From 8f47965b35e414112279369d19d4cae1dad5e01b Mon Sep 17 00:00:00 2001 From: Vihang Mehta Date: Mon, 11 Apr 2022 16:01:23 -0700 Subject: [PATCH] Remove certmgr from vizier Summary: As direct mode is now being removed, vizier no longer needs a certmgr service. Remove certmgr. Test Plan: Test vizier RC with an operator RC Reviewers: michelle, philkuz Reviewed By: michelle JIRA Issues: PP-3334 
Signed-off-by: Vihang Mehta Differential Revision: https://phab.corp.pixielabs.ai/D11204 GitOrigin-RevId: 90b0053e0ee6cedbdb619a5d3b5fb2e88ff1d958 --- .fossa.yml | 20 - BUILD.bazel | 1 - k8s/vizier/BUILD.bazel | 1 - k8s/vizier/base/certmgr_deployment.yaml | 84 -- k8s/vizier/base/certmgr_role.yaml | 45 -- k8s/vizier/base/certmgr_service.yaml | 14 - k8s/vizier/base/kustomization.yaml | 3 - skaffold/skaffold_vizier.yaml | 6 - src/vizier/services/certmgr/BUILD.bazel | 63 -- src/vizier/services/certmgr/certmgr_server.go | 113 --- .../services/certmgr/certmgrenv/BUILD.bazel | 25 - src/vizier/services/certmgr/certmgrenv/env.go | 36 - .../services/certmgr/certmgrpb/BUILD.bazel | 33 - .../services/certmgr/certmgrpb/service.pb.go | 730 ------------------ .../services/certmgr/certmgrpb/service.proto | 42 - .../services/certmgr/controllers/BUILD.bazel | 57 -- .../services/certmgr/controllers/k8s_api.go | 116 --- .../services/certmgr/controllers/mock.go | 21 - .../certmgr/controllers/mock/BUILD.bazel | 25 - .../controllers/mock/mock_k8s_api.gen.go | 77 -- .../services/certmgr/controllers/server.go | 234 ------ .../certmgr/controllers/server_test.go | 143 ---- 22 files changed, 1889 deletions(-) delete mode 100644 k8s/vizier/base/certmgr_deployment.yaml delete mode 100644 k8s/vizier/base/certmgr_role.yaml delete mode 100644 k8s/vizier/base/certmgr_service.yaml delete mode 100644 src/vizier/services/certmgr/BUILD.bazel delete mode 100644 src/vizier/services/certmgr/certmgr_server.go delete mode 100644 src/vizier/services/certmgr/certmgrenv/BUILD.bazel delete mode 100644 src/vizier/services/certmgr/certmgrenv/env.go delete mode 100644 src/vizier/services/certmgr/certmgrpb/BUILD.bazel delete mode 100755 src/vizier/services/certmgr/certmgrpb/service.pb.go delete mode 100644 src/vizier/services/certmgr/certmgrpb/service.proto delete mode 100644 src/vizier/services/certmgr/controllers/BUILD.bazel delete mode 100644 src/vizier/services/certmgr/controllers/k8s_api.go delete mode 100644 
src/vizier/services/certmgr/controllers/mock.go delete mode 100644 src/vizier/services/certmgr/controllers/mock/BUILD.bazel delete mode 100644 src/vizier/services/certmgr/controllers/mock/mock_k8s_api.gen.go delete mode 100644 src/vizier/services/certmgr/controllers/server.go delete mode 100644 src/vizier/services/certmgr/controllers/server_test.go
diff --git a/.fossa.yml b/.fossa.yml
index 8c69d93c0ae..34b30623efe 100755
--- a/.fossa.yml
+++ b/.fossa.yml
@@ -812,26 +812,6 @@ analyze:
 type: go
 target: px.dev/pixie/src/vizier/messages/messagespb
 path: src/vizier/messages/messagespb
- - name: px.dev/pixie/src/vizier/services/certmgr
- type: go
- target: px.dev/pixie/src/vizier/services/certmgr
- path: src/vizier/services/certmgr
- - name: px.dev/pixie/src/vizier/services/certmgr/certmgrenv
- type: go
- target: px.dev/pixie/src/vizier/services/certmgr/certmgrenv
- path: src/vizier/services/certmgr/certmgrenv
- - name: px.dev/pixie/src/vizier/services/certmgr/certmgrpb
- type: go
- target: px.dev/pixie/src/vizier/services/certmgr/certmgrpb
- path: src/vizier/services/certmgr/certmgrpb
- - name: px.dev/pixie/src/vizier/services/certmgr/controller
- type: go
- target: px.dev/pixie/src/vizier/services/certmgr/controller
- path: src/vizier/services/certmgr/controller
- - name: px.dev/pixie/src/vizier/services/certmgr/controllers/mock
- type: go
- target: px.dev/pixie/src/vizier/services/certmgr/controllers/mock
- path: src/vizier/services/certmgr/controllers/mock
 - name: px.dev/pixie/src/vizier/services/cloud_connector
 type: go
 target: px.dev/pixie/src/vizier/services/cloud_connector
diff --git a/BUILD.bazel b/BUILD.bazel
index bfdccef1ab5..913ac649e40 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -88,7 +88,6 @@ gazelle(
 # gazelle:resolve go px.dev/pixie/src/stirling/testing/demo_apps/hipster_shop/proto //src/stirling/testing/demo_apps/hipster_shop/proto:demo_pl_go_proto
 # gazelle:resolve go px.dev/pixie/src/table_store/schemapb //src/table_store/schemapb:schema_pl_go_proto
 # gazelle:resolve go px.dev/pixie/src/vizier/messages/messagespb //src/vizier/messages/messagespb:messages_pl_go_proto
-# gazelle:resolve go px.dev/pixie/src/vizier/services/certmgr/certmgrpb //src/vizier/services/certmgr/certmgrpb:service_pl_go_proto
 # gazelle:resolve go px.dev/pixie/src/vizier/services/metadata/metadatapb //src/vizier/services/metadata/metadatapb:service_pl_go_proto
 # gazelle:resolve go px.dev/pixie/src/vizier/services/metadata/storepb //src/vizier/services/metadata/storepb:store_pl_go_proto
 # gazelle:resolve go px.dev/pixie/src/vizier/services/shared/agentpb //src/vizier/services/shared/agentpb:agent_pl_go_proto
diff --git a/k8s/vizier/BUILD.bazel b/k8s/vizier/BUILD.bazel
index d7a19c6be24..8effe5fb473 100644
--- a/k8s/vizier/BUILD.bazel
+++ b/k8s/vizier/BUILD.bazel
@@ -23,7 +23,6 @@ package(default_visibility = ["//visibility:public"])
 VIZIER_IMAGE_MAP = {
 "gcr.io/pixie-oss/pixie-dev/vizier/cert_provisioner_image": "//src/utils/cert_provisioner:cert_provisioner_image",
- "gcr.io/pixie-oss/pixie-dev/vizier/certmgr_server_image": "//src/vizier/services/certmgr:certmgr_server_image",
 "gcr.io/pixie-oss/pixie-dev/vizier/cloud_connector_server_image": "//src/vizier/services/cloud_connector:cloud_connector_server_image",
 "gcr.io/pixie-oss/pixie-dev/vizier/kelvin_image": "//src/vizier/services/agent/kelvin:kelvin_image",
 "gcr.io/pixie-oss/pixie-dev/vizier/metadata_server_image": "//src/vizier/services/metadata:metadata_server_image",
diff --git a/k8s/vizier/base/certmgr_deployment.yaml b/k8s/vizier/base/certmgr_deployment.yaml
deleted file mode 100644
index 4e04cc72bb4..00000000000
--- a/k8s/vizier/base/certmgr_deployment.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: vizier-certmgr
-spec:
- replicas: 1
- selector:
- matchLabels:
- name: vizier-certmgr
- template:
- metadata:
- labels:
- name: vizier-certmgr
- plane: control
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/os
- operator: Exists
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: Exists
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- serviceAccountName: certmgr-service-account
- initContainers:
- - name: nats-wait
- image: gcr.io/pixie-oss/pixie-dev-public/curl:1.0
- # yamllint disable
- command: ['sh', '-c', 'set -xe;
- URL="${PROTOCOL}://${SERVICE_NAME}:${SERVICE_PORT}${HEALTH_PATH}";
- until [ $(curl -m 0.5 -s -o /dev/null -w "%{http_code}" -k ${URL}) -eq 200 ]; do
- echo "waiting for ${URL}";
- sleep 2;
- done;']
- env:
- - name: SERVICE_NAME
- value: "pl-nats-mgmt"
- - name: SERVICE_PORT
- value: "8222"
- - name: HEALTH_PATH
- value: ""
- - name: PROTOCOL
- value: "http"
- containers:
- - name: app
- image: gcr.io/pixie-oss/pixie-dev/vizier/certmgr_server_image:latest
- env:
- - name: PL_JWT_SIGNING_KEY
- valueFrom:
- secretKeyRef:
- key: jwt-signing-key
- name: pl-cluster-secrets
- - name: PL_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- envFrom:
- - configMapRef:
- name: pl-tls-config
- ports:
- - containerPort: 50900
- volumeMounts:
- - mountPath: /certs
- name: certs
- livenessProbe:
- httpGet:
- scheme: HTTPS
- path: /healthz
- port: 50900
- volumes:
- - name: certs
- secret:
- secretName: service-tls-certs
diff --git a/k8s/vizier/base/certmgr_role.yaml b/k8s/vizier/base/certmgr_role.yaml
deleted file mode 100644
index fe667c76d98..00000000000
--- a/k8s/vizier/base/certmgr_role.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: certmgr-service-account
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: pl-vizier-certmgr
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - secrets
- - services
- verbs:
- - "*"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: pl-vizier-certmgr-cluster-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: pl-vizier-certmgr
-subjects:
-- kind: ServiceAccount
- name: certmgr-service-account
- namespace: pl
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: pl-vizier-crd-certmgr-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: pl-vizier-crd-role
-subjects:
-- kind: ServiceAccount
- name: certmgr-service-account
- namespace: pl
diff --git a/k8s/vizier/base/certmgr_service.yaml b/k8s/vizier/base/certmgr_service.yaml
deleted file mode 100644
index c061718b5d8..00000000000
--- a/k8s/vizier/base/certmgr_service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: vizier-certmgr-svc
-spec:
- type: ClusterIP
- ports:
- - name: tcp-http2
- port: 50900
- protocol: TCP
- targetPort: 50900
- selector:
- name: vizier-certmgr
diff --git a/k8s/vizier/base/kustomization.yaml b/k8s/vizier/base/kustomization.yaml
index 240290eaea4..24423c3ef95 100644
--- a/k8s/vizier/base/kustomization.yaml
+++ b/k8s/vizier/base/kustomization.yaml
@@ -13,9 +13,6 @@ patches:
 resources:
 - ../bootstrap
 - proxy_envoy.yaml
-- certmgr_role.yaml
-- certmgr_deployment.yaml
-- certmgr_service.yaml
 - kelvin_deployment.yaml
 - kelvin_service.yaml
 - metadata_role.yaml
diff --git a/skaffold/skaffold_vizier.yaml b/skaffold/skaffold_vizier.yaml
index 243ca1cb8f9..55fbcd459f7 100644
--- a/skaffold/skaffold_vizier.yaml
+++ b/skaffold/skaffold_vizier.yaml
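Review bot: Dropping `certmgr_role.yaml` from the kustomize resource list stops rendering the `pl-vizier-certmgr` ClusterRole (`verbs: "*"` on pods, secrets and services) and its ClusterRoleBinding, but nothing in the commit deletes those objects from clusters where an earlier Vizier release already created them; unless the operator prunes cluster-scoped resources that disappear from the rendered manifest, the wildcard-secrets grant stays bound to `certmgr-service-account` in the `pl` namespace after an upgrade. The Test Plan covers a fresh RC with the operator but not an upgrade from a certmgr-bearing release, so it is worth confirming that `pl-vizier-certmgr`, `pl-vizier-certmgr-cluster-binding` and `pl-vizier-crd-certmgr-binding` are absent on an upgraded cluster, or adding an explicit cleanup step for them. The kustomization resource list continues outside the hunk.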
@@ -36,12 +36,6 @@ build:
 target: //src/vizier/services/cloud_connector:cloud_connector_server_image.tar
 args:
 - --compilation_mode=dbg
- - image: gcr.io/pixie-oss/pixie-dev/vizier/certmgr_server_image
- context: .
- bazel:
- target: //src/vizier/services/certmgr:certmgr_server_image.tar
- args:
- - --compilation_mode=dbg
 - image: gcr.io/pixie-oss/pixie-dev/vizier/cert_provisioner_image
 context: .
 bazel:
diff --git a/src/vizier/services/certmgr/BUILD.bazel b/src/vizier/services/certmgr/BUILD.bazel
deleted file mode 100644
index 69649fb22f8..00000000000
--- a/src/vizier/services/certmgr/BUILD.bazel
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 2018- The Pixie Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-load("@io_bazel_rules_docker//container:container.bzl", "container_push")
-load("@io_bazel_rules_docker//go:image.bzl", "go_image")
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
- name = "certmgr_lib",
- srcs = ["certmgr_server.go"],
- importpath = "px.dev/pixie/src/vizier/services/certmgr",
- visibility = ["//visibility:private"],
- deps = [
- "//src/shared/services",
- "//src/shared/services/healthz",
- "//src/shared/services/server",
- "//src/vizier/services/certmgr/certmgrenv",
- "//src/vizier/services/certmgr/certmgrpb:service_pl_go_proto",
- "//src/vizier/services/certmgr/controllers",
- "@com_github_gofrs_uuid//:uuid",
- "@com_github_nats_io_nats_go//:nats_go",
- "@com_github_sirupsen_logrus//:logrus",
- "@com_github_spf13_pflag//:pflag",
- "@com_github_spf13_viper//:viper",
- ],
-)
-
-go_binary(
- name = "certmgr",
- embed = [":certmgr_lib"],
- visibility = ["//visibility:public"],
-)
-
-go_image(
- name = "certmgr_server_image",
- binary = ":certmgr",
- visibility = [
- "//k8s:__subpackages__",
- "//src/vizier:__subpackages__",
- ],
-)
-
-container_push(
- name = "push_certmgr_server_image",
- format = "Docker",
- image = ":certmgr_server_image",
- registry = "gcr.io",
- repository = "pixie-oss/pixie-dev/vizier/certmgr_server_image",
- tag = "{STABLE_BUILD_TAG}",
-)
diff --git a/src/vizier/services/certmgr/certmgr_server.go b/src/vizier/services/certmgr/certmgr_server.go
deleted file mode 100644
index 3457c8596cf..00000000000
--- a/src/vizier/services/certmgr/certmgr_server.go
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package main
-
-import (
- "net/http"
- "time"
-
- "github.com/gofrs/uuid"
- "github.com/nats-io/nats.go"
- log "github.com/sirupsen/logrus"
- "github.com/spf13/pflag"
- "github.com/spf13/viper"
-
- "px.dev/pixie/src/shared/services"
- "px.dev/pixie/src/shared/services/healthz"
- "px.dev/pixie/src/shared/services/server"
- "px.dev/pixie/src/vizier/services/certmgr/certmgrenv"
- "px.dev/pixie/src/vizier/services/certmgr/certmgrpb"
- "px.dev/pixie/src/vizier/services/certmgr/controllers"
-)
-
-func init() {
- pflag.String("namespace", "pl", "The namespace of Vizier")
- pflag.String("cluster_id", "", "The Cluster ID to use for Pixie Cloud")
- pflag.String("nats_url", "pl-nats", "The URL of NATS")
-}
-
-func main() {
- services.SetupService("certmgr-service", 50900)
- services.SetupSSLClientFlags()
- services.PostFlagSetupAndParse()
- services.CheckServiceFlags()
- services.CheckSSLClientFlags()
- services.SetupServiceLogging()
-
- flush := services.InitSentryFromCRD(viper.GetString("cluster_id"),
- viper.GetString("namespace"))
- defer flush()
-
- natsWait := make(chan struct{})
- var nc *nats.Conn
- var err error
-
- go func() {
- nc, err = nats.Connect(viper.GetString("nats_url"),
- nats.ClientCert(viper.GetString("client_tls_cert"), viper.GetString("client_tls_key")),
- nats.RootCAs(viper.GetString("tls_ca_cert")))
- if err != nil {
- log.WithError(err).Fatal("Failed to connect to NATS.")
- }
- close(natsWait)
- }()
-
- select {
- case <-natsWait:
- log.Info("Connected to NATS")
- case <-time.After(1 * time.Minute):
- log.WithError(err).Fatal("Timed out: failed to connect to NATS.")
- }
-
- clusterID, err := uuid.FromString(viper.GetString("cluster_id"))
- if err != nil {
- log.WithError(err).Fatal("Failed to parse passed in cluster ID")
- }
-
- mux := http.NewServeMux()
- healthz.RegisterDefaultChecks(mux)
-
- k8sWait := make(chan struct{})
- var k8sAPI *controllers.K8sAPIImpl
-
- go func() {
- k8sAPI, err = controllers.NewK8sAPI(viper.GetString("namespace"))
- if err != nil {
- log.WithError(err).Fatal("Failed to connect to K8S API")
- }
- close(k8sWait)
- }()
-
- select {
- case <-k8sWait:
- log.Info("Connected to K8s API")
- case <-time.After(1 * time.Minute):
- log.WithError(err).Fatal("Timed out: failed to connect to K8s API.")
- }
-
- env := certmgrenv.New("vizier")
- svr := controllers.NewServer(env, clusterID, nc, k8sAPI)
- go svr.CertRequester()
- defer svr.StopCertRequester()
-
- s := server.NewPLServer(env, mux)
- certmgrpb.RegisterCertMgrServiceServer(s.GRPCServer(), svr)
- s.Start()
- s.StopOnInterrupt()
-}
diff --git a/src/vizier/services/certmgr/certmgrenv/BUILD.bazel b/src/vizier/services/certmgr/certmgrenv/BUILD.bazel
deleted file mode 100644
index 2f1eaa088ab..00000000000
--- a/src/vizier/services/certmgr/certmgrenv/BUILD.bazel
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 2018- The Pixie Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
- name = "certmgrenv",
- srcs = ["env.go"],
- importpath = "px.dev/pixie/src/vizier/services/certmgr/certmgrenv",
- visibility = ["//src/vizier:__subpackages__"],
- deps = ["//src/shared/services/env"],
-)
diff --git a/src/vizier/services/certmgr/certmgrenv/env.go b/src/vizier/services/certmgr/certmgrenv/env.go
deleted file mode 100644
index be326ce18f0..00000000000
--- a/src/vizier/services/certmgr/certmgrenv/env.go
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package certmgrenv
-
-import "px.dev/pixie/src/shared/services/env"
-
-// CertMgrEnv is the interface for the certmgr service environment.
-type CertMgrEnv interface {
- env.Env
-}
-
-// Impl is an implementation of the CertMgrEnv interface
-type Impl struct {
- *env.BaseEnv
-}
-
-// New creates a new certmgr env.
-func New(audience string) *Impl {
- return &Impl{env.New(audience)}
-}
diff --git a/src/vizier/services/certmgr/certmgrpb/BUILD.bazel b/src/vizier/services/certmgr/certmgrpb/BUILD.bazel
deleted file mode 100644
index c6c0beedff6..00000000000
--- a/src/vizier/services/certmgr/certmgrpb/BUILD.bazel
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2018- The Pixie Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-load("//bazel:proto_compile.bzl", "pl_go_proto_library", "pl_proto_library")
-
-pl_proto_library(
- name = "service_pl_proto",
- srcs = ["service.proto"],
- visibility = ["//src/vizier:__subpackages__"],
- deps = [
- "@gogo_grpc_proto//github.com/gogo/protobuf/gogoproto:gogo_pl_proto",
- ],
-)
-
-pl_go_proto_library(
- name = "service_pl_go_proto",
- importpath = "px.dev/pixie/src/vizier/services/certmgr/certmgrpb",
- proto = ":service_pl_proto",
- visibility = ["//src/vizier:__subpackages__"],
-)
diff --git a/src/vizier/services/certmgr/certmgrpb/service.pb.go b/src/vizier/services/certmgr/certmgrpb/service.pb.go
deleted file mode 100755
index 2b9a53a68a0..00000000000
--- a/src/vizier/services/certmgr/certmgrpb/service.pb.go
+++ /dev/null
@@ -1,730 +0,0 @@ -// Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: src/vizier/services/certmgr/certmgrpb/service.proto - -package certmgrpb - -import ( - context "context" - fmt "fmt" - _ "github.com/gogo/protobuf/gogoproto" - proto "github.com/gogo/protobuf/proto" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" - io "io" - math "math" - math_bits "math/bits" - reflect "reflect" - strings "strings" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package - -type UpdateCertsRequest struct { - Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` - Cert string `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"` -} - -func (m *UpdateCertsRequest) Reset() { *m = UpdateCertsRequest{} } -func (*UpdateCertsRequest) ProtoMessage() {} -func (*UpdateCertsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_d4e716f5f2a68de5, []int{0} -} -func (m *UpdateCertsRequest) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *UpdateCertsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_UpdateCertsRequest.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *UpdateCertsRequest) XXX_Merge(src proto.Message) { - xxx_messageInfo_UpdateCertsRequest.Merge(m, src) -} -func (m *UpdateCertsRequest) XXX_Size() int { - return m.Size() -} -func (m *UpdateCertsRequest) 
XXX_DiscardUnknown() { - xxx_messageInfo_UpdateCertsRequest.DiscardUnknown(m) -} - -var xxx_messageInfo_UpdateCertsRequest proto.InternalMessageInfo - -func (m *UpdateCertsRequest) GetKey() string { - if m != nil { - return m.Key - } - return "" -} - -func (m *UpdateCertsRequest) GetCert() string { - if m != nil { - return m.Cert - } - return "" -} - -type UpdateCertsResponse struct { - OK bool `protobuf:"varint,1,opt,name=ok,proto3" json:"ok,omitempty"` -} - -func (m *UpdateCertsResponse) Reset() { *m = UpdateCertsResponse{} } -func (*UpdateCertsResponse) ProtoMessage() {} -func (*UpdateCertsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_d4e716f5f2a68de5, []int{1} -} -func (m *UpdateCertsResponse) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *UpdateCertsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_UpdateCertsResponse.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *UpdateCertsResponse) XXX_Merge(src proto.Message) { - xxx_messageInfo_UpdateCertsResponse.Merge(m, src) -} -func (m *UpdateCertsResponse) XXX_Size() int { - return m.Size() -} -func (m *UpdateCertsResponse) XXX_DiscardUnknown() { - xxx_messageInfo_UpdateCertsResponse.DiscardUnknown(m) -} - -var xxx_messageInfo_UpdateCertsResponse proto.InternalMessageInfo - -func (m *UpdateCertsResponse) GetOK() bool { - if m != nil { - return m.OK - } - return false -} - -func init() { - proto.RegisterType((*UpdateCertsRequest)(nil), "px.services.UpdateCertsRequest") - proto.RegisterType((*UpdateCertsResponse)(nil), "px.services.UpdateCertsResponse") -} - -func init() { - proto.RegisterFile("src/vizier/services/certmgr/certmgrpb/service.proto", fileDescriptor_d4e716f5f2a68de5) -} - -var fileDescriptor_d4e716f5f2a68de5 = []byte{ - // 285 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x32, 0x2e, 0x2e, 0x4a, 0xd6, - 0x2f, 0xcb, 0xac, 0xca, 0x4c, 0x2d, 0xd2, 0x2f, 0x4e, 0x2d, 0x2a, 0xcb, 0x4c, 0x4e, 0x2d, 0xd6, - 0x4f, 0x4e, 0x2d, 0x2a, 0xc9, 0x4d, 0x2f, 0x82, 0xd1, 0x05, 0x49, 0x30, 0x29, 0xbd, 0x82, 0xa2, - 0xfc, 0x92, 0x7c, 0x21, 0xee, 0x82, 0x0a, 0x3d, 0x98, 0x62, 0x29, 0xdd, 0xf4, 0xcc, 0x92, 0x8c, - 0xd2, 0x24, 0xbd, 0xe4, 0xfc, 0x5c, 0xfd, 0xf4, 0xfc, 0xf4, 0x7c, 0x7d, 0xb0, 0x9a, 0xa4, 0xd2, - 0x34, 0x30, 0x0f, 0xcc, 0x01, 0xb3, 0x20, 0x7a, 0x95, 0xac, 0xb8, 0x84, 0x42, 0x0b, 0x52, 0x12, - 0x4b, 0x52, 0x9d, 0x53, 0x8b, 0x4a, 0x8a, 0x83, 0x52, 0x0b, 0x4b, 0x53, 0x8b, 0x4b, 0x84, 0x04, - 0xb8, 0x98, 0xb3, 0x53, 0x2b, 0x25, 0x18, 0x15, 0x18, 0x35, 0x38, 0x83, 0x40, 0x4c, 0x21, 0x21, - 0x2e, 0x16, 0x90, 0xf5, 0x12, 0x4c, 0x60, 0x21, 0x30, 0x5b, 0x49, 0x97, 0x4b, 0x18, 0x45, 0x6f, - 0x71, 0x41, 0x7e, 0x5e, 0x71, 0xaa, 0x90, 0x18, 0x17, 0x53, 0x7e, 0x36, 0x58, 0x2f, 0x87, 0x13, - 0xdb, 0xa3, 0x7b, 0xf2, 0x4c, 0xfe, 0xde, 0x41, 0x4c, 0xf9, 0xd9, 0x46, 0x49, 0x5c, 0x7c, 0x20, - 0x85, 0xbe, 0xe9, 0x45, 0xc1, 0x10, 0xc7, 0x0a, 0x05, 0x70, 0x71, 0x23, 0x19, 0x20, 0x24, 0xaf, - 0x87, 0xe4, 0x11, 0x3d, 0x4c, 0x67, 0x49, 0x29, 0xe0, 0x56, 0x00, 0xb1, 0xdb, 0xc9, 0xfe, 0xc2, - 0x43, 0x39, 0x86, 0x1b, 0x0f, 0xe5, 0x18, 0x3e, 0x3c, 0x94, 0x63, 0x6c, 0x78, 0x24, 0xc7, 0xb8, - 0xe2, 0x91, 0x1c, 0xe3, 0x89, 0x47, 0x72, 0x8c, 0x17, 0x1e, 0xc9, 0x31, 0x3e, 0x78, 0x24, 0xc7, - 0xf8, 0xe2, 0x91, 0x1c, 0xc3, 0x87, 0x47, 0x72, 0x8c, 0x13, 0x1e, 0xcb, 0x31, 0x5c, 0x78, 0x2c, - 0xc7, 0x70, 0xe3, 0xb1, 0x1c, 0x43, 0x14, 0x27, 0x3c, 0x64, 0x93, 0xd8, 0xc0, 0xc1, 0x62, 0x0c, - 0x08, 0x00, 0x00, 0xff, 0xff, 0x34, 0x04, 0xb4, 0xe3, 0x89, 0x01, 0x00, 0x00, -} - -func (this *UpdateCertsRequest) Equal(that interface{}) bool { - if that == nil { - return this == nil - } - - that1, ok := that.(*UpdateCertsRequest) - if !ok { - that2, ok := that.(UpdateCertsRequest) - if ok { - that1 = &that2 - } else { - return false - } - 
} - if that1 == nil { - return this == nil - } else if this == nil { - return false - } - if this.Key != that1.Key { - return false - } - if this.Cert != that1.Cert { - return false - } - return true -} -func (this *UpdateCertsResponse) Equal(that interface{}) bool { - if that == nil { - return this == nil - } - - that1, ok := that.(*UpdateCertsResponse) - if !ok { - that2, ok := that.(UpdateCertsResponse) - if ok { - that1 = &that2 - } else { - return false - } - } - if that1 == nil { - return this == nil - } else if this == nil { - return false - } - if this.OK != that1.OK { - return false - } - return true -} -func (this *UpdateCertsRequest) GoString() string { - if this == nil { - return "nil" - } - s := make([]string, 0, 6) - s = append(s, "&certmgrpb.UpdateCertsRequest{") - s = append(s, "Key: "+fmt.Sprintf("%#v", this.Key)+",\n") - s = append(s, "Cert: "+fmt.Sprintf("%#v", this.Cert)+",\n") - s = append(s, "}") - return strings.Join(s, "") -} -func (this *UpdateCertsResponse) GoString() string { - if this == nil { - return "nil" - } - s := make([]string, 0, 5) - s = append(s, "&certmgrpb.UpdateCertsResponse{") - s = append(s, "OK: "+fmt.Sprintf("%#v", this.OK)+",\n") - s = append(s, "}") - return strings.Join(s, "") -} -func valueToGoStringService(v interface{}, typ string) string { - rv := reflect.ValueOf(v) - if rv.IsNil() { - return "nil" - } - pv := reflect.Indirect(rv).Interface() - return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv) -} - -// Reference imports to suppress errors if they are not otherwise used. -var _ context.Context -var _ grpc.ClientConn - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -const _ = grpc.SupportPackageIsVersion4 - -// CertMgrServiceClient is the client API for CertMgrService service. 
-// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. -type CertMgrServiceClient interface { - UpdateCerts(ctx context.Context, in *UpdateCertsRequest, opts ...grpc.CallOption) (*UpdateCertsResponse, error) -} - -type certMgrServiceClient struct { - cc *grpc.ClientConn -} - -func NewCertMgrServiceClient(cc *grpc.ClientConn) CertMgrServiceClient { - return &certMgrServiceClient{cc} -} - -func (c *certMgrServiceClient) UpdateCerts(ctx context.Context, in *UpdateCertsRequest, opts ...grpc.CallOption) (*UpdateCertsResponse, error) { - out := new(UpdateCertsResponse) - err := c.cc.Invoke(ctx, "/px.services.CertMgrService/UpdateCerts", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// CertMgrServiceServer is the server API for CertMgrService service. -type CertMgrServiceServer interface { - UpdateCerts(context.Context, *UpdateCertsRequest) (*UpdateCertsResponse, error) -} - -// UnimplementedCertMgrServiceServer can be embedded to have forward compatible implementations. 
-type UnimplementedCertMgrServiceServer struct { -} - -func (*UnimplementedCertMgrServiceServer) UpdateCerts(ctx context.Context, req *UpdateCertsRequest) (*UpdateCertsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateCerts not implemented") -} - -func RegisterCertMgrServiceServer(s *grpc.Server, srv CertMgrServiceServer) { - s.RegisterService(&_CertMgrService_serviceDesc, srv) -} - -func _CertMgrService_UpdateCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(UpdateCertsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(CertMgrServiceServer).UpdateCerts(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/px.services.CertMgrService/UpdateCerts", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(CertMgrServiceServer).UpdateCerts(ctx, req.(*UpdateCertsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -var _CertMgrService_serviceDesc = grpc.ServiceDesc{ - ServiceName: "px.services.CertMgrService", - HandlerType: (*CertMgrServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "UpdateCerts", - Handler: _CertMgrService_UpdateCerts_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "src/vizier/services/certmgr/certmgrpb/service.proto", -} - -func (m *UpdateCertsRequest) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *UpdateCertsRequest) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *UpdateCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if len(m.Cert) > 0 { - i -= len(m.Cert) - 
copy(dAtA[i:], m.Cert) - i = encodeVarintService(dAtA, i, uint64(len(m.Cert))) - i-- - dAtA[i] = 0x12 - } - if len(m.Key) > 0 { - i -= len(m.Key) - copy(dAtA[i:], m.Key) - i = encodeVarintService(dAtA, i, uint64(len(m.Key))) - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil -} - -func (m *UpdateCertsResponse) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *UpdateCertsResponse) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *UpdateCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.OK { - i-- - if m.OK { - dAtA[i] = 1 - } else { - dAtA[i] = 0 - } - i-- - dAtA[i] = 0x8 - } - return len(dAtA) - i, nil -} - -func encodeVarintService(dAtA []byte, offset int, v uint64) int { - offset -= sovService(v) - base := offset - for v >= 1<<7 { - dAtA[offset] = uint8(v&0x7f | 0x80) - v >>= 7 - offset++ - } - dAtA[offset] = uint8(v) - return base -} -func (m *UpdateCertsRequest) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - l = len(m.Key) - if l > 0 { - n += 1 + l + sovService(uint64(l)) - } - l = len(m.Cert) - if l > 0 { - n += 1 + l + sovService(uint64(l)) - } - return n -} - -func (m *UpdateCertsResponse) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if m.OK { - n += 2 - } - return n -} - -func sovService(x uint64) (n int) { - return (math_bits.Len64(x|1) + 6) / 7 -} -func sozService(x uint64) (n int) { - return sovService(uint64((x << 1) ^ uint64((int64(x) >> 63)))) -} -func (this *UpdateCertsRequest) String() string { - if this == nil { - return "nil" - } - s := strings.Join([]string{`&UpdateCertsRequest{`, - `Key:` + fmt.Sprintf("%v", this.Key) + `,`, - `Cert:` + fmt.Sprintf("%v", this.Cert) + `,`, - `}`, - }, "") - return s -} -func 
(this *UpdateCertsResponse) String() string { - if this == nil { - return "nil" - } - s := strings.Join([]string{`&UpdateCertsResponse{`, - `OK:` + fmt.Sprintf("%v", this.OK) + `,`, - `}`, - }, "") - return s -} -func valueToStringService(v interface{}) string { - rv := reflect.ValueOf(v) - if rv.IsNil() { - return "nil" - } - pv := reflect.Indirect(rv).Interface() - return fmt.Sprintf("*%v", pv) -} -func (m *UpdateCertsRequest) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowService - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: UpdateCertsRequest: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: UpdateCertsRequest: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowService - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthService - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthService - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Key = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowService 
- } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthService - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthService - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Cert = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipService(dAtA[iNdEx:]) - if err != nil { - return err - } - if (skippy < 0) || (iNdEx+skippy) < 0 { - return ErrInvalidLengthService - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *UpdateCertsResponse) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowService - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: UpdateCertsResponse: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: UpdateCertsResponse: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field OK", wireType) - } - var v int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowService - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.OK = bool(v != 0) - default: - iNdEx = preIndex - skippy, err := skipService(dAtA[iNdEx:]) - if err != nil { - return err - } - if (skippy < 0) 
|| (iNdEx+skippy) < 0 { - return ErrInvalidLengthService - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func skipService(dAtA []byte) (n int, err error) { - l := len(dAtA) - iNdEx := 0 - depth := 0 - for iNdEx < l { - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowService - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - wireType := int(wire & 0x7) - switch wireType { - case 0: - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowService - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - iNdEx++ - if dAtA[iNdEx-1] < 0x80 { - break - } - } - case 1: - iNdEx += 8 - case 2: - var length int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowService - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - length |= (int(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - if length < 0 { - return 0, ErrInvalidLengthService - } - iNdEx += length - case 3: - depth++ - case 4: - if depth == 0 { - return 0, ErrUnexpectedEndOfGroupService - } - depth-- - case 5: - iNdEx += 4 - default: - return 0, fmt.Errorf("proto: illegal wireType %d", wireType) - } - if iNdEx < 0 { - return 0, ErrInvalidLengthService - } - if depth == 0 { - return iNdEx, nil - } - } - return 0, io.ErrUnexpectedEOF -} - -var ( - ErrInvalidLengthService = fmt.Errorf("proto: negative length found during unmarshaling") - ErrIntOverflowService = fmt.Errorf("proto: integer overflow") - ErrUnexpectedEndOfGroupService = fmt.Errorf("proto: unexpected end of group") -) diff --git a/src/vizier/services/certmgr/certmgrpb/service.proto b/src/vizier/services/certmgr/certmgrpb/service.proto deleted file mode 100644 index e3b56366e19..00000000000 
--- a/src/vizier/services/certmgr/certmgrpb/service.proto
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-syntax = "proto3";
-
-package px.services;
-
-option go_package = "certmgrpb";
-
-import "github.com/gogo/protobuf/gogoproto/gogo.proto";
-
-// CertMgrService manages Vizier's proxy certs.
-service CertMgrService {
- rpc UpdateCerts(UpdateCertsRequest) returns (UpdateCertsResponse);
-}
-
-// This request is from CloudConnector -> CrtMgr. In the future, we may
-// want CrtMgr to be the one initiating the request when it detects that its certs are
-// expiring.
-message UpdateCertsRequest {
- string key = 1;
- string cert = 2;
-}
-
-message UpdateCertsResponse {
- bool ok = 1 [(gogoproto.customname) = "OK"];
-}
diff --git a/src/vizier/services/certmgr/controllers/BUILD.bazel b/src/vizier/services/certmgr/controllers/BUILD.bazel
deleted file mode 100644
index 2753bd6efe4..00000000000
--- a/src/vizier/services/certmgr/controllers/BUILD.bazel
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2018- The Pixie Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
- name = "controllers",
- srcs = [
- "k8s_api.go",
- "server.go",
- ],
- importpath = "px.dev/pixie/src/vizier/services/certmgr/controllers",
- visibility = ["//src/vizier:__subpackages__"],
- deps = [
- "//src/shared/cvmsgspb:cvmsgs_pl_go_proto",
- "//src/utils",
- "//src/vizier/services/certmgr/certmgrenv",
- "//src/vizier/services/certmgr/certmgrpb:service_pl_go_proto",
- "//src/vizier/utils/messagebus",
- "@com_github_gofrs_uuid//:uuid",
- "@com_github_gogo_protobuf//types",
- "@com_github_nats_io_nats_go//:nats_go",
- "@com_github_sirupsen_logrus//:logrus",
- "@io_k8s_api//core/v1:core",
- "@io_k8s_apimachinery//pkg/apis/meta/v1:meta",
- "@io_k8s_apimachinery//pkg/labels",
- "@io_k8s_client_go//kubernetes",
- "@io_k8s_client_go//rest",
- ],
-)
-
-go_test(
- name = "controllers_test",
- srcs = ["server_test.go"],
- deps = [
- ":controllers",
- "//src/vizier/services/certmgr/certmgrpb:service_pl_go_proto",
- "//src/vizier/services/certmgr/controllers/mock",
- "@com_github_gofrs_uuid//:uuid",
- "@com_github_golang_mock//gomock",
- "@com_github_stretchr_testify//assert",
- "@com_github_stretchr_testify//require",
- ],
-)
diff --git a/src/vizier/services/certmgr/controllers/k8s_api.go b/src/vizier/services/certmgr/controllers/k8s_api.go
deleted file mode 100644
index cdc0e318f56..00000000000
--- a/src/vizier/services/certmgr/controllers/k8s_api.go
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package controllers
-
-import (
- "context"
- "crypto/tls"
- "fmt"
-
- log "github.com/sirupsen/logrus"
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/client-go/kubernetes"
- "k8s.io/client-go/rest"
-)
-
-// K8sAPIImpl is a wrapper around the k8s API.
-type K8sAPIImpl struct {
- clientset *kubernetes.Clientset
- namespace string
-}
-
-// NewK8sAPI creates a new K8sAPIImpl.
-func NewK8sAPI(namespace string) (*K8sAPIImpl, error) {
- // There is a specific config for services running in the cluster.
- kubeConfig, err := rest.InClusterConfig()
- if err != nil {
- return nil, err
- }
- log.Info("Got cluster config")
-
- // Create k8s client.
- clientset, err := kubernetes.NewForConfig(kubeConfig)
- if err != nil {
- return nil, err
- }
- log.Info("Created k8s client")
-
- k8sAPI := &K8sAPIImpl{clientset: clientset, namespace: namespace}
- return k8sAPI, nil
-}
-
-// CreateTLSSecret creates a new TLS secret with the given key and cert.
-func (k *K8sAPIImpl) CreateTLSSecret(name string, key string, cert string) error {
- // Delete secret before creating.
- err := k.clientset.CoreV1().Secrets(k.namespace).Delete(context.Background(), name, metav1.DeleteOptions{})
- if err != nil {
- log.WithError(err).Debug("could not delete secret")
- } else {
- log.Info(fmt.Sprintf("Deleted secret: %s", name))
- }
-
- if _, err := tls.X509KeyPair([]byte(cert), []byte(key)); err != nil {
- return err
- }
-
- secret := &v1.Secret{}
- secret.Name = name
- secret.Type = v1.SecretTypeTLS
- secret.Data = map[string][]byte{}
- secret.Data[v1.TLSCertKey] = []byte(cert)
- secret.Data[v1.TLSPrivateKeyKey] = []byte(key)
-
- _, err = k.clientset.CoreV1().Secrets(k.namespace).Create(context.Background(), secret, metav1.CreateOptions{})
- if err != nil {
- return err
- }
-
- log.Info(fmt.Sprintf("Created TLS secret: %s", name))
- return nil
-}
-
-// GetPodNamesForService gets the pod names for the given service.
-func (k *K8sAPIImpl) GetPodNamesForService(name string) ([]string, error) {
- svc, err := k.clientset.CoreV1().Services(k.namespace).Get(context.Background(), name, metav1.GetOptions{})
- if err != nil {
- return []string{}, err
- }
-
- set := labels.Set(svc.Spec.Selector)
-
- pods, err := k.clientset.CoreV1().Pods(k.namespace).List(context.Background(), metav1.ListOptions{LabelSelector: set.String()})
- if err != nil {
- return []string{}, err
- }
-
- podNames := make([]string, len(pods.Items))
- for idx, v := range pods.Items {
- podNames[idx] = v.GetName()
- }
-
- return podNames, nil
-}
-
-// DeletePod deletes the pod with the given name.
-func (k *K8sAPIImpl) DeletePod(name string) error {
- err := k.clientset.CoreV1().Pods(k.namespace).Delete(context.Background(), name, metav1.DeleteOptions{})
- return err
-}
diff --git a/src/vizier/services/certmgr/controllers/mock.go b/src/vizier/services/certmgr/controllers/mock.go
deleted file mode 100644
index 8ecc9be71ea..00000000000
--- a/src/vizier/services/certmgr/controllers/mock.go
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package controllers
-
-//go:generate mockgen -source=server.go -destination=mock/mock_k8s_api.gen.go K8sAPI
diff --git a/src/vizier/services/certmgr/controllers/mock/BUILD.bazel b/src/vizier/services/certmgr/controllers/mock/BUILD.bazel
deleted file mode 100644
index 11539e26096..00000000000
--- a/src/vizier/services/certmgr/controllers/mock/BUILD.bazel
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 2018- The Pixie Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
- name = "mock",
- srcs = ["mock_k8s_api.gen.go"],
- importpath = "px.dev/pixie/src/vizier/services/certmgr/controllers/mock",
- visibility = ["//src/vizier:__subpackages__"],
- deps = ["@com_github_golang_mock//gomock"],
-)
diff --git a/src/vizier/services/certmgr/controllers/mock/mock_k8s_api.gen.go b/src/vizier/services/certmgr/controllers/mock/mock_k8s_api.gen.go
deleted file mode 100644
index cb2b629e32c..00000000000
--- a/src/vizier/services/certmgr/controllers/mock/mock_k8s_api.gen.go
+++ /dev/null
@@ -1,77 +0,0 @@ -// Code generated by MockGen. DO NOT EDIT. -// Source: server.go - -// Package mock_controllers is a generated GoMock package. -package mock_controllers - -import ( - reflect "reflect" - - gomock "github.com/golang/mock/gomock" -) - -// MockK8sAPI is a mock of K8sAPI interface. -type MockK8sAPI struct { - ctrl *gomock.Controller - recorder *MockK8sAPIMockRecorder -} - -// MockK8sAPIMockRecorder is the mock recorder for MockK8sAPI. -type MockK8sAPIMockRecorder struct { - mock *MockK8sAPI -} - -// NewMockK8sAPI creates a new mock instance. -func NewMockK8sAPI(ctrl *gomock.Controller) *MockK8sAPI { - mock := &MockK8sAPI{ctrl: ctrl} - mock.recorder = &MockK8sAPIMockRecorder{mock} - return mock -} - -// EXPECT returns an object that allows the caller to indicate expected use. -func (m *MockK8sAPI) EXPECT() *MockK8sAPIMockRecorder { - return m.recorder -} - -// CreateTLSSecret mocks base method. -func (m *MockK8sAPI) CreateTLSSecret(name, key, cert string) error { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "CreateTLSSecret", name, key, cert) - ret0, _ := ret[0].(error) - return ret0 -} - -// CreateTLSSecret indicates an expected call of CreateTLSSecret. -func (mr *MockK8sAPIMockRecorder) CreateTLSSecret(name, key, cert interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateTLSSecret", reflect.TypeOf((*MockK8sAPI)(nil).CreateTLSSecret), name, key, cert) -} - -// DeletePod mocks base method. -func (m *MockK8sAPI) DeletePod(name string) error { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeletePod", name) - ret0, _ := ret[0].(error) - return ret0 -} - -// DeletePod indicates an expected call of DeletePod. -func (mr *MockK8sAPIMockRecorder) DeletePod(name interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePod", reflect.TypeOf((*MockK8sAPI)(nil).DeletePod), name) -} - -// GetPodNamesForService mocks base method. 
-func (m *MockK8sAPI) GetPodNamesForService(name string) ([]string, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetPodNamesForService", name) - ret0, _ := ret[0].([]string) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetPodNamesForService indicates an expected call of GetPodNamesForService. -func (mr *MockK8sAPIMockRecorder) GetPodNamesForService(name interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPodNamesForService", reflect.TypeOf((*MockK8sAPI)(nil).GetPodNamesForService), name) -} diff --git a/src/vizier/services/certmgr/controllers/server.go b/src/vizier/services/certmgr/controllers/server.go deleted file mode 100644 index 9c541d092d7..00000000000 --- a/src/vizier/services/certmgr/controllers/server.go +++ /dev/null 
@@ -1,234 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package controllers
-
-import (
- "context"
- "errors"
- "time"
-
- "github.com/gofrs/uuid"
- "github.com/gogo/protobuf/types"
- "github.com/nats-io/nats.go"
- log "github.com/sirupsen/logrus"
-
- "px.dev/pixie/src/shared/cvmsgspb"
- "px.dev/pixie/src/utils"
- "px.dev/pixie/src/vizier/services/certmgr/certmgrenv"
- "px.dev/pixie/src/vizier/services/certmgr/certmgrpb"
- "px.dev/pixie/src/vizier/utils/messagebus"
-)
-
-// K8sAPI is responsible for handing k8s requests.
-type K8sAPI interface {
- CreateTLSSecret(name string, key string, cert string) error
- GetPodNamesForService(name string) ([]string, error)
- DeletePod(name string) error
-}
-
-// Server is an implementation of GRPC server for certmgr service.
-type Server struct {
- env certmgrenv.CertMgrEnv
- clusterID uuid.UUID
- k8sAPI K8sAPI
- nc *nats.Conn
- done chan bool
-}
-
-// NewServer creates a new GRPC certmgr server.
-func NewServer(env certmgrenv.CertMgrEnv, clusterID uuid.UUID, nc *nats.Conn, k8sAPI K8sAPI) *Server {
- return &Server{
- env: env,
- clusterID: clusterID,
- nc: nc,
- k8sAPI: k8sAPI,
- done: make(chan bool),
- }
-}
-
-// UpdateCerts updates the proxy certs with the given DNS address.
-func (s *Server) UpdateCerts(ctx context.Context, req *certmgrpb.UpdateCertsRequest) (*certmgrpb.UpdateCertsResponse, error) {
- // Load secrets.
- err := s.k8sAPI.CreateTLSSecret("proxy-tls-certs", req.Key, req.Cert)
- if err != nil {
- return nil, err
- }
-
- // Bounce proxy service.
- pods, err := s.k8sAPI.GetPodNamesForService("vizier-proxy-service")
- if err != nil {
- return nil, err
- }
-
- if len(pods) == 0 {
- return nil, errors.New("No pods exist for proxy service")
- }
-
- for _, pod := range pods {
- err = s.k8sAPI.DeletePod(pod)
-
- if err != nil {
- return nil, err
- }
- }
-
- return &certmgrpb.UpdateCertsResponse{
- OK: true,
- }, nil
-}
-
-func (s *Server) sendSSLCertRequest() error {
- // Send over a request for SSL certs.
- regReq := &cvmsgspb.VizierSSLCertRequest{
- VizierID: utils.ProtoFromUUID(s.clusterID),
- }
-
- regReqAny, err := types.MarshalAny(regReq)
- if err != nil {
- return err
- }
-
- c2vMsg := &cvmsgspb.V2CMessage{
- Msg: regReqAny,
- }
-
- b, err := c2vMsg.Marshal()
- if err != nil {
- return err
- }
-
- return s.nc.Publish(messagebus.V2CTopic("ssl"), b)
-}
-
-// CertRequester is a routine to go loop through cert requests. It's should be run in a go routine.
-func (s *Server) CertRequester() {
- log.Info("Requesting SSL certs")
- sslCh := make(chan *nats.Msg)
- sub, err := s.nc.ChanSubscribe(messagebus.C2VTopic("sslResp"), sslCh)
- if err != nil {
- log.WithError(err).Warn("Failed to subscribe to sslResp channel")
- }
- defer func() {
- err := sub.Unsubscribe()
- if err != nil {
- log.WithError(err).Error("Failed to unsubscribe from sslResp channel")
- }
- }()
-
- configCh := make(chan *nats.Msg)
- sub, err = s.nc.ChanSubscribe(messagebus.C2VTopic("sslVizierConfigResp"), configCh)
- if err != nil {
- log.WithError(err).Warn("Failed to subscribe to sslVizierConfigResp channel")
- }
- defer func() {
- err := sub.Unsubscribe()
- if err != nil {
- log.WithError(err).Error("Failed to unsubscribe from sslVizierConfigResp channel")
- }
- }()
-
- err = s.sendSSLCertRequest()
- if err != nil {
- log.WithError(err).Warn("Failed to send message to request SSL certs")
- }
-
- t := time.NewTicker(30 * time.Second)
- defer t.Stop()
-
- sslResp := cvmsgspb.VizierSSLCertResponse{}
- vizConf := cvmsgspb.VizierConfig{}
-
- for {
- select {
- case <-s.done:
- return
- case <-t.C:
- log.Info("Timeout waiting for SSL certs. Re-requesting")
- err = s.sendSSLCertRequest()
- if err != nil {
- log.WithError(err).Warn("Failed to send message to request SSL certs")
- }
- case confMsg := <-configCh:
- log.Info("Got Vizier Config message")
- envelope := &cvmsgspb.C2VMessage{}
- err := envelope.Unmarshal(confMsg.Data)
- if err != nil {
- log.WithError(err).Error("Got bad Vizier Config")
- break
- }
-
- err = types.UnmarshalAny(envelope.Msg, &vizConf)
- if err != nil {
- log.WithError(err).Error("Got bad Vizier Config")
- break
- }
- if vizConf.GetPassthroughEnabled() {
- // Reset timer to a longer duration since we don't need
- // to do anything in passthrough mode.
- // If the mode changes, we should get a message on the
- // config channel.
- t.Reset(1 * time.Hour)
- } else {
- t.Reset(30 * time.Second)
- err = s.sendSSLCertRequest()
- if err != nil {
- log.WithError(err).Warn("Failed to send message to request SSL certs")
- }
- }
- case sslMsg := <-sslCh:
- log.Info("Got SSL message")
- envelope := &cvmsgspb.C2VMessage{}
- err := envelope.Unmarshal(sslMsg.Data)
- if err != nil {
- // jump out and wait for timeout.
- log.WithError(err).Error("Got bad SSL response")
- break
- }
-
- err = types.UnmarshalAny(envelope.Msg, &sslResp)
- if err != nil {
- log.WithError(err).Error("Got bad SSL response")
- break
- }
-
- certMgrReq := &certmgrpb.UpdateCertsRequest{
- Key: sslResp.Key,
- Cert: sslResp.Cert,
- }
-
- ctx := context.Background()
- certMgrResp, err := s.UpdateCerts(ctx, certMgrReq)
- if err != nil {
- log.WithError(err).Fatal("Failed to update certs")
- }
-
- if !certMgrResp.OK {
- log.Fatal("Failed to update certs")
- }
- log.WithField("reply", certMgrResp.String()).Info("Certs Updated")
-
- t.Reset(5 * time.Minute)
- }
- }
-}
-
-// StopCertRequester stops the cert requester.
-func (s *Server) StopCertRequester() {
- close(s.done)
-}
diff --git a/src/vizier/services/certmgr/controllers/server_test.go b/src/vizier/services/certmgr/controllers/server_test.go
deleted file mode 100644
index 5b0f2cf7e3b..00000000000
--- a/src/vizier/services/certmgr/controllers/server_test.go
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright 2018- The Pixie Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-package controllers_test
-
-import (
- "context"
- "errors"
- "testing"
-
- "github.com/gofrs/uuid"
- "github.com/golang/mock/gomock"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- "px.dev/pixie/src/vizier/services/certmgr/certmgrpb"
- "px.dev/pixie/src/vizier/services/certmgr/controllers"
- mock_controllers "px.dev/pixie/src/vizier/services/certmgr/controllers/mock"
-)
-
-func TestServer_UpdateCerts(t *testing.T) {
- ctrl := gomock.NewController(t)
- defer ctrl.Finish()
- mockK8s := mock_controllers.NewMockK8sAPI(ctrl)
-
- s := controllers.NewServer(nil, uuid.Must(uuid.NewV4()), nil, mockK8s)
-
- req := &certmgrpb.UpdateCertsRequest{
- Key: "abc",
- Cert: "def",
- }
-
- mockK8s.EXPECT().
- CreateTLSSecret("proxy-tls-certs", "abc", "def").
- Return(nil)
-
- mockK8s.EXPECT().
- GetPodNamesForService("vizier-proxy-service").
- Return([]string{"vizier-proxy-service-pod", "test"}, nil)
-
- mockK8s.EXPECT().
- DeletePod("vizier-proxy-service-pod").
- Return(nil)
-
- mockK8s.EXPECT().
- DeletePod("test").
- Return(nil)
-
- resp, err := s.UpdateCerts(context.Background(), req)
- require.NoError(t, err)
- assert.NotNil(t, resp)
- assert.Equal(t, true, resp.OK)
-}
-
-func TestServer_UpdateCerts_SecretsFailed(t *testing.T) {
- ctrl := gomock.NewController(t)
- defer ctrl.Finish()
- mockK8s := mock_controllers.NewMockK8sAPI(ctrl)
-
- s := controllers.NewServer(nil, uuid.Must(uuid.NewV4()), nil, mockK8s)
-
- req := &certmgrpb.UpdateCertsRequest{
- Key: "abc",
- Cert: "def",
- }
-
- mockK8s.EXPECT().
- CreateTLSSecret("proxy-tls-certs", "abc", "def").
- Return(errors.New("Could not create secret"))
-
- resp, err := s.UpdateCerts(context.Background(), req)
- assert.Nil(t, resp)
- assert.NotNil(t, err)
-}
-
-func TestServer_UpdateCerts_NoPods(t *testing.T) {
- ctrl := gomock.NewController(t)
- defer ctrl.Finish()
- mockK8s := mock_controllers.NewMockK8sAPI(ctrl)
-
- s := controllers.NewServer(nil, uuid.Must(uuid.NewV4()), nil, mockK8s)
-
- req := &certmgrpb.UpdateCertsRequest{
- Key: "abc",
- Cert: "def",
- }
-
- mockK8s.EXPECT().
- CreateTLSSecret("proxy-tls-certs", "abc", "def").
- Return(nil)
-
- mockK8s.EXPECT().
- GetPodNamesForService("vizier-proxy-service").
- Return([]string{}, nil)
-
- resp, err := s.UpdateCerts(context.Background(), req)
- assert.Nil(t, resp)
- assert.NotNil(t, err)
-}
-
-func TestServer_UpdateCerts_FailedPodDeletion(t *testing.T) {
- ctrl := gomock.NewController(t)
- defer ctrl.Finish()
- mockK8s := mock_controllers.NewMockK8sAPI(ctrl)
-
- s := controllers.NewServer(nil, uuid.Must(uuid.NewV4()), nil, mockK8s)
-
- req := &certmgrpb.UpdateCertsRequest{
- Key: "abc",
- Cert: "def",
- }
-
- mockK8s.EXPECT().
- CreateTLSSecret("proxy-tls-certs", "abc", "def").
- Return(nil)
-
- mockK8s.EXPECT().
- GetPodNamesForService("vizier-proxy-service").
- Return([]string{"vizier-proxy-service-pod"}, nil)
-
- mockK8s.EXPECT().
- DeletePod("vizier-proxy-service-pod").
- Return(errors.New("Could not delete pod"))
-
- resp, err := s.UpdateCerts(context.Background(), req)
- assert.Nil(t, resp)
- assert.NotNil(t, err)
-}