-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
webhook: Implement controller-runtime webhook server with CipherSuite…
…s knob (#65) * webhook: Override the controller-runtime server The current controller-runtime allow to configure TLS min version but it does not allow to configure the cipher suites. This change copy the server from the controller-runtime library to allow modifications. Signed-off-by: Quique Llorente <[email protected]> * webhook: Add CipherSuites to server To configure TLS CipherSuites this change add a new field to the Server struct to set the strings representing them, they will be passed to the underlaying tls.Config. Signed-off-by: Quique Llorente <[email protected]>
- Loading branch information
Showing
5 changed files
with
727 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| /* | ||
| Copyright 2022 The Kube Admission Webhook Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package httpserver | ||
|
|
||
| import ( | ||
| "net/http" | ||
| "time" | ||
| ) | ||
|
|
||
| // New returns a new server with sane defaults. | ||
| func New(handler http.Handler) *http.Server { | ||
| return &http.Server{ | ||
| Handler: handler, | ||
| MaxHeaderBytes: 1 << 20, | ||
| IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout | ||
| ReadHeaderTimeout: 32 * time.Second, | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| /* | ||
| Copyright 2022 The Kube Admission Webhook Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package metrics | ||
|
|
||
| import ( | ||
| "net/http" | ||
|
|
||
| "github.com/prometheus/client_golang/prometheus" | ||
| "github.com/prometheus/client_golang/prometheus/promhttp" | ||
|
|
||
| "sigs.k8s.io/controller-runtime/pkg/metrics" | ||
| ) | ||
|
|
||
| var ( | ||
| // RequestLatency is a prometheus metric which is a histogram of the latency | ||
| // of processing admission requests. | ||
| RequestLatency = prometheus.NewHistogramVec( | ||
| prometheus.HistogramOpts{ | ||
| Name: "kaw_latency_seconds", | ||
| Help: "Histogram of the latency of processing admission requests", | ||
| }, | ||
| []string{"webhook"}, | ||
| ) | ||
|
|
||
| // RequestTotal is a prometheus metric which is a counter of the total processed admission requests. | ||
| RequestTotal = func() *prometheus.CounterVec { | ||
| return prometheus.NewCounterVec( | ||
| prometheus.CounterOpts{ | ||
| Name: "kaw_requests_total", | ||
| Help: "Total number of admission requests by HTTP status code.", | ||
| }, | ||
| []string{"webhook", "code"}, | ||
| ) | ||
| }() | ||
|
|
||
| // RequestInFlight is a prometheus metric which is a gauge of the in-flight admission requests. | ||
| RequestInFlight = func() *prometheus.GaugeVec { | ||
| return prometheus.NewGaugeVec( | ||
| prometheus.GaugeOpts{ | ||
| Name: "kaw_requests_in_flight", | ||
| Help: "Current number of admission requests being served.", | ||
| }, | ||
| []string{"webhook"}, | ||
| ) | ||
| }() | ||
| ) | ||
|
|
||
| func init() { | ||
| metrics.Registry.MustRegister(RequestLatency, RequestTotal, RequestInFlight) | ||
| } | ||
|
|
||
| // InstrumentedHook adds some instrumentation on top of the given webhook. | ||
| func InstrumentedHook(path string, hookRaw http.Handler) http.Handler { | ||
| lbl := prometheus.Labels{"webhook": path} | ||
|
|
||
| lat := RequestLatency.MustCurryWith(lbl) | ||
| cnt := RequestTotal.MustCurryWith(lbl) | ||
| gge := RequestInFlight.With(lbl) | ||
|
|
||
| // Initialize the most likely HTTP status codes. | ||
| cnt.WithLabelValues("200") | ||
| cnt.WithLabelValues("500") | ||
|
|
||
| return promhttp.InstrumentHandlerDuration( | ||
| lat, | ||
| promhttp.InstrumentHandlerCounter( | ||
| cnt, | ||
| promhttp.InstrumentHandlerInFlight(gge, hookRaw), | ||
| ), | ||
| ) | ||
| } |
Oops, something went wrong.