feat: use TLS profile to configure CMO server

Author: simonpasquier

cmd/operator/main.go

@@ -25,12 +25,18 @@ import (
 	"strings"
 	"syscall"
 
+	configv1client "github.com/openshift/client-go/config/clientset/versioned"
+	"github.com/openshift/library-go/pkg/operator/events"
 	"golang.org/x/sync/errgroup"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
 	runtimelog "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/openshift/cluster-monitoring-operator/pkg/client"
 	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 	cmo "github.com/openshift/cluster-monitoring-operator/pkg/operator"
 	"github.com/openshift/cluster-monitoring-operator/pkg/server"
@@ -83,6 +89,42 @@ type telemetryConfig struct {
 	Matches []string `json:"matches"`
 }
 
+func newClient(
+	ctx context.Context,
+	config *rest.Config,
+	version string,
+	namespace, namespaceUserWorkload string,
+) (*client.Client, error) {
+	kclient, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("creating kubernetes clientset client: %w", err)
+	}
+	controllerRef, err := events.GetControllerReferenceForCurrentPod(ctx, kclient, namespace, nil)
+	if err != nil {
+		klog.Warningf("unable to get owner reference (falling back to namespace): %v", err)
+	}
+
+	eventRecorder := events.NewKubeRecorderWithOptions(
+		kclient.CoreV1().Events(namespace),
+		events.RecommendedClusterSingletonCorrelatorOptions(),
+		"cluster-monitoring-operator",
+		controllerRef,
+		clock.RealClock{},
+	)
+
+	configClient, err := configv1client.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := client.NewForConfig(config, version, namespace, namespaceUserWorkload, client.KubernetesClient(kclient), client.OpenshiftConfigClient(configClient), client.EventRecorder(eventRecorder))
+	if err != nil {
+		return nil, err
+	}
+
+	return c, nil
+}
+
 func Main() int {
 	flagset := flag.CommandLine
 	klog.InitFlags(flagset)
@@ -170,10 +212,25 @@ func Main() int {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
+	client, err := newClient(ctx, config, *releaseVersion, *namespace, *namespaceUserWorkload)
+	if err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
+
+	// Retrieve the TLS settings from the API server configuration.
+	apiServerConfig, err := client.GetAPIServerConfig(ctx)
+	if err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
+	apiServerConfigAdapter := manifests.NewAPIServerConfig(apiServerConfig)
+
 	userWorkloadConfigMapName := "user-workload-monitoring-config"
 	o, err := cmo.New(
 		ctx,
-		config,
+		client,
+		apiServerConfigAdapter,
 		*releaseVersion,
 		*namespace,
 		*namespaceUserWorkload,
@@ -203,11 +260,23 @@ func Main() int {
 
 	wg.Go(func() error { return o.Run(ctx) })
 
-	srv, err := server.NewServer("cluster-monitoring-operator", config, *kubeconfigPath, *certFile, *keyFile)
+	srv, err := server.NewServer(
+		"cluster-monitoring-operator",
+		config,
+		*kubeconfigPath,
+		*certFile, *keyFile,
+		apiServerConfigAdapter.MinTLSVersion(),
+		apiServerConfigAdapter.TLSCiphers(),
+	)
 	if err != nil {
 		fmt.Fprint(os.Stderr, err)
 		return 1
 	}
+
+	if err := srv.Prepare(ctx); err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
 	wg.Go(func() error { return srv.Run(ctx) })
 
 	term := make(chan os.Signal, 1)

pkg/client/client.go

@@ -602,8 +602,8 @@ func (c *Client) GetInfrastructure(ctx context.Context, name string) (*configv1.
 	return c.oscclient.ConfigV1().Infrastructures().Get(ctx, name, metav1.GetOptions{})
 }
 
-func (c *Client) GetAPIServerConfig(ctx context.Context, name string) (*configv1.APIServer, error) {
-	return c.oscclient.ConfigV1().APIServers().Get(ctx, name, metav1.GetOptions{})
+func (c *Client) GetAPIServerConfig(ctx context.Context) (*configv1.APIServer, error) {
+	return c.oscclient.ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{})
 }
 
 func (c *Client) GetConsoleConfig(ctx context.Context, name string) (*configv1.Console, error) {
@@ -1963,3 +1963,11 @@ func Poll(ctx context.Context, condition wait.ConditionWithContextFunc, options
 
 	return nil
 }
+
+func (c *Client) OpenShiftConfigClientset() openshiftconfigclientset.Interface {
+	return c.oscclient
+}
+
+func (c *Client) EventsRecorder() events.Recorder {
+	return c.eventRecorder
+}

pkg/operator/operator.go

@@ -26,12 +26,10 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	"github.com/openshift/api/features"
-	configv1client "github.com/openshift/client-go/config/clientset/versioned"
 	configv1informers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/csr"
-	"github.com/openshift/library-go/pkg/operator/events"
 	certapiv1 "k8s.io/api/certificates/v1"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -40,12 +38,9 @@ import (
 	apiutilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
-	"k8s.io/utils/clock"
 	"k8s.io/utils/ptr"
 
 	"github.com/openshift/cluster-monitoring-operator/pkg/alert"
@@ -186,9 +181,10 @@ type Operator struct {
 	remoteWrite                    bool
 	ClusterMonitoringConfigEnabled bool
 
+	apiServerConfig *manifests.APIServerConfig
+
 	lastKnowInfrastructureConfig *InfrastructureConfig
 	lastKnowProxyConfig          *ProxyConfig
-	lastKnownApiServerConfig     *manifests.APIServerConfig
 	lastKnownConsoleConfig       *configv1.Console
 
 	client *client.Client
@@ -210,40 +206,14 @@ type Operator struct {
 
 func New(
 	ctx context.Context,
-	config *rest.Config,
+	c *client.Client,
+	apiServerConfig *manifests.APIServerConfig,
 	version, namespace, namespaceUserWorkload, configMapName, userWorkloadConfigMapName string,
 	remoteWrite bool,
 	images map[string]string,
 	telemetryMatches []string,
 	a *manifests.Assets,
 ) (*Operator, error) {
-	kclient, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, fmt.Errorf("creating kubernetes clientset client: %w", err)
-	}
-	controllerRef, err := events.GetControllerReferenceForCurrentPod(ctx, kclient, namespace, nil)
-	if err != nil {
-		klog.Warningf("unable to get owner reference (falling back to namespace): %v", err)
-	}
-
-	eventRecorder := events.NewKubeRecorderWithOptions(
-		kclient.CoreV1().Events(namespace),
-		events.RecommendedClusterSingletonCorrelatorOptions(),
-		"cluster-monitoring-operator",
-		controllerRef,
-		clock.RealClock{},
-	)
-
-	configClient, err := configv1client.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-
-	c, err := client.NewForConfig(config, version, namespace, namespaceUserWorkload, client.KubernetesClient(kclient), client.OpenshiftConfigClient(configClient), client.EventRecorder(eventRecorder))
-	if err != nil {
-		return nil, err
-	}
-
 	ruleController, err := alert.NewRuleController(ctx, c, version)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create alerting rule controller: %w", err)
@@ -259,6 +229,7 @@ func New(
 		telemetryMatches:          telemetryMatches,
 		configMapName:             configMapName,
 		userWorkloadConfigMapName: userWorkloadConfigMapName,
+		apiServerConfig:           apiServerConfig,
 		remoteWrite:               remoteWrite,
 		namespace:                 namespace,
 		namespaceUserWorkload:     namespaceUserWorkload,
@@ -432,7 +403,7 @@ func New(
 	)
 	o.informerFactories = append(o.informerFactories, kubeInformersOperatorNS)
 
-	configInformers := configv1informers.NewSharedInformerFactory(configClient, 10*time.Minute)
+	configInformers := configv1informers.NewSharedInformerFactory(c.OpenShiftConfigClientset(), 10*time.Minute)
 	missingVersion := "0.0.1-snapshot"
 
 	// By default, when the enabled/disabled list of featuregates changes,
@@ -442,7 +413,7 @@ func New(
 		version, missingVersion,
 		configInformers.Config().V1().ClusterVersions(),
 		configInformers.Config().V1().FeatureGates(),
-		eventRecorder,
+		c.EventsRecorder(),
 	)
 	go featureGateAccessor.Run(ctx)
 	go configInformers.Start(ctx.Done())
@@ -802,14 +773,6 @@ func (o *Operator) sync(ctx context.Context, key string) error {
 
 	var proxyConfig = getProxyReader(ctx, config, o.loadProxyConfig)
 
-	var apiServerConfig *manifests.APIServerConfig
-	apiServerConfig, err = o.loadApiServerConfig(ctx)
-
-	if err != nil {
-		o.reportFailed(ctx, newRunReportForError("APIServerConfigError", err))
-		return err
-	}
-
 	consoleConfig, err := o.loadConsoleConfig(ctx)
 	if err != nil {
 		klog.Warningf("Fail to load ConsoleConfig, AlertManager's externalURL may be outdated")
@@ -822,7 +785,7 @@ func (o *Operator) sync(ctx context.Context, key string) error {
 		o.loadInfrastructureConfig(ctx),
 		proxyConfig,
 		o.assets,
-		apiServerConfig,
+		o.apiServerConfig,
 		consoleConfig,
 	)
 
@@ -959,20 +922,6 @@ func (o *Operator) loadProxyConfig(ctx context.Context) (*ProxyConfig, error) {
 	return o.lastKnowProxyConfig, nil
 }
 
-func (o *Operator) loadApiServerConfig(ctx context.Context) (*manifests.APIServerConfig, error) {
-	config, err := o.client.GetAPIServerConfig(ctx, "cluster")
-	if err != nil {
-		klog.Warningf("failed to get api server config: %v", err)
-
-		if o.lastKnownApiServerConfig == nil {
-			return nil, fmt.Errorf("no last known api server configuration")
-		}
-	} else {
-		o.lastKnownApiServerConfig = manifests.NewAPIServerConfig(config)
-	}
-	return o.lastKnownApiServerConfig, nil
-}
-
 func (o *Operator) loadConsoleConfig(ctx context.Context) (*configv1.Console, error) {
 	config, err := o.client.GetConsoleConfig(ctx, "cluster")
 	if err == nil {

pkg/server/server.go

@@ -24,7 +24,6 @@ import (
 	"github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer"
 	"github.com/openshift/library-go/pkg/config/configdefaults"
 	"github.com/openshift/library-go/pkg/config/serving"
-	"github.com/openshift/library-go/pkg/crypto"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/union"
 	genericapiserver "k8s.io/apiserver/pkg/server"
@@ -43,10 +42,14 @@ type Server struct {
 	kubeClient        *kubernetes.Clientset
 	kubeConfig        string
 	certFile, keyFile string
+	minTLSVersion     string
+	cipherSuites      []string
+
+	srv *genericapiserver.GenericAPIServer
 }
 
 // NewServer returns a functional Server.
-func NewServer(name string, config *rest.Config, kubeConfig, certFile, keyFile string) (*Server, error) {
+func NewServer(name string, config *rest.Config, kubeConfig, certFile, keyFile string, minTLSVersion string, cipherSuites []string) (*Server, error) {
 	kubeClient, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		return nil, err
@@ -61,24 +64,24 @@ func NewServer(name string, config *rest.Config, kubeConfig, certFile, keyFile s
 	}, nil
 }
 
-// Run starts the HTTPS server exposing the Prometheus /metrics and validate webhook endpoints on port :8443.
+// Prepare configures the HTTPS server exposing the Prometheus /metrics and
+// validate webhook endpoints on port :8443.
+//
 // The server performs authn/authz as prescribed by
 // https://github.com/openshift/enhancements/blob/master/enhancements/monitoring/client-cert-scraping.md.
-func (s *Server) Run(ctx context.Context) error {
+func (s *Server) Prepare(ctx context.Context) error {
 	var server *genericapiserver.GenericAPIServer
 
 	servingInfo := configv1.HTTPServingInfo{}
 	configdefaults.SetRecommendedHTTPServingInfoDefaults(&servingInfo)
 	servingInfo.ServingInfo.CertInfo.CertFile = s.certFile
 	servingInfo.ServingInfo.CertInfo.KeyFile = s.keyFile
+
 	// Don't set a CA file for client certificates because the CA is read from
 	// the kube-system/extension-apiserver-authentication ConfigMap.
 	servingInfo.ServingInfo.ClientCA = ""
-	// Use intermediate TLS profile cipher suites to avoid insecure cipher warnings
-	// Convert OpenSSL cipher names to IANA names for Kubernetes validation
-	intermediateTLSProfile := configv1.TLSProfiles[configv1.TLSProfileIntermediateType]
-	servingInfo.ServingInfo.CipherSuites = crypto.OpenSSLToIANACipherSuites(intermediateTLSProfile.Ciphers)
-	servingInfo.ServingInfo.MinTLSVersion = string(intermediateTLSProfile.MinTLSVersion)
+	servingInfo.ServingInfo.CipherSuites = s.cipherSuites
+	servingInfo.ServingInfo.MinTLSVersion = s.minTLSVersion
 
 	serverConfig, err := serving.ToServerConfig(
 		ctx,
@@ -125,15 +128,16 @@ func (s *Server) Run(ctx context.Context) error {
 		*handler,
 	)
 
-	go func() {
-		if err := server.PrepareRun().RunWithContext(ctx); err != nil {
-			klog.Fatal(err)
-		}
-		klog.Info("server exited")
-	}()
+	s.srv = server
+	return nil
+}
 
-	<-ctx.Done()
+func (s *Server) Run(ctx context.Context) error {
+	if err := s.srv.PrepareRun().RunWithContext(ctx); ctx.Err() == nil {
+		return err
+	}
 
+	klog.Info("server exited")
 	return nil
 }