2022-07-07 20:11:50 +00:00
|
|
|
/*
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package transport
|
|
|
|
|
|
|
|
import (
|
2024-02-24 00:34:55 +00:00
|
|
|
"context"
|
2022-07-07 20:11:50 +00:00
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
"sync"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
|
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
2024-02-24 00:34:55 +00:00
|
|
|
"k8s.io/client-go/tools/metrics"
|
2022-07-07 20:11:50 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TlsTransportCache caches TLS http.RoundTrippers different configurations. The
|
|
|
|
// same RoundTripper will be returned for configs with identical TLS options If
|
|
|
|
// the config has no custom TLS options, http.DefaultTransport is returned.
|
|
|
|
type tlsTransportCache struct {
|
|
|
|
mu sync.Mutex
|
|
|
|
transports map[tlsCacheKey]*http.Transport
|
|
|
|
}
|
|
|
|
|
2024-02-24 00:34:55 +00:00
|
|
|
// DialerStopCh is stop channel that is passed down to dynamic cert dialer.
|
|
|
|
// It's exposed as variable for testing purposes to avoid testing for goroutine
|
|
|
|
// leakages.
|
|
|
|
var DialerStopCh = wait.NeverStop
|
|
|
|
|
2022-07-07 20:11:50 +00:00
|
|
|
const idleConnsPerHost = 25
|
|
|
|
|
|
|
|
var tlsCache = &tlsTransportCache{transports: make(map[tlsCacheKey]*http.Transport)}
|
|
|
|
|
|
|
|
type tlsCacheKey struct {
|
|
|
|
insecure bool
|
|
|
|
caData string
|
|
|
|
certData string
|
|
|
|
keyData string `datapolicy:"security-key"`
|
|
|
|
certFile string
|
|
|
|
keyFile string
|
|
|
|
serverName string
|
|
|
|
nextProtos string
|
|
|
|
disableCompression bool
|
2024-02-24 00:34:55 +00:00
|
|
|
// these functions are wrapped to allow them to be used as map keys
|
|
|
|
getCert *GetCertHolder
|
|
|
|
dial *DialHolder
|
2022-07-07 20:11:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (t tlsCacheKey) String() string {
|
|
|
|
keyText := "<none>"
|
|
|
|
if len(t.keyData) > 0 {
|
|
|
|
keyText = "<redacted>"
|
|
|
|
}
|
2024-02-24 00:34:55 +00:00
|
|
|
return fmt.Sprintf("insecure:%v, caData:%#v, certData:%#v, keyData:%s, serverName:%s, disableCompression:%t, getCert:%p, dial:%p",
|
|
|
|
t.insecure, t.caData, t.certData, keyText, t.serverName, t.disableCompression, t.getCert, t.dial)
|
2022-07-07 20:11:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) {
|
|
|
|
key, canCache, err := tlsConfigKey(config)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if canCache {
|
|
|
|
// Ensure we only create a single transport for the given TLS options
|
|
|
|
c.mu.Lock()
|
|
|
|
defer c.mu.Unlock()
|
2024-02-24 00:34:55 +00:00
|
|
|
defer metrics.TransportCacheEntries.Observe(len(c.transports))
|
2022-07-07 20:11:50 +00:00
|
|
|
|
|
|
|
// See if we already have a custom transport for this config
|
|
|
|
if t, ok := c.transports[key]; ok {
|
2024-02-24 00:34:55 +00:00
|
|
|
metrics.TransportCreateCalls.Increment("hit")
|
2022-07-07 20:11:50 +00:00
|
|
|
return t, nil
|
|
|
|
}
|
2024-02-24 00:34:55 +00:00
|
|
|
metrics.TransportCreateCalls.Increment("miss")
|
|
|
|
} else {
|
|
|
|
metrics.TransportCreateCalls.Increment("uncacheable")
|
2022-07-07 20:11:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get the TLS options for this client config
|
|
|
|
tlsConfig, err := TLSConfigFor(config)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
// The options didn't require a custom TLS config
|
2024-02-24 00:34:55 +00:00
|
|
|
if tlsConfig == nil && config.DialHolder == nil && config.Proxy == nil {
|
2022-07-07 20:11:50 +00:00
|
|
|
return http.DefaultTransport, nil
|
|
|
|
}
|
|
|
|
|
2024-02-24 00:34:55 +00:00
|
|
|
var dial func(ctx context.Context, network, address string) (net.Conn, error)
|
|
|
|
if config.DialHolder != nil {
|
|
|
|
dial = config.DialHolder.Dial
|
|
|
|
} else {
|
2022-07-07 20:11:50 +00:00
|
|
|
dial = (&net.Dialer{
|
|
|
|
Timeout: 30 * time.Second,
|
|
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
}).DialContext
|
|
|
|
}
|
|
|
|
|
|
|
|
// If we use are reloading files, we need to handle certificate rotation properly
|
|
|
|
// TODO(jackkleeman): We can also add rotation here when config.HasCertCallback() is true
|
2024-02-24 00:34:55 +00:00
|
|
|
if config.TLS.ReloadTLSFiles && tlsConfig != nil && tlsConfig.GetClientCertificate != nil {
|
2022-07-07 20:11:50 +00:00
|
|
|
dynamicCertDialer := certRotatingDialer(tlsConfig.GetClientCertificate, dial)
|
|
|
|
tlsConfig.GetClientCertificate = dynamicCertDialer.GetClientCertificate
|
|
|
|
dial = dynamicCertDialer.connDialer.DialContext
|
2024-02-24 00:34:55 +00:00
|
|
|
go dynamicCertDialer.Run(DialerStopCh)
|
2022-07-07 20:11:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
proxy := http.ProxyFromEnvironment
|
|
|
|
if config.Proxy != nil {
|
|
|
|
proxy = config.Proxy
|
|
|
|
}
|
|
|
|
|
|
|
|
transport := utilnet.SetTransportDefaults(&http.Transport{
|
|
|
|
Proxy: proxy,
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
TLSClientConfig: tlsConfig,
|
|
|
|
MaxIdleConnsPerHost: idleConnsPerHost,
|
|
|
|
DialContext: dial,
|
|
|
|
DisableCompression: config.DisableCompression,
|
|
|
|
})
|
|
|
|
|
|
|
|
if canCache {
|
|
|
|
// Cache a single transport for these options
|
|
|
|
c.transports[key] = transport
|
|
|
|
}
|
|
|
|
|
|
|
|
return transport, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// tlsConfigKey returns a unique key for tls.Config objects returned from TLSConfigFor
|
|
|
|
func tlsConfigKey(c *Config) (tlsCacheKey, bool, error) {
|
|
|
|
// Make sure ca/key/cert content is loaded
|
|
|
|
if err := loadTLSFiles(c); err != nil {
|
|
|
|
return tlsCacheKey{}, false, err
|
|
|
|
}
|
|
|
|
|
2024-02-24 00:34:55 +00:00
|
|
|
if c.Proxy != nil {
|
2022-07-07 20:11:50 +00:00
|
|
|
// cannot determine equality for functions
|
|
|
|
return tlsCacheKey{}, false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
k := tlsCacheKey{
|
|
|
|
insecure: c.TLS.Insecure,
|
|
|
|
caData: string(c.TLS.CAData),
|
|
|
|
serverName: c.TLS.ServerName,
|
|
|
|
nextProtos: strings.Join(c.TLS.NextProtos, ","),
|
|
|
|
disableCompression: c.DisableCompression,
|
2024-02-24 00:34:55 +00:00
|
|
|
getCert: c.TLS.GetCertHolder,
|
|
|
|
dial: c.DialHolder,
|
2022-07-07 20:11:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if c.TLS.ReloadTLSFiles {
|
|
|
|
k.certFile = c.TLS.CertFile
|
|
|
|
k.keyFile = c.TLS.KeyFile
|
|
|
|
} else {
|
|
|
|
k.certData = string(c.TLS.CertData)
|
|
|
|
k.keyData = string(c.TLS.KeyData)
|
|
|
|
}
|
|
|
|
|
|
|
|
return k, true, nil
|
|
|
|
}
|