github.imxd.top/operator-framework/operator-sdk@v0.8.2/pkg/ansible/proxy/kubectl.go (about)

     1  /*
     2  Copyright 2014 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  // This code was retrieved from
    18  // https://github.com/kubernetes/kubernetes/blob/204d994/pkg/kubectl/proxy/proxy_server.go
    19  // and modified for use in this project.
    20  
    21  package proxy
    22  
    23  import (
    24  	"fmt"
    25  	"net"
    26  	"net/http"
    27  	"net/url"
    28  	"os"
    29  	"regexp"
    30  	"strings"
    31  	"time"
    32  
    33  	utilnet "k8s.io/apimachinery/pkg/util/net"
    34  	k8sproxy "k8s.io/apimachinery/pkg/util/proxy"
    35  	"k8s.io/client-go/rest"
    36  	"k8s.io/client-go/transport"
    37  	"k8s.io/kubernetes/pkg/kubectl/util"
    38  	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
    39  )
    40  
    41  var log = logf.Log.WithName("proxy")
    42  
    43  const (
    44  	// DefaultHostAcceptRE is the default value for which hosts to accept.
    45  	DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
    46  	// DefaultPathAcceptRE is the default path to accept.
    47  	DefaultPathAcceptRE = "^.*"
    48  	// DefaultPathRejectRE is the default set of paths to reject.
    49  	DefaultPathRejectRE = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
    50  	// DefaultMethodRejectRE is the set of HTTP methods to reject by default.
    51  	DefaultMethodRejectRE = "^$"
    52  )
    53  
    54  var (
    55  	// ReverseProxyFlushInterval is the frequency to flush the reverse proxy.
    56  	// Only matters for long poll connections like the one used to watch. With an
    57  	// interval of 0 the reverse proxy will buffer content sent on any connection
    58  	// with transfer-encoding=chunked.
    59  	// TODO: Flush after each chunk so the client doesn't suffer a 100ms latency per
    60  	// watch event.
    61  	ReverseProxyFlushInterval = 100 * time.Millisecond
    62  )
    63  
    64  // FilterServer rejects requests which don't match one of the specified regular expressions
    65  type FilterServer struct {
    66  	// Only paths that match this regexp will be accepted
    67  	AcceptPaths []*regexp.Regexp
    68  	// Paths that match this regexp will be rejected, even if they match the above
    69  	RejectPaths []*regexp.Regexp
    70  	// Hosts are required to match this list of regexp
    71  	AcceptHosts []*regexp.Regexp
    72  	// Methods that match this regexp are rejected
    73  	RejectMethods []*regexp.Regexp
    74  	// The delegate to call to handle accepted requests.
    75  	delegate http.Handler
    76  }
    77  
    78  // MakeRegexpArray splits a comma separated list of regexps into an array of Regexp objects.
    79  func MakeRegexpArray(str string) ([]*regexp.Regexp, error) {
    80  	parts := strings.Split(str, ",")
    81  	result := make([]*regexp.Regexp, len(parts))
    82  	for ix := range parts {
    83  		re, err := regexp.Compile(parts[ix])
    84  		if err != nil {
    85  			return nil, err
    86  		}
    87  		result[ix] = re
    88  	}
    89  	return result, nil
    90  }
    91  
    92  // MakeRegexpArrayOrDie creates an array of regular expression objects from a string or exits.
    93  func MakeRegexpArrayOrDie(str string) []*regexp.Regexp {
    94  	result, err := MakeRegexpArray(str)
    95  	if err != nil {
    96  		log.Error(err, "Error compiling re")
    97  		os.Exit(1)
    98  	}
    99  	return result
   100  }
   101  
   102  func matchesRegexp(str string, regexps []*regexp.Regexp) bool {
   103  	for _, re := range regexps {
   104  		if re.MatchString(str) {
   105  			log.Info("Matched found", "MatchString", str, "Regexp", re)
   106  			return true
   107  		}
   108  	}
   109  	return false
   110  }
   111  
   112  func (f *FilterServer) accept(method, path, host string) bool {
   113  	if matchesRegexp(path, f.RejectPaths) {
   114  		return false
   115  	}
   116  	if matchesRegexp(method, f.RejectMethods) {
   117  		return false
   118  	}
   119  	if matchesRegexp(path, f.AcceptPaths) && matchesRegexp(host, f.AcceptHosts) {
   120  		return true
   121  	}
   122  	return false
   123  }
   124  
   125  // HandlerFor makes a shallow copy of f which passes its requests along to the
   126  // new delegate.
   127  func (f *FilterServer) HandlerFor(delegate http.Handler) *FilterServer {
   128  	f2 := *f
   129  	f2.delegate = delegate
   130  	return &f2
   131  }
   132  
   133  // Get host from a host header value like "localhost" or "localhost:8080"
   134  func extractHost(header string) (host string) {
   135  	host, _, err := net.SplitHostPort(header)
   136  	if err != nil {
   137  		host = header
   138  	}
   139  	return host
   140  }
   141  
   142  func (f *FilterServer) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
   143  	host := extractHost(req.Host)
   144  	if f.accept(req.Method, req.URL.Path, host) {
   145  		log.Info("Filter acception", "Request.Method", req.Method, "Request.URL", req.URL.Path, "Host", host)
   146  		f.delegate.ServeHTTP(rw, req)
   147  		return
   148  	}
   149  	log.Info("Filter rejection", "Request.Method", req.Method, "Request.URL", req.URL.Path, "Host", host)
   150  	rw.WriteHeader(http.StatusForbidden)
   151  	if _, err := rw.Write([]byte("<h3>Unauthorized</h3>")); err != nil {
   152  		log.Error(err, "Failed to write response body")
   153  	}
   154  }
   155  
   156  // Server is a http.Handler which proxies Kubernetes APIs to remote API server.
   157  type server struct {
   158  	Handler http.Handler
   159  }
   160  
   161  type responder struct{}
   162  
   163  func (r *responder) Error(w http.ResponseWriter, req *http.Request, err error) {
   164  	log.Error(err, "Error while proxying request")
   165  	http.Error(w, err.Error(), http.StatusInternalServerError)
   166  }
   167  
   168  // makeUpgradeTransport creates a transport that explicitly bypasses HTTP2 support
   169  // for proxy connections that must upgrade.
   170  func makeUpgradeTransport(config *rest.Config) (k8sproxy.UpgradeRequestRoundTripper, error) {
   171  	transportConfig, err := config.TransportConfig()
   172  	if err != nil {
   173  		return nil, err
   174  	}
   175  	tlsConfig, err := transport.TLSConfigFor(transportConfig)
   176  	if err != nil {
   177  		return nil, err
   178  	}
   179  	rt := utilnet.SetOldTransportDefaults(&http.Transport{
   180  		TLSClientConfig: tlsConfig,
   181  		DialContext: (&net.Dialer{
   182  			Timeout: 30 * time.Second,
   183  		}).DialContext,
   184  	})
   185  
   186  	upgrader, err := transport.HTTPWrappersForConfig(transportConfig, k8sproxy.MirrorRequest)
   187  	if err != nil {
   188  		return nil, err
   189  	}
   190  	return k8sproxy.NewUpgradeRequestRoundTripper(rt, upgrader), nil
   191  }
   192  
   193  // NewServer creates and installs a new Server.
   194  func newServer(apiProxyPrefix string, cfg *rest.Config) (*server, error) {
   195  	host := cfg.Host
   196  	if !strings.HasSuffix(host, "/") {
   197  		host = host + "/"
   198  	}
   199  	target, err := url.Parse(host)
   200  	if err != nil {
   201  		return nil, err
   202  	}
   203  
   204  	responder := &responder{}
   205  	transport, err := rest.TransportFor(cfg)
   206  	if err != nil {
   207  		return nil, err
   208  	}
   209  	upgradeTransport, err := makeUpgradeTransport(cfg)
   210  	if err != nil {
   211  		return nil, err
   212  	}
   213  	proxy := k8sproxy.NewUpgradeAwareHandler(target, transport, false, false, responder)
   214  	proxy.UpgradeTransport = upgradeTransport
   215  	proxy.UseRequestLocation = true
   216  
   217  	proxyServer := http.Handler(proxy)
   218  
   219  	if !strings.HasPrefix(apiProxyPrefix, "/api") {
   220  		proxyServer = stripLeaveSlash(apiProxyPrefix, proxyServer)
   221  	}
   222  
   223  	mux := http.NewServeMux()
   224  	mux.Handle(apiProxyPrefix, proxyServer)
   225  	return &server{Handler: mux}, nil
   226  }
   227  
   228  // Listen is a simple wrapper around net.Listen.
   229  func (s *server) Listen(address string, port int) (net.Listener, error) {
   230  	return net.Listen("tcp", fmt.Sprintf("%s:%d", address, port))
   231  }
   232  
   233  // ListenUnix does net.Listen for a unix socket
   234  func (s *server) ListenUnix(path string) (net.Listener, error) {
   235  	// Remove any socket, stale or not, but fall through for other files
   236  	fi, err := os.Stat(path)
   237  	if err == nil && (fi.Mode()&os.ModeSocket) != 0 {
   238  		if err := os.Remove(path); err != nil {
   239  			return nil, err
   240  		}
   241  	}
   242  	// Default to only user accessible socket, caller can open up later if desired
   243  	oldmask, _ := util.Umask(0077)
   244  	l, err := net.Listen("unix", path)
   245  	util.Umask(oldmask)
   246  	return l, err
   247  }
   248  
   249  // ServeOnListener starts the server using given listener, loops forever.
   250  func (s *server) ServeOnListener(l net.Listener) error {
   251  	server := http.Server{
   252  		Handler: s.Handler,
   253  	}
   254  	return server.Serve(l)
   255  }
   256  
   257  // like http.StripPrefix, but always leaves an initial slash. (so that our
   258  // regexps will work.)
   259  func stripLeaveSlash(prefix string, h http.Handler) http.Handler {
   260  	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
   261  		p := strings.TrimPrefix(req.URL.Path, prefix)
   262  		if len(p) >= len(req.URL.Path) {
   263  			http.NotFound(w, req)
   264  			return
   265  		}
   266  		if len(p) > 0 && p[:1] != "/" {
   267  			p = "/" + p
   268  		}
   269  		req.URL.Path = p
   270  		h.ServeHTTP(w, req)
   271  	})
   272  }