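// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package bootstrap

import (
	"crypto/tls"
	"log"
	"net/http"
	"strings"

	sec_model "istio.io/istio/pilot/pkg/security/model"
	istiolog "istio.io/istio/pkg/log"
)

// httpServerErrorLogWriter is an io.Writer used as the http.Server.ErrorLog
// sink for the webhook server. It routes the server's internal error messages
// to istiolog instead of the standard library logger.
type httpServerErrorLogWriter struct{}

// Write implements io.Writer. Each call carries one log line produced by
// http.Server; the trailing newline is stripped before forwarding.
//
// Lines of the form
//
//	http: TLS handshake error from 127.0.0.1:<PORT>: EOF
//
// are demoted to debug level: they occur when a client sends RST while the
// TLS handshake is still in progress, which httpsReadyClient can trigger
// periodically when multiple concurrent probes hit this endpoint. Every other
// message is logged at info level. Write always reports the full length of p
// as consumed and never returns an error, so the server's logger is never
// disrupted by the sink.
func (*httpServerErrorLogWriter) Write(p []byte) (int, error) {
	m := strings.TrimSuffix(string(p), "\n")
	if strings.HasPrefix(m, "http: TLS handshake error") && strings.HasSuffix(m, ": EOF") {
		istiolog.Debug(m)
	} else {
		istiolog.Info(m)
	}
	return len(p), nil
}

// initSecureWebhookServer handles initialization for the HTTPS webhook server.
// If the https address is off, the injection handlers will be registered on the
// main http endpoint, with TLS handled by a proxy/gateway in front of Istiod.
//
// It sets s.httpsMux in both cases and s.httpsServer only when a dedicated
// HTTPS listener is configured; the server is constructed here, not started.
func (s *Server) initSecureWebhookServer(args *PilotArgs) {
	// With no HTTPS address the webhook handlers share the plain-HTTP mux.
	// Istiod itself then provides no transport security for the webhook
	// endpoint; the deployment must guarantee a TLS-terminating proxy or
	// gateway in front of it.
	if args.ServerOptions.HTTPSAddr == "" {
		s.httpsMux = s.httpMux
		istiolog.Infof("HTTPS port is disabled, multiplexing webhooks on the httpAddr %v", args.ServerOptions.HTTPAddr)
		return
	}

	// Serve with the istiod certificate, a TLS 1.2 floor, and the cipher
	// suites the operator configured (a nil list leaves Go's default suites).
	tlsConfig := &tls.Config{
		GetCertificate: s.getIstiodCertificate,
		MinVersion:     tls.VersionTLS12,
		CipherSuites:   args.ServerOptions.TLSOptions.CipherSuits,
	}
	// Compliance for control plane validation and injection webhook server.
	// Called after the explicit settings above, so any fields it adjusts
	// override them (what it adjusts is not visible in this file).
	sec_model.EnforceGoCompliance(tlsConfig)

	istiolog.Info("initializing secure webhook server for istiod webhooks")
	// create the https server for hosting the k8s injectionWebhook handlers.
	s.httpsMux = http.NewServeMux()
	s.httpsServer = &http.Server{
		Addr:      args.ServerOptions.HTTPSAddr,
		ErrorLog:  log.New(&httpServerErrorLogWriter{}, "", 0),
		Handler:   s.httpsMux,
		TLSConfig: tlsConfig,
	}
	// NOTE(review): no ReadHeaderTimeout/ReadTimeout is set, so a client that
	// opens a connection and never finishes sending request headers holds it
	// open indefinitely. Consider a ReadHeaderTimeout consistent with the other
	// servers configured in this package.
}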