|
1 | | -/* |
2 | | -Copyright 2024. |
3 | | -
|
4 | | -Licensed under the Apache License, Version 2.0 (the "License"); |
5 | | -you may not use this file except in compliance with the License. |
6 | | -You may obtain a copy of the License at |
7 | | -
|
8 | | - http://www.apache.org/licenses/LICENSE-2.0 |
9 | | -
|
10 | | -Unless required by applicable law or agreed to in writing, software |
11 | | -distributed under the License is distributed on an "AS IS" BASIS, |
12 | | -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | | -See the License for the specific language governing permissions and |
14 | | -limitations under the License. |
15 | | -*/ |
16 | | - |
17 | | -// Package main contains the implementation of the CNPG-i operator plugin |
| 1 | +// Package main is the entrypoint of operator plugin |
18 | 2 | package main |
19 | 3 |
|
20 | 4 | import ( |
21 | | - "crypto/tls" |
22 | | - "flag" |
| 5 | + "context" |
| 6 | + "fmt" |
23 | 7 | "os" |
24 | 8 |
|
25 | | - // +kubebuilder:scaffold:imports |
26 | | - "k8s.io/apimachinery/pkg/runtime" |
27 | | - utilruntime "k8s.io/apimachinery/pkg/util/runtime" |
28 | | - clientgoscheme "k8s.io/client-go/kubernetes/scheme" |
| 9 | + "github.com/cloudnative-pg/machinery/pkg/log" |
| 10 | + "github.com/sourcegraph/conc/pool" |
| 11 | + "github.com/spf13/cobra" |
| 12 | + "github.com/spf13/viper" |
29 | 13 | ctrl "sigs.k8s.io/controller-runtime" |
30 | | - "sigs.k8s.io/controller-runtime/pkg/healthz" |
31 | | - "sigs.k8s.io/controller-runtime/pkg/log/zap" |
32 | | - "sigs.k8s.io/controller-runtime/pkg/metrics/filters" |
33 | | - metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" |
34 | | - "sigs.k8s.io/controller-runtime/pkg/webhook" |
35 | 14 |
|
36 | | - barmancloudv1 "github.com/cloudnative-pg/plugin-barman-cloud/api/v1" |
37 | 15 | "github.com/cloudnative-pg/plugin-barman-cloud/internal/cnpgi/operator" |
38 | | - "github.com/cloudnative-pg/plugin-barman-cloud/internal/controller" |
39 | | - |
40 | | - // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) |
41 | | - // to ensure that exec-entrypoint and run can make use of them. |
42 | | - _ "k8s.io/client-go/plugin/pkg/client/auth" |
| 16 | + "github.com/cloudnative-pg/plugin-barman-cloud/internal/manager" |
43 | 17 | ) |
44 | 18 |
|
45 | | -var ( |
46 | | - scheme = runtime.NewScheme() |
47 | | - setupLog = ctrl.Log.WithName("setup") |
48 | | -) |
49 | | - |
50 | | -func init() { |
51 | | - utilruntime.Must(clientgoscheme.AddToScheme(scheme)) |
52 | | - |
53 | | - utilruntime.Must(barmancloudv1.AddToScheme(scheme)) |
54 | | - // +kubebuilder:scaffold:scheme |
55 | | -} |
56 | | - |
57 | 19 | func main() { |
58 | | - var metricsAddr string |
59 | | - var enableLeaderElection bool |
60 | | - var probeAddr string |
61 | | - var secureMetrics bool |
62 | | - var enableHTTP2 bool |
63 | | - var tlsOpts []func(*tls.Config) |
64 | | - flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ |
65 | | - "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") |
66 | | - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") |
67 | | - flag.BoolVar(&enableLeaderElection, "leader-elect", false, |
68 | | - "Enable leader election for controller manager. "+ |
69 | | - "Enabling this will ensure there is only one active controller manager.") |
70 | | - flag.BoolVar(&secureMetrics, "metrics-secure", true, |
71 | | - "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") |
72 | | - flag.BoolVar(&enableHTTP2, "enable-http2", false, |
73 | | - "If set, HTTP/2 will be enabled for the metrics and webhook servers") |
74 | | - opts := zap.Options{ |
75 | | - Development: true, |
76 | | - } |
77 | | - opts.BindFlags(flag.CommandLine) |
78 | | - flag.Parse() |
79 | | - |
80 | | - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) |
81 | | - |
82 | | - // if the enable-http2 flag is false (the default), http/2 should be disabled |
83 | | - // due to its vulnerabilities. More specifically, disabling http/2 will |
84 | | - // prevent from being vulnerable to the HTTP/2 Stream Cancellation and |
85 | | - // Rapid Reset CVEs. For more information see: |
86 | | - // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 |
87 | | - // - https://github.com/advisories/GHSA-4374-p667-p6c8 |
88 | | - disableHTTP2 := func(c *tls.Config) { |
89 | | - setupLog.Info("disabling http/2") |
90 | | - c.NextProtos = []string{"http/1.1"} |
| 20 | + cobra.EnableTraverseRunHooks = true |
| 21 | + |
| 22 | + logFlags := &log.Flags{} |
| 23 | + rootCmd := &cobra.Command{ |
| 24 | + Use: "plugin-barman-cloud", |
| 25 | + PersistentPreRunE: func(_ *cobra.Command, _ []string) error { |
| 26 | + logFlags.ConfigureLogging() |
| 27 | + return nil |
| 28 | + }, |
91 | 29 | } |
92 | 30 |
|
93 | | - if !enableHTTP2 { |
94 | | - tlsOpts = append(tlsOpts, disableHTTP2) |
95 | | - } |
| 31 | + logFlags.AddFlags(rootCmd.PersistentFlags()) |
| 32 | + rootCmd.AddCommand(newOperatorCommand()) |
96 | 33 |
|
97 | | - webhookServer := webhook.NewServer(webhook.Options{ |
98 | | - TLSOpts: tlsOpts, |
99 | | - }) |
100 | | - |
101 | | - // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. |
102 | | - // More info: |
103 | | - // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/server |
104 | | - // - https://book.kubebuilder.io/reference/metrics.html |
105 | | - metricsServerOptions := metricsserver.Options{ |
106 | | - BindAddress: metricsAddr, |
107 | | - SecureServing: secureMetrics, |
108 | | - // TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are |
109 | | - // not provided, self-signed certificates will be generated by default. This option is not recommended for |
110 | | - // production environments as self-signed certificates do not offer the same level of trust and security |
111 | | - // as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing |
112 | | - // unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName |
113 | | - // to provide certificates, ensuring the server communicates using trusted and secure certificates. |
114 | | - TLSOpts: tlsOpts, |
| 34 | + if err := rootCmd.Execute(); err != nil { |
| 35 | + fmt.Println(err) |
| 36 | + os.Exit(1) |
115 | 37 | } |
| 38 | +} |
116 | 39 |
|
117 | | - if secureMetrics { |
118 | | - // FilterProvider is used to protect the metrics endpoint with authn/authz. |
119 | | - // These configurations ensure that only authorized users and service accounts |
120 | | - // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: |
121 | | - // https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/metrics/filters#WithAuthenticationAndAuthorization |
122 | | - metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization |
| 40 | +func newOperatorCommand() *cobra.Command { |
| 41 | + cmd := operator.NewCommand() |
| 42 | + cmd.Use = "operator" |
| 43 | + cmd.Short = "Starts the BarmanObjectStore reconciler and the Barman Cloud CNPG-i plugin" |
| 44 | + grpcServer := cmd.RunE |
| 45 | + |
| 46 | + cmd.RunE = func(cmd *cobra.Command, args []string) error { |
| 47 | + ctrl.SetupSignalHandler() |
| 48 | + operatorPool := pool. |
| 49 | + New(). |
| 50 | + WithContext(cmd.Context()). |
| 51 | + WithCancelOnError(). |
| 52 | + WithFirstError() |
| 53 | + operatorPool.Go(func(ctx context.Context) error { |
| 54 | + cmd.SetContext(ctx) |
| 55 | + |
| 56 | + if len(viper.GetString("sidecar-image")) == 0 { |
| 57 | + return fmt.Errorf("missing required SIDECAR_IMAGE environment variable") |
| 58 | + } |
| 59 | + |
| 60 | + err := grpcServer(cmd, args) |
| 61 | + return err |
| 62 | + }) |
| 63 | + operatorPool.Go(manager.Start) |
| 64 | + return operatorPool.Wait() |
123 | 65 | } |
124 | 66 |
|
125 | | - mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ |
126 | | - Scheme: scheme, |
127 | | - Metrics: metricsServerOptions, |
128 | | - WebhookServer: webhookServer, |
129 | | - HealthProbeBindAddress: probeAddr, |
130 | | - LeaderElection: enableLeaderElection, |
131 | | - LeaderElectionID: "822e3f5c.cnpg.io", |
132 | | - // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily |
133 | | - // when the Manager ends. This requires the binary to immediately end when the |
134 | | - // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly |
135 | | - // speeds up voluntary leader transitions as the new leader don't have to wait |
136 | | - // LeaseDuration time first. |
137 | | - // |
138 | | - // In the default scaffold provided, the program ends immediately after |
139 | | - // the manager stops, so would be fine to enable this option. However, |
140 | | - // if you are doing or is intended to do any operation such as perform cleanups |
141 | | - // after the manager stops then its usage might be unsafe. |
142 | | - // LeaderElectionReleaseOnCancel: true, |
143 | | - }) |
144 | | - if err != nil { |
145 | | - setupLog.Error(err, "unable to start manager") |
146 | | - os.Exit(1) |
147 | | - } |
| 67 | + cmd.Flags().String("metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ |
| 68 | + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") |
| 69 | + _ = viper.BindPFlag("metrics-bind-address", cmd.Flags().Lookup("metrics-bind-address")) |
148 | 70 |
|
149 | | - if err = (&controller.ObjectStoreReconciler{ |
150 | | - Client: mgr.GetClient(), |
151 | | - Scheme: mgr.GetScheme(), |
152 | | - }).SetupWithManager(mgr); err != nil { |
153 | | - setupLog.Error(err, "unable to create controller", "controller", "ObjectStore") |
154 | | - os.Exit(1) |
155 | | - } |
156 | | - // +kubebuilder:scaffold:builder |
| 71 | + cmd.Flags().String("health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") |
| 72 | + _ = viper.BindPFlag("health-probe-bind-address", cmd.Flags().Lookup("health-probe-bind-address")) |
157 | 73 |
|
158 | | - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { |
159 | | - setupLog.Error(err, "unable to set up health check") |
160 | | - os.Exit(1) |
161 | | - } |
162 | | - if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { |
163 | | - setupLog.Error(err, "unable to set up ready check") |
164 | | - os.Exit(1) |
165 | | - } |
| 74 | + cmd.Flags().Bool("leader-elect", false, |
| 75 | + "Enable leader election for controller manager. "+ |
| 76 | + "Enabling this will ensure there is only one active controller manager.") |
| 77 | + _ = viper.BindPFlag("leader-elect", cmd.Flags().Lookup("leader-elect")) |
166 | 78 |
|
167 | | - if err := mgr.Add(&operator.CNPGI{}); err != nil { |
168 | | - setupLog.Error(err, "unable to create CNPGI webserver") |
169 | | - os.Exit(1) |
170 | | - } |
| 79 | + cmd.Flags().Bool("metrics-secure", true, |
| 80 | + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") |
| 81 | + _ = viper.BindPFlag("metrics-secure", cmd.Flags().Lookup("metrics-secure")) |
171 | 82 |
|
172 | | - setupLog.Info("starting manager") |
173 | | - if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { |
174 | | - setupLog.Error(err, "problem running manager") |
175 | | - os.Exit(1) |
176 | | - } |
| 83 | + cmd.Flags().Bool("enable-http2", false, |
| 84 | + "If set, HTTP/2 will be enabled for the metrics and webhook servers") |
| 85 | + _ = viper.BindPFlag("enable-http2", cmd.Flags().Lookup("enable-http2")) |
| 86 | + |
| 87 | + _ = viper.BindEnv("sidecar-image", "SIDECAR_IMAGE") |
| 88 | + |
| 89 | + return cmd |
177 | 90 | } |
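Review bot: The context returned by `ctrl.SetupSignalHandler()` on the new line 47 is discarded, so the pool is built on `cmd.Context()`, which a plain `rootCmd.Execute()` leaves as a background context; the first SIGTERM/SIGINT therefore cancels nothing, and the second one makes controller-runtime's handler `os.Exit(1)` with no graceful shutdown of the gRPC server or the manager. Use the returned context for the pool, `ctx := ctrl.SetupSignalHandler()` followed by `WithContext(ctx)` (the `cmd.SetContext(ctx)` inside the goroutine can stay), or, if `operator.NewCommand` already installs a handler, drop this call instead, since controller-runtime panics when it is set up twice. The `enable-http2` and `metrics-secure` flags are now only bound to viper keys, and nothing in this hunk disables HTTP/2 (the Rapid Reset mitigation the removed `disableHTTP2` closure provided) or applies `filters.WithAuthenticationAndAuthorization` to the metrics endpoint; presumably `manager.Start` reads those keys, but that should be confirmed, otherwise the flags are silent no-ops and the metrics endpoint loses its authn/authz. The blank import of `k8s.io/client-go/plugin/pkg/client/auth` was dropped as well; unless it moved into `internal/manager`, exec/OIDC-based kubeconfigs will stop working when the binary runs outside the cluster. Finally, `fmt.Println(err)` in `main` sends the failure to stdout; `fmt.Fprintln(os.Stderr, err)` is the conventional destination.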