github.com/cilium/cilium@v1.16.2/pkg/hubble/server/serveroption/option.go (about) 1 // SPDX-License-Identifier: Apache-2.0 2 // Copyright Authors of Hubble 3 4 // Copyright Authors of Cilium 5 6 package serveroption 7 8 import ( 9 "crypto/tls" 10 "fmt" 11 "net" 12 "os" 13 "strings" 14 15 grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus" 16 "golang.org/x/sys/unix" 17 "google.golang.org/grpc" 18 "google.golang.org/grpc/health" 19 healthpb "google.golang.org/grpc/health/grpc_health_v1" 20 21 observerpb "github.com/cilium/cilium/api/v1/observer" 22 peerpb "github.com/cilium/cilium/api/v1/peer" 23 recorderpb "github.com/cilium/cilium/api/v1/recorder" 24 "github.com/cilium/cilium/pkg/api" 25 "github.com/cilium/cilium/pkg/crypto/certloader" 26 v1 "github.com/cilium/cilium/pkg/hubble/api/v1" 27 ) 28 29 // MinTLSVersion defines the minimum TLS version clients are expected to 30 // support in order to establish a connection to the hubble server. 31 const MinTLSVersion = tls.VersionTLS13 32 33 // Options stores all the configuration values for the hubble server. 34 type Options struct { 35 Listener net.Listener 36 HealthService healthpb.HealthServer 37 ObserverService observerpb.ObserverServer 38 PeerService peerpb.PeerServer 39 RecorderService recorderpb.RecorderServer 40 ServerTLSConfig certloader.ServerConfigBuilder 41 Insecure bool 42 GRPCMetrics *grpc_prometheus.ServerMetrics 43 GRPCUnaryInterceptors []grpc.UnaryServerInterceptor 44 GRPCStreamInterceptors []grpc.StreamServerInterceptor 45 } 46 47 // Option customizes the hubble server's configuration. 48 type Option func(o *Options) error 49 50 // WithTCPListener configures a TCP listener with the address. 51 func WithTCPListener(address string) Option { 52 return func(o *Options) error { 53 socket, err := net.Listen("tcp", address) 54 if err != nil { 55 return err 56 } 57 if o.Listener != nil { 58 socket.Close() 59 return fmt.Errorf("listener already configured: %s", address) 60 } 61 o.Listener = socket 62 return nil 63 } 64 } 65 66 // WithUnixSocketListener configures a unix domain socket listener with the 67 // given file path. When the process runs in privileged mode, the file group 68 // owner is set to socketGroup. 69 func WithUnixSocketListener(path string) Option { 70 return func(o *Options) error { 71 if o.Listener != nil { 72 return fmt.Errorf("listener already configured") 73 } 74 socketPath := strings.TrimPrefix(path, "unix://") 75 unix.Unlink(socketPath) 76 socket, err := net.Listen("unix", socketPath) 77 if err != nil { 78 return err 79 } 80 if os.Getuid() == 0 { 81 if err := api.SetDefaultPermissions(socketPath); err != nil { 82 socket.Close() 83 return err 84 } 85 } 86 o.Listener = socket 87 return nil 88 } 89 } 90 91 // WithHealthService configures the server to expose the gRPC health service. 92 func WithHealthService() Option { 93 return func(o *Options) error { 94 healthSvc := health.NewServer() 95 healthSvc.SetServingStatus(v1.ObserverServiceName, healthpb.HealthCheckResponse_SERVING) 96 o.HealthService = healthSvc 97 return nil 98 } 99 } 100 101 // WithObserverService configures the server to expose the given observer server service. 102 func WithObserverService(svc observerpb.ObserverServer) Option { 103 return func(o *Options) error { 104 o.ObserverService = svc 105 return nil 106 } 107 } 108 109 // WithPeerService configures the server to expose the given peer server service. 110 func WithPeerService(svc peerpb.PeerServer) Option { 111 return func(o *Options) error { 112 o.PeerService = svc 113 return nil 114 } 115 } 116 117 // WithInsecure disables transport security. Transport security is required 118 // unless WithInsecure is set. Use WithTLS to set transport credentials for 119 // transport security. 120 func WithInsecure() Option { 121 return func(o *Options) error { 122 o.Insecure = true 123 return nil 124 } 125 } 126 127 // WithServerTLS sets the transport credentials for the server based on TLS. 128 func WithServerTLS(cfg certloader.ServerConfigBuilder) Option { 129 return func(o *Options) error { 130 o.ServerTLSConfig = cfg 131 return nil 132 } 133 } 134 135 // WithRecorderService configures the server to expose the given recorder 136 // server service. 137 func WithRecorderService(svc recorderpb.RecorderServer) Option { 138 return func(o *Options) error { 139 o.RecorderService = svc 140 return nil 141 } 142 } 143 144 // WithGRPCMetrics configures the server with the specified prometheus gPRC 145 // ServerMetrics. 146 func WithGRPCMetrics(grpcMetrics *grpc_prometheus.ServerMetrics) Option { 147 return func(o *Options) error { 148 o.GRPCMetrics = grpcMetrics 149 return nil 150 } 151 } 152 153 // WithGRPCStreamInterceptor configures the server with the given gRPC server stream interceptors 154 func WithGRPCStreamInterceptor(interceptors ...grpc.StreamServerInterceptor) Option { 155 return func(o *Options) error { 156 o.GRPCStreamInterceptors = append(o.GRPCStreamInterceptors, interceptors...) 157 return nil 158 } 159 } 160 161 // WithGRPCUnaryInterceptor configures the server with the given gRPC server stream interceptors 162 func WithGRPCUnaryInterceptor(interceptors ...grpc.UnaryServerInterceptor) Option { 163 return func(o *Options) error { 164 o.GRPCUnaryInterceptors = append(o.GRPCUnaryInterceptors, interceptors...) 165 return nil 166 } 167 }