fix(controller): separate proxy from controller on leader-election (#747)

* fix(controller): separate proxy from controller on leader-election

Signed-off-by: Oliver Bähler <[email protected]>

* fix(controller): separate proxy from controller on leader-election

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

charts/capsule-proxy/README.md

@@ -183,6 +183,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | options.extraArgs | list | `[]` | A list of extra arguments to add to the capsule-proxy. |
 | options.generateCertificates | bool | `true` | Specify if capsule-proxy will generate self-signed SSL certificates |
 | options.ignoredUserGroups | list | `[]` | Define which groups must be ignored while proxying requests |
+| options.leaderElection | bool | `false` | Set leader election to true if you are running n-replicas |
 | options.listeningPort | int | `9001` | Set the listening port of the capsule-proxy |
 | options.logLevel | string | `"4"` | Set the log verbosity of the capsule-proxy with a value from 1 to 10 |
 | options.oidcUsernameClaim | string | `"preferred_username"` | Specify if capsule-proxy will use SSL |

charts/capsule-proxy/ci/deploy-values.yaml

@@ -6,7 +6,7 @@ rbac:
     extra: annotation
   labels:
     extra: label
-kind: DaemonSet
+kind: Deployment
 imagePullSecrets: []
 certManager:
   generateCertificates: true
@@ -19,7 +19,6 @@ certManager:
     name: "" #  Name of the ClusterIssuer
 replicaCount: 1
 podAnnotations:
-  scheduler.alpha.kubernetes.io/critical-pod: ''
   extra: annotation
 podLabels:
   extra: label
@@ -44,7 +43,7 @@ autoscaling:
     example: annotation
   labels:
     example: label
-  minReplicas: 1
+  minReplicas: 3
   maxReplicas: 5
   targetCPUUtilizationPercentage: 80
   metrics:
@@ -64,19 +63,11 @@ autoscaling:
       - type: Percent
         value: 10
         periodSeconds: 60
-nodeSelector:
-  node-role.kubernetes.io/master: ""
-tolerations:
-  - key: CriticalAddonsOnly
-    operator: Exists
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/master
 service:
   annotations:
     example: annotation
   labels:
     example: label
-# Ingress
 ingress:
   enabled: true
   ingressClassName: "nginx"

charts/capsule-proxy/ci/ds-values.yaml

@@ -17,7 +17,6 @@ certManager:
     name: "" #  Name of the ClusterIssuer
 replicaCount: 1
 podAnnotations:
-  scheduler.alpha.kubernetes.io/critical-pod: ''
   extra: annotation
 podLabels:
   extra: label

charts/capsule-proxy/templates/_pod.tpl

@@ -70,6 +70,7 @@ spec:
     - --client-connection-qps={{ .Values.options.clientConnectionQPS }}
     - --client-connection-burst={{ .Values.options.clientConnectionBurst }}
     - --enable-pprof={{ .Values.options.pprof }}
+    - --enable-leader-election={{ .Values.options.leaderElection }}
     {{- if .Values.webhooks.enabled }}
       {{- if .Values.webhooks.watchdog.enabled }}
     - --webhooks=watchdog
@@ -78,8 +79,12 @@ spec:
     {{- with .Values.options.extraArgs }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    env:
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
     {{- with .Values.env }}
-    env: 
       {{- toYaml . | nindent 4 }}
     {{- end }}
     ports:

charts/capsule-proxy/values.schema.json

@@ -487,9 +487,6 @@
             "properties": {
                 "extra": {
                     "type": "string"
-                },
-                "scheduler.alpha.kubernetes.io/critical-pod": {
-                    "type": "string"
                 }
             },
             "type": "object"

charts/capsule-proxy/values.yaml

@@ -240,6 +240,8 @@ volumeMounts: []
 options:
   # -- Set the listening port of the capsule-proxy
   listeningPort: 9001
+  # -- Set leader election to true if you are running n-replicas
+  leaderElection: false
   # -- Set the log verbosity of the capsule-proxy with a value from 1 to 10
   logLevel: '4'
   # -- Name of the CapsuleConfiguration custom resource used by Capsule, required to identify the user groups

internal/webserver/webserver.go

@@ -59,7 +59,14 @@ import (
 	"github.com/projectcapsule/capsule-proxy/internal/webserver/middleware"
 )
 
-func NewKubeFilter(opts options.ListenerOpts, srv options.ServerOptions, gates featuregate.FeatureGate, rbReflector *controllers.RoleBindingReflector, clientOverride client.Reader, client client.Client) (Filter, error) {
+func NewKubeFilter(
+	opts options.ListenerOpts,
+	srv options.ServerOptions,
+	gates featuregate.FeatureGate,
+	rbReflector *controllers.RoleBindingReflector,
+	clientOverride client.Reader,
+	mgr ctrl.Manager,
+) (Filter, error) {
 	reverseProxy := httputil.NewSingleHostReverseProxy(opts.KubernetesControlPlaneURL())
 	reverseProxy.FlushInterval = time.Millisecond * 100
 
@@ -71,10 +78,11 @@ func NewKubeFilter(opts options.ListenerOpts, srv options.ServerOptions, gates f
 	reverseProxy.Transport = reverseProxyTransport
 
 	return &kubeFilter{
+		mgr:                        mgr,
 		gates:                      gates,
 		reader:                     clientOverride,
-		writer:                     client,
-		managerReader:              client,
+		writer:                     mgr.GetClient(),
+		managerReader:              mgr.GetClient(),
 		allowedPaths:               sets.New("/api", "/apis", "/version"),
 		authTypes:                  opts.AuthTypes(),
 		ignoredUserGroups:          sets.New(opts.IgnoredGroupNames()...),
@@ -93,6 +101,7 @@ func NewKubeFilter(opts options.ListenerOpts, srv options.ServerOptions, gates f
 }
 
 type kubeFilter struct {
+	mgr                        ctrl.Manager
 	allowedPaths               sets.Set[string]
 	authTypes                  []req.AuthType
 	ignoredUserGroups          sets.Set[string]
@@ -113,11 +122,86 @@ type kubeFilter struct {
 	writer                client.Writer
 }
 
+//nolint:funlen
+func (n *kubeFilter) Start(ctx context.Context) error {
+	r := mux.NewRouter()
+	r.Use(handlers.RecoveryHandler())
+
+	r.Path("/_healthz").Subrouter().HandleFunc("", func(writer http.ResponseWriter, _ *http.Request) {
+		writer.WriteHeader(http.StatusOK)
+		_, _ = writer.Write([]byte("ok"))
+	})
+
+	root := r.PathPrefix("").Subrouter()
+	n.registerModules(ctx, root)
+	root.Use(
+		n.reverseProxyMiddleware,
+		middleware.CheckPaths(n.log, n.allowedPaths, n.impersonateHandler),
+		middleware.CheckJWTMiddleware(n.writer),
+	)
+	root.PathPrefix("/").HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		n.impersonateHandler(writer, request)
+	})
+
+	var srv *http.Server
+
+	go func() {
+		var err error
+
+		addr := fmt.Sprintf("0.0.0.0:%d", n.serverOptions.ListeningPort())
+
+		if n.serverOptions.IsListeningTLS() {
+			tlsConfig := &tls.Config{
+				MinVersion: tls.VersionTLS12,
+				ClientCAs:  n.serverOptions.GetCertificateAuthorityPool(),
+			}
+
+			for _, authType := range n.authTypes {
+				if authType == req.TLSCertificate {
+					tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+
+					break
+				}
+			}
+
+			srv = &http.Server{
+				Handler:           r,
+				Addr:              addr,
+				TLSConfig:         tlsConfig,
+				ReadHeaderTimeout: 5 * time.Second,
+			}
+			err = srv.ListenAndServeTLS(n.serverOptions.TLSCertificatePath(), n.serverOptions.TLSCertificateKeyPath())
+		} else {
+			srv = &http.Server{
+				Handler:           r,
+				Addr:              addr,
+				ReadHeaderTimeout: 5 * time.Second,
+			}
+			err = srv.ListenAndServe()
+		}
+
+		if err != nil {
+			panic(err)
+		}
+	}()
+
+	<-ctx.Done()
+
+	return srv.Shutdown(ctx)
+}
+
 func (n *kubeFilter) LivenessProbe(*http.Request) error {
 	return nil
 }
 
 func (n *kubeFilter) ReadinessProbe(req *http.Request) (err error) {
+	select {
+	case <-n.mgr.Elected():
+		// OK, we're the leader..
+	default:
+		return nil
+	}
+
 	scheme := "http"
 	clt := &http.Client{}
 
@@ -158,6 +242,17 @@ func (n *kubeFilter) ReadinessProbe(req *http.Request) (err error) {
 	return nil
 }
 
+func (n *kubeFilter) BearerToken() string {
+	if time.Now().After(n.bearerTokenExpirationTime) {
+		n.log.V(5).Info("Token expired. Reading new token from file", "token", n.bearerToken, "token file", n.bearerTokenFile)
+		token, _ := os.ReadFile(n.bearerTokenFile)
+		n.bearerToken = string(token)
+		n.bearerTokenExpirationTime = bearerExpirationTime(string(token))
+	}
+
+	return n.bearerToken
+}
+
 func (n *kubeFilter) reverseProxyMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 		next.ServeHTTP(writer, request)
@@ -346,74 +441,6 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
 	}
 }
 
-//nolint:funlen
-func (n *kubeFilter) Start(ctx context.Context) error {
-	r := mux.NewRouter()
-	r.Use(handlers.RecoveryHandler())
-
-	r.Path("/_healthz").Subrouter().HandleFunc("", func(writer http.ResponseWriter, _ *http.Request) {
-		writer.WriteHeader(http.StatusOK)
-		_, _ = writer.Write([]byte("ok"))
-	})
-
-	root := r.PathPrefix("").Subrouter()
-	n.registerModules(ctx, root)
-	root.Use(
-		n.reverseProxyMiddleware,
-		middleware.CheckPaths(n.log, n.allowedPaths, n.impersonateHandler),
-		middleware.CheckJWTMiddleware(n.writer),
-	)
-	root.PathPrefix("/").HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		n.impersonateHandler(writer, request)
-	})
-
-	var srv *http.Server
-
-	go func() {
-		var err error
-
-		addr := fmt.Sprintf("0.0.0.0:%d", n.serverOptions.ListeningPort())
-
-		if n.serverOptions.IsListeningTLS() {
-			tlsConfig := &tls.Config{
-				MinVersion: tls.VersionTLS12,
-				ClientCAs:  n.serverOptions.GetCertificateAuthorityPool(),
-			}
-
-			for _, authType := range n.authTypes {
-				if authType == req.TLSCertificate {
-					tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
-
-					break
-				}
-			}
-
-			srv = &http.Server{
-				Handler:           r,
-				Addr:              addr,
-				TLSConfig:         tlsConfig,
-				ReadHeaderTimeout: 5 * time.Second,
-			}
-			err = srv.ListenAndServeTLS(n.serverOptions.TLSCertificatePath(), n.serverOptions.TLSCertificateKeyPath())
-		} else {
-			srv = &http.Server{
-				Handler:           r,
-				Addr:              addr,
-				ReadHeaderTimeout: 5 * time.Second,
-			}
-			err = srv.ListenAndServe()
-		}
-
-		if err != nil {
-			panic(err)
-		}
-	}()
-
-	<-ctx.Done()
-
-	return srv.Shutdown(ctx)
-}
-
 func (n *kubeFilter) getTenantsForOwner(ctx context.Context, username string, groups []string) (proxyTenants []*tenant.ProxyTenant, err error) {
 	if strings.HasPrefix(username, serviceaccount.ServiceAccountUsernamePrefix) {
 		proxyTenants, err = n.getProxyTenantsForOwnerKind(ctx, capsulev1beta2.ServiceAccountOwner, username)
@@ -547,17 +574,6 @@ func (n *kubeFilter) removingHopByHopHeaders(request *http.Request) {
 	request.Header.Del(connectionHeaderName)
 }
 
-func (n *kubeFilter) BearerToken() string {
-	if time.Now().After(n.bearerTokenExpirationTime) {
-		n.log.V(5).Info("Token expired. Reading new token from file", "token", n.bearerToken, "token file", n.bearerTokenFile)
-		token, _ := os.ReadFile(n.bearerTokenFile)
-		n.bearerToken = string(token)
-		n.bearerTokenExpirationTime = bearerExpirationTime(string(token))
-	}
-
-	return n.bearerToken
-}
-
 func bearerExpirationTime(tokenString string) time.Time {
 	token, _, _ := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
 	claims, _ := token.Claims.(jwt.MapClaims)