %v\n", errors.WithStack(err))
}
}
func getAPIServerPublicKey() (string, error) {
const envName = "APISERVER_PUBLIC_KEY"
val, ok := os.LookupEnv(envName)
if !ok {
return "", errors.Errorf("%s not defined", envName)
}
return val, nil
}