// Code generated by go-swagger; DO NOT EDIT.

package server

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io/ioutil"
	"log"
	"net"
	"net/http"
	"os"
	"os/signal"
	"strconv"
	"sync"
	"sync/atomic"
	"syscall"
	"time"

	"github.com/go-openapi/runtime/flagext"
	"github.com/go-openapi/swag"
	flags "github.com/jessevdk/go-flags"
	"golang.org/x/net/netutil"

	"github.com/cilium/cilium/api/v1/server/restapi"
	"github.com/cilium/cilium/pkg/api"
)

// Listener schemes accepted by the --scheme flag.
const (
	schemeHTTP  = "http"
	schemeHTTPS = "https"
	schemeUnix  = "unix"
)

// defaultSchemes is used by hasScheme when --scheme was never given.
var defaultSchemes []string

func init() {
	// Only the unix socket is on by default. The TCP schemes are an explicit
	// opt-in: http is plaintext, and https only authenticates clients when
	// --tls-ca is supplied, so neither should be exposed by accident.
	defaultSchemes = []string{
		schemeUnix,
	}
}

// NewServer creates a new api cilium server but does not configure it.
// The result still needs an API (ConfigureAPI/SetAPI) or a handler
// (SetHandler) and a call to Serve before it accepts connections.
func NewServer(api *restapi.CiliumAPI) *Server {
	return &Server{
		api:      api,
		shutdown: make(chan struct{}),
		// signal.Notify never blocks on delivery; a buffer of one keeps a
		// signal that arrives before handleInterrupt is running from being lost.
		interrupt: make(chan os.Signal, 1),
	}
}

// ConfigureAPI configures the API and handlers.
// It is a no-op until an API has been attached.
func (s *Server) ConfigureAPI() {
	if s.api == nil {
		return
	}
	s.handler = configureAPI(s.api)
}
// ConfigureFlags configures the additional flags defined by the handlers. Needs to be called before the parser.Parse
// It is a no-op until an API has been attached.
func (s *Server) ConfigureFlags() {
	if s.api != nil {
		configureFlags(s.api)
	}
}

// Server for the cilium API.
//
// Exported fields are populated from the command line / environment by go-flags
// (see the struct tags); Listen fills the unexported listeners and Serve runs
// one http.Server per enabled scheme on top of them. A zero Server is not
// usable: construct it with NewServer so the shutdown and signal channels exist.
type Server struct {
	// EnabledListeners is the set of --scheme values. When empty, hasScheme
	// falls back to defaultSchemes, i.e. the unix socket only.
	EnabledListeners []string `long:"scheme" description:"the listeners to enable, this can be repeated and defaults to the schemes in the swagger spec"`
	// CleanupTimeout becomes http.Server.IdleTimeout on every listener.
	CleanupTimeout time.Duration `long:"cleanup-timeout" description:"grace period for which to wait before killing idle connections" default:"10s"`
	// GracefulTimeout bounds http.Server.Shutdown in handleShutdown.
	GracefulTimeout time.Duration `long:"graceful-timeout" description:"grace period for which to wait before shutting down the server" default:"15s"`
	// MaxHeaderSize becomes http.Server.MaxHeaderBytes; it does not bound request bodies.
	MaxHeaderSize flagext.ByteSize `long:"max-header-size" description:"controls the maximum number of bytes the server will read parsing the request header's keys and values, including the request line. It does not limit the size of the request body." default:"1MiB"`

	// SocketPath is the unix socket bound by Listen. Serve tightens its
	// permissions via api.SetDefaultPermissions only when running as root.
	SocketPath    flags.Filename `long:"socket-path" description:"the unix socket to listen on" default:"/var/run/cilium.sock"`
	domainSocketL net.Listener // set by Listen when the unix scheme is enabled

	// Host/Port address the plaintext http listener. This server performs no
	// authentication on it; the default binds loopback only.
	Host string `long:"host" description:"the IP to listen on" default:"localhost" env:"HOST"`
	// Port 0 lets the kernel pick a free port; Listen writes the chosen one back.
	Port int `long:"port" description:"the port to listen on for insecure connections, defaults to a random value" env:"PORT"`
	// ListenLimit > 0 wraps the http listener in netutil.LimitListener.
	ListenLimit int `long:"listen-limit" description:"limit the number of outstanding requests"`
	// KeepAlive <= 0 disables HTTP keep-alives on the http listener (see Serve).
	KeepAlive    time.Duration `long:"keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)" default:"3m"`
	ReadTimeout  time.Duration `long:"read-timeout" description:"maximum duration before timing out read of the request" default:"30s"`
	WriteTimeout time.Duration `long:"write-timeout" description:"maximum duration before timing out write of the response" default:"60s"`
	httpServerL  net.Listener // set by Listen when the http scheme is enabled

	// TLS* mirror the http settings for the https listener. Listen copies the
	// http values into any TLS field that is still zero.
	TLSHost string `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"`
	TLSPort int    `long:"tls-port" description:"the port to listen on for secure connections, defaults to a random value" env:"TLS_PORT"`
	// TLSCertificate and TLSCertificateKey are both required for https; Serve
	// exits via Fatalf when either is missing.
	TLSCertificate    flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" env:"TLS_CERTIFICATE"`
	TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure conections" env:"TLS_PRIVATE_KEY"`
	// TLSCACertificate, when set, makes Serve require and verify a client
	// certificate against this CA. When empty, https does NOT authenticate
	// clients at all; anyone who can reach the port can call the API.
	TLSCACertificate flags.Filename `long:"tls-ca" description:"the certificate authority file to be used with mutual tls auth" env:"TLS_CA_CERTIFICATE"`
	TLSListenLimit   int            `long:"tls-listen-limit" description:"limit the number of outstanding requests"`
	TLSKeepAlive     time.Duration  `long:"tls-keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)"`
	TLSReadTimeout   time.Duration  `long:"tls-read-timeout" description:"maximum duration before timing out read of the request"`
	TLSWriteTimeout  time.Duration  `long:"tls-write-timeout" description:"maximum duration before timing out write of the response"`
	httpsServerL     net.Listener   // raw TCP listener; Serve wraps it with tls.NewListener

	api          *restapi.CiliumAPI // nil until NewServer/SetAPI provides one
	handler      http.Handler       // served on every listener; defaults to api.Serve(nil)
	hasListeners bool               // Listen already succeeded
	shutdown     chan struct{}      // closed exactly once by Shutdown
	shuttingDown int32              // CAS guard so the close above happens once
	interrupted  bool               // only read/written by the handleInterrupt goroutine
	interrupt    chan os.Signal     // receives SIGINT/SIGTERM via signalNotify
}
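// Logf logs message either via defined user logger or via system one if no user logger is defined.
//
// f is a printf-style format. Every caller in this file passes a constant
// format and hands dynamic text in as an argument ("%v"); keep it that way so
// untrusted strings never become the format itself.
func (s *Server) Logf(f string, args ...interface{}) {
	if s.api != nil && s.api.Logger != nil {
		s.api.Logger(f, args...)
	} else {
		log.Printf(f, args...)
	}
}

// Fatalf logs message either via defined user logger or via system one if no user logger is defined.
// Exits with non-zero status after printing.
//
// It is called from the per-listener goroutines in Serve, so a listener that
// fails while serving terminates the whole process rather than returning an
// error; deferred cleanup does not run on that path.
func (s *Server) Fatalf(f string, args ...interface{}) {
	if s.api != nil && s.api.Logger != nil {
		s.api.Logger(f, args...)
		os.Exit(1)
	} else {
		log.Fatalf(f, args...)
	}
}

// SetAPI configures the server with the specified API. Needs to be called before Serve.
//
// Passing nil detaches both the API and the handler. A non-nil API has its
// Logger replaced with log.Printf and a handler is built from it immediately.
func (s *Server) SetAPI(api *restapi.CiliumAPI) {
	if api == nil {
		s.api = nil
		s.handler = nil
		return
	}

	s.api = api
	s.api.Logger = log.Printf
	s.handler = configureAPI(api)
}

// hasScheme reports whether scheme is enabled, falling back to defaultSchemes
// (unix only) when --scheme was never given.
func (s *Server) hasScheme(scheme string) bool {
	schemes := s.EnabledListeners
	if len(schemes) == 0 {
		schemes = defaultSchemes
	}

	for _, v := range schemes {
		if v == scheme {
			return true
		}
	}
	return false
}

// Serve the api.
//
// Serve binds the listeners if Listen has not run yet, starts one http.Server
// per enabled scheme and blocks until Shutdown (or SIGINT/SIGTERM) has drained
// them. An error is returned only for setup failures (binding, unix socket
// permissions, TLS material); a listener that fails while serving goes through
// Fatalf and exits the process.
//
// Security notes for operators:
//   - the http scheme is plaintext and this server adds no authentication;
//     keep it on loopback (the --host default) or a trusted network.
//   - the https scheme authenticates clients only when --tls-ca is given.
func (s *Server) Serve() (err error) {
	if !s.hasListeners {
		if err = s.Listen(); err != nil {
			return err
		}
	}

	// set default handler, if none is set
	if s.handler == nil {
		if s.api == nil {
			return errors.New("can't create the default handler, as no api is set")
		}

		s.SetHandler(s.api.Serve(nil))
	}

	wg := new(sync.WaitGroup)
	once := new(sync.Once)
	signalNotify(s.interrupt)
	go handleInterrupt(once, s)

	// handleShutdown reads this slice only after s.shutdown is closed.
	// NOTE(review): a signal that lands while the appends below are still
	// running would race with that read; not synchronised here.
	servers := []*http.Server{}
	wg.Add(1)
	go s.handleShutdown(wg, &servers)

	if s.hasScheme(schemeUnix) {
		domainSocket := new(http.Server)
		domainSocket.MaxHeaderBytes = int(s.MaxHeaderSize)
		domainSocket.Handler = s.handler
		if int64(s.CleanupTimeout) > 0 {
			domainSocket.IdleTimeout = s.CleanupTimeout
		}

		configureServer(domainSocket, "unix", string(s.SocketPath))

		// The socket file was created in Listen with umask-derived
		// permissions. Only a root process tightens them here, so a non-root
		// run keeps whatever the umask produced, and even as root there is a
		// short window between bind and this call.
		// NOTE(review): SetDefaultPermissions lives in pkg/api; confirm the
		// owner/mode it applies matches the deployment's access policy.
		if os.Getuid() == 0 {
			if err := api.SetDefaultPermissions(string(s.SocketPath)); err != nil {
				return err
			}
		}
		servers = append(servers, domainSocket)
		wg.Add(1)
		s.Logf("Serving cilium at unix://%s", s.SocketPath)
		go func(l net.Listener) {
			defer wg.Done()
			if err := domainSocket.Serve(l); err != nil && err != http.ErrServerClosed {
				s.Fatalf("%v", err)
			}
			s.Logf("Stopped serving cilium at unix://%s", s.SocketPath)
		}(s.domainSocketL)
	}

	if s.hasScheme(schemeHTTP) {
		// Plaintext listener, no authentication of any kind in this server.
		httpServer := new(http.Server)
		httpServer.MaxHeaderBytes = int(s.MaxHeaderSize)
		httpServer.ReadTimeout = s.ReadTimeout
		httpServer.WriteTimeout = s.WriteTimeout
		httpServer.SetKeepAlivesEnabled(int64(s.KeepAlive) > 0)
		if s.ListenLimit > 0 {
			// Caps concurrent accepted connections; the field is replaced so
			// the goroutine below serves the limited listener.
			s.httpServerL = netutil.LimitListener(s.httpServerL, s.ListenLimit)
		}

		if int64(s.CleanupTimeout) > 0 {
			httpServer.IdleTimeout = s.CleanupTimeout
		}

		httpServer.Handler = s.handler

		configureServer(httpServer, "http", s.httpServerL.Addr().String())

		servers = append(servers, httpServer)
		wg.Add(1)
		s.Logf("Serving cilium at http://%s", s.httpServerL.Addr())
		go func(l net.Listener) {
			defer wg.Done()
			if err := httpServer.Serve(l); err != nil && err != http.ErrServerClosed {
				s.Fatalf("%v", err)
			}
			s.Logf("Stopped serving cilium at http://%s", l.Addr())
		}(s.httpServerL)
	}

	if s.hasScheme(schemeHTTPS) {
		httpsServer := new(http.Server)
		httpsServer.MaxHeaderBytes = int(s.MaxHeaderSize)
		httpsServer.ReadTimeout = s.TLSReadTimeout
		httpsServer.WriteTimeout = s.TLSWriteTimeout
		httpsServer.SetKeepAlivesEnabled(int64(s.TLSKeepAlive) > 0)
		if s.TLSListenLimit > 0 {
			s.httpsServerL = netutil.LimitListener(s.httpsServerL, s.TLSListenLimit)
		}
		if int64(s.CleanupTimeout) > 0 {
			httpsServer.IdleTimeout = s.CleanupTimeout
		}
		httpsServer.Handler = s.handler

		// Inspired by https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go
		httpsServer.TLSConfig = &tls.Config{
			// Causes servers to use Go's default ciphersuite preferences,
			// which are tuned to avoid attacks. Does nothing on clients.
			PreferServerCipherSuites: true,
			// Only P-256 is offered for key exchange.
			// NOTE(review): X25519 also has a constant-time implementation in
			// crypto/tls and is Go's own first preference; consider adding
			// tls.X25519 ahead of CurveP256 after checking client compatibility.
			// https://github.com/golang/go/tree/master/src/crypto/elliptic
			CurvePreferences: []tls.CurveID{tls.CurveP256},
			// Use modern tls mode https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
			NextProtos: []string{"http/1.1", "h2"},
			// https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols
			MinVersion: tls.VersionTLS12,
			// These ciphersuites support Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
			// (AEAD only; applies to TLS 1.2, TLS 1.3 suites are fixed by Go).
			CipherSuites: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			},
		}

		// build standard config from server options
		if s.TLSCertificate != "" && s.TLSCertificateKey != "" {
			httpsServer.TLSConfig.Certificates = make([]tls.Certificate, 1)
			httpsServer.TLSConfig.Certificates[0], err = tls.LoadX509KeyPair(string(s.TLSCertificate), string(s.TLSCertificateKey))
			if err != nil {
				return err
			}
		}

		// Mutual TLS is opt-in: without --tls-ca no client certificate is
		// requested and any client that can reach the port may call the API.
		if s.TLSCACertificate != "" {
			// include specified CA certificate
			caCert, caCertErr := ioutil.ReadFile(string(s.TLSCACertificate))
			if caCertErr != nil {
				return caCertErr
			}
			caCertPool := x509.NewCertPool()
			ok := caCertPool.AppendCertsFromPEM(caCert)
			if !ok {
				return fmt.Errorf("cannot parse CA certificate")
			}
			httpsServer.TLSConfig.ClientCAs = caCertPool
			httpsServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
		}

		// call custom TLS configurator; it may override anything set above,
		// including ClientAuth and MinVersion.
		configureTLS(httpsServer.TLSConfig)

		if len(httpsServer.TLSConfig.Certificates) == 0 {
			// after standard and custom config are passed, this ends up with no certificate
			if s.TLSCertificate == "" {
				if s.TLSCertificateKey == "" {
					s.Fatalf("the required flags `--tls-certificate` and `--tls-key` were not specified")
				}
				s.Fatalf("the required flag `--tls-certificate` was not specified")
			}
			if s.TLSCertificateKey == "" {
				s.Fatalf("the required flag `--tls-key` was not specified")
			}
			// this happens with a wrong custom TLS configurator
			s.Fatalf("no certificate was configured for TLS")
		}

		// must have at least one certificate or panics
		httpsServer.TLSConfig.BuildNameToCertificate()

		configureServer(httpsServer, "https", s.httpsServerL.Addr().String())

		servers = append(servers, httpsServer)
		wg.Add(1)
		s.Logf("Serving cilium at https://%s", s.httpsServerL.Addr())
		go func(l net.Listener) {
			defer wg.Done()
			if err := httpsServer.Serve(l); err != nil && err != http.ErrServerClosed {
				s.Fatalf("%v", err)
			}
			s.Logf("Stopped serving cilium at https://%s", l.Addr())
		}(tls.NewListener(s.httpsServerL, httpsServer.TLSConfig))
	}

	wg.Wait()
	return nil
}

// Listen creates the listeners for the server.
//
// It is idempotent once it has succeeded. TLS settings left at their zero
// value inherit the corresponding http setting. Port 0 (the default) binds an
// ephemeral port, and the address actually bound is written back into
// Host/Port and TLSHost/TLSPort. If a later bind fails, every listener opened
// earlier in the same call is closed again so that a retry does not fail
// with "address already in use" on a listener this call leaked.
//
// NOTE(review): net.Listen("unix", …) fails if a stale socket file already
// exists at SocketPath; nothing here removes it.
func (s *Server) Listen() error {
	if s.hasListeners { // already done this
		return nil
	}

	// Undo partial progress on failure; cleared by the success path below.
	ok := false
	defer func() {
		if ok {
			return
		}
		for _, l := range []net.Listener{s.domainSocketL, s.httpServerL, s.httpsServerL} {
			if l != nil {
				l.Close()
			}
		}
		s.domainSocketL, s.httpServerL, s.httpsServerL = nil, nil, nil
	}()

	if s.hasScheme(schemeHTTPS) {
		// Use http host if https host wasn't defined
		if s.TLSHost == "" {
			s.TLSHost = s.Host
		}
		// Use http listen limit if https listen limit wasn't defined
		if s.TLSListenLimit == 0 {
			s.TLSListenLimit = s.ListenLimit
		}
		// Use http tcp keep alive if https tcp keep alive wasn't defined
		if int64(s.TLSKeepAlive) == 0 {
			s.TLSKeepAlive = s.KeepAlive
		}
		// Use http read timeout if https read timeout wasn't defined
		if int64(s.TLSReadTimeout) == 0 {
			s.TLSReadTimeout = s.ReadTimeout
		}
		// Use http write timeout if https write timeout wasn't defined
		if int64(s.TLSWriteTimeout) == 0 {
			s.TLSWriteTimeout = s.WriteTimeout
		}
	}

	if s.hasScheme(schemeUnix) {
		// Created with umask-derived permissions; Serve tightens them (root only).
		domSockListener, err := net.Listen("unix", string(s.SocketPath))
		if err != nil {
			return err
		}
		s.domainSocketL = domSockListener
	}

	if s.hasScheme(schemeHTTP) {
		listener, err := net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
		if err != nil {
			return err
		}

		h, p, err := swag.SplitHostPort(listener.Addr().String())
		if err != nil {
			return err
		}
		s.Host = h
		s.Port = p
		s.httpServerL = listener
	}

	if s.hasScheme(schemeHTTPS) {
		tlsListener, err := net.Listen("tcp", net.JoinHostPort(s.TLSHost, strconv.Itoa(s.TLSPort)))
		if err != nil {
			return err
		}

		sh, sp, err := swag.SplitHostPort(tlsListener.Addr().String())
		if err != nil {
			return err
		}
		s.TLSHost = sh
		s.TLSPort = sp
		s.httpsServerL = tlsListener
	}

	s.hasListeners = true
	ok = true
	return nil
}

// Shutdown server and clean up resources.
//
// Safe to call more than once and from any goroutine: the CAS ensures the
// shutdown channel is closed exactly once. The actual draining happens in
// handleShutdown; this never returns an error.
func (s *Server) Shutdown() error {
	if atomic.CompareAndSwapInt32(&s.shuttingDown, 0, 1) {
		close(s.shutdown)
	}
	return nil
}

// handleShutdown waits for Shutdown, then gracefully stops every server in
// *serversPtr within GracefulTimeout and finally notifies the API via
// ServerShutdown if all of them stopped cleanly.
func (s *Server) handleShutdown(wg *sync.WaitGroup, serversPtr *[]*http.Server) {
	// wg.Done must occur last, after s.api.ServerShutdown()
	// (to preserve old behaviour)
	defer wg.Done()

	<-s.shutdown

	servers := *serversPtr

	ctx, cancel := context.WithTimeout(context.TODO(), s.GracefulTimeout)
	defer cancel()

	shutdownChan := make(chan bool)
	for i := range servers {
		server := servers[i]
		go func() {
			var success bool
			defer func() {
				shutdownChan <- success
			}()
			if err := server.Shutdown(ctx); err != nil {
				// Error from closing listeners, or context timeout:
				s.Logf("HTTP server Shutdown: %v", err)
			} else {
				success = true
			}
		}()
	}

	// Wait until all listeners have successfully shut down before calling ServerShutdown.
	// Receive unconditionally: `success = success && <-shutdownChan` would
	// short-circuit after the first failure and leave the remaining senders
	// blocked forever on the unbuffered channel.
	success := true
	for range servers {
		ok := <-shutdownChan
		success = success && ok
	}
	// Serve allows a handler without an API (SetHandler); guard the nil case.
	if success && s.api != nil {
		s.api.ServerShutdown()
	}
}

// GetHandler returns a handler useful for testing.
func (s *Server) GetHandler() http.Handler {
	return s.handler
}

// SetHandler allows for setting a http handler on this server.
// It is served on every enabled listener and bypasses configureAPI.
func (s *Server) SetHandler(handler http.Handler) {
	s.handler = handler
}

// UnixListener returns the domain socket listener, binding first if needed.
// It is nil when the unix scheme is not enabled.
func (s *Server) UnixListener() (net.Listener, error) {
	if !s.hasListeners {
		if err := s.Listen(); err != nil {
			return nil, err
		}
	}
	return s.domainSocketL, nil
}

// HTTPListener returns the http listener, binding first if needed.
// It is nil when the http scheme is not enabled.
func (s *Server) HTTPListener() (net.Listener, error) {
	if !s.hasListeners {
		if err := s.Listen(); err != nil {
			return nil, err
		}
	}
	return s.httpServerL, nil
}

// TLSListener returns the https listener, binding first if needed.
// This is the raw TCP listener; Serve wraps it with tls.NewListener.
func (s *Server) TLSListener() (net.Listener, error) {
	if !s.hasListeners {
		if err := s.Listen(); err != nil {
			return nil, err
		}
	}
	return s.httpsServerL, nil
}

// handleInterrupt turns the first received signal into Shutdown and logs any
// further ones. s.interrupted is touched only by this goroutine.
func handleInterrupt(once *sync.Once, s *Server) {
	once.Do(func() {
		for range s.interrupt {
			if s.interrupted {
				s.Logf("Server already shutting down")
				continue
			}
			s.interrupted = true
			s.Logf("Shutting down... ")
			if err := s.Shutdown(); err != nil {
				s.Logf("HTTP server Shutdown: %v", err)
			}
		}
	})
}

// signalNotify subscribes interrupt to SIGINT and SIGTERM.
func signalNotify(interrupt chan<- os.Signal) {
	signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
}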