Split streaming config from runtime config

Signed-off-by: Derek McGowan <derek@mcg.dev>
2024-01-28 22:00:11 -08:00
parent 58ff9d368d
commit 65b3922df7
18 changed files with 433 additions and 412 deletions
--- a/pkg/cri/server/container_update_resources_linux_test.go
+++ b/pkg/cri/server/container_update_resources_linux_test.go
@@ -239,7 +239,7 @@ func TestUpdateOCILinuxResource(t *testing.T) {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			config := criconfig.Config{
-				PluginConfig: criconfig.PluginConfig{
+				RuntimeConfig: criconfig.RuntimeConfig{
 					TolerateMissingHugetlbController: true,
 					DisableHugetlbController:         false,
 				},
--- a/pkg/cri/server/podsandbox/controller_test.go
+++ b/pkg/cri/server/podsandbox/controller_test.go
@@ -38,7 +38,7 @@ const (
 var testConfig = criconfig.Config{
 	RootDir:  testRootDir,
 	StateDir: testStateDir,
-	PluginConfig: criconfig.PluginConfig{
+	RuntimeConfig: criconfig.RuntimeConfig{
 		TolerateMissingHugetlbController: true,
 	},
 }
--- a/pkg/cri/server/runtime_config_linux_test.go
+++ b/pkg/cri/server/runtime_config_linux_test.go
@@ -94,8 +94,8 @@ func TestRuntimeConfig(t *testing.T) {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			c := newTestCRIService()
-			c.config.PluginConfig.ContainerdConfig.DefaultRuntimeName = test.defaultRuntime
-			c.config.PluginConfig.ContainerdConfig.Runtimes = test.runtimes
+			c.config.RuntimeConfig.ContainerdConfig.DefaultRuntimeName = test.defaultRuntime
+			c.config.RuntimeConfig.ContainerdConfig.Runtimes = test.runtimes

 			resp, err := c.RuntimeConfig(context.TODO(), &runtime.RuntimeConfigRequest{})
 			assert.NoError(t, err)
--- a/pkg/cri/server/service.go
+++ b/pkg/cri/server/service.go
@@ -142,6 +142,8 @@ type CRIServiceOptions struct {

 	ImageService ImageService

+	StreamingConfig streaming.Config
+
 	NRI *nri.API

 	// SandboxControllers is a map of all the loaded sandbox controllers
@@ -189,7 +191,7 @@ func NewCRIService(options *CRIServiceOptions) (CRIService, runtime.RuntimeServi
 	}

 	// prepare streaming server
-	c.streamServer, err = newStreamServer(c, config.StreamServerAddress, config.StreamServerPort, config.StreamIdleTimeout)
+	c.streamServer, err = streaming.NewServer(options.StreamingConfig, newStreamRuntime(c))
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create stream server: %w", err)
 	}
--- a/pkg/cri/server/streaming.go
+++ b/pkg/cri/server/streaming.go
@@ -18,104 +18,18 @@ package server

 import (
 	"context"
-	"crypto/tls"
-	"errors"
 	"fmt"
 	"io"
 	"math"
-	"net"
-	"os"
-	"time"

-	k8snet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/tools/remotecommand"
-	k8scert "k8s.io/client-go/util/cert"
 	"k8s.io/utils/exec"

 	ctrdutil "github.com/containerd/containerd/v2/pkg/cri/util"
 	"k8s.io/kubelet/pkg/cri/streaming"
 )

-type streamListenerMode int
-
-const (
-	x509KeyPairTLS streamListenerMode = iota
-	selfSignTLS
-	withoutTLS
-)
-
-func getStreamListenerMode(c *criService) (streamListenerMode, error) {
-	if c.config.EnableTLSStreaming {
-		if c.config.X509KeyPairStreaming.TLSCertFile != "" && c.config.X509KeyPairStreaming.TLSKeyFile != "" {
-			return x509KeyPairTLS, nil
-		}
-		if c.config.X509KeyPairStreaming.TLSCertFile != "" && c.config.X509KeyPairStreaming.TLSKeyFile == "" {
-			return -1, errors.New("must set X509KeyPairStreaming.TLSKeyFile")
-		}
-		if c.config.X509KeyPairStreaming.TLSCertFile == "" && c.config.X509KeyPairStreaming.TLSKeyFile != "" {
-			return -1, errors.New("must set X509KeyPairStreaming.TLSCertFile")
-		}
-		return selfSignTLS, nil
-	}
-	if c.config.X509KeyPairStreaming.TLSCertFile != "" {
-		return -1, errors.New("X509KeyPairStreaming.TLSCertFile is set but EnableTLSStreaming is not set")
-	}
-	if c.config.X509KeyPairStreaming.TLSKeyFile != "" {
-		return -1, errors.New("X509KeyPairStreaming.TLSKeyFile is set but EnableTLSStreaming is not set")
-	}
-	return withoutTLS, nil
-}
-
-func newStreamServer(c *criService, addr, port, streamIdleTimeout string) (streaming.Server, error) {
-	if addr == "" {
-		a, err := k8snet.ResolveBindAddress(nil)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get stream server address: %w", err)
-		}
-		addr = a.String()
-	}
-	config := streaming.DefaultConfig
-	if streamIdleTimeout != "" {
-		var err error
-		config.StreamIdleTimeout, err = time.ParseDuration(streamIdleTimeout)
-		if err != nil {
-			return nil, fmt.Errorf("invalid stream idle timeout: %w", err)
-		}
-	}
-	config.Addr = net.JoinHostPort(addr, port)
-	run := newStreamRuntime(c)
-	tlsMode, err := getStreamListenerMode(c)
-	if err != nil {
-		return nil, fmt.Errorf("invalid stream server configuration: %w", err)
-	}
-	switch tlsMode {
-	case x509KeyPairTLS:
-		tlsCert, err := tls.LoadX509KeyPair(c.config.X509KeyPairStreaming.TLSCertFile, c.config.X509KeyPairStreaming.TLSKeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load x509 key pair for stream server: %w", err)
-		}
-		config.TLSConfig = &tls.Config{
-			Certificates: []tls.Certificate{tlsCert},
-		}
-		return streaming.NewServer(config, run)
-	case selfSignTLS:
-		tlsCert, err := newTLSCert()
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate tls certificate for stream server: %w", err)
-		}
-		config.TLSConfig = &tls.Config{
-			Certificates:       []tls.Certificate{tlsCert},
-			InsecureSkipVerify: true,
-		}
-		return streaming.NewServer(config, run)
-	case withoutTLS:
-		return streaming.NewServer(config, run)
-	default:
-		return nil, errors.New("invalid configuration for the stream listener")
-	}
-}
-
 type streamRuntime struct {
 	c *criService
 }
@@ -187,54 +101,3 @@ func handleResizing(ctx context.Context, resize <-chan remotecommand.TerminalSiz
 		}
 	}()
 }
-
-// newTLSCert returns a self CA signed tls.certificate.
-// TODO (mikebrow): replace / rewrite this function to support using CA
-// signing of the certificate. Requires a security plan for kubernetes regarding
-// CRI connections / streaming, etc. For example, kubernetes could configure or
-// require a CA service and pass a configuration down through CRI.
-func newTLSCert() (tls.Certificate, error) {
-	fail := func(err error) (tls.Certificate, error) { return tls.Certificate{}, err }
-
-	hostName, err := os.Hostname()
-	if err != nil {
-		return fail(fmt.Errorf("failed to get hostname: %w", err))
-	}
-
-	addrs, err := net.InterfaceAddrs()
-	if err != nil {
-		return fail(fmt.Errorf("failed to get host IP addresses: %w", err))
-	}
-
-	var alternateIPs []net.IP
-	var alternateDNS []string
-	for _, addr := range addrs {
-		var ip net.IP
-
-		switch v := addr.(type) {
-		case *net.IPNet:
-			ip = v.IP
-		case *net.IPAddr:
-			ip = v.IP
-		default:
-			continue
-		}
-
-		alternateIPs = append(alternateIPs, ip)
-		alternateDNS = append(alternateDNS, ip.String())
-	}
-
-	// Generate a self signed certificate key (CA is self)
-	certPem, keyPem, err := k8scert.GenerateSelfSignedCertKey(hostName, alternateIPs, alternateDNS)
-	if err != nil {
-		return fail(fmt.Errorf("certificate key could not be created: %w", err))
-	}
-
-	// Load the tls certificate
-	tlsCert, err := tls.X509KeyPair(certPem, keyPem)
-	if err != nil {
-		return fail(fmt.Errorf("certificate could not be loaded: %w", err))
-	}
-
-	return tlsCert, nil
-}
--- a/pkg/cri/server/streaming_test.go
+++ b/pkg/cri/server/streaming_test.go
@@ -1,163 +0,0 @@
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package server
-
-import (
-	"testing"
-
-	"github.com/containerd/containerd/v2/pkg/cri/config"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValidateStreamServer(t *testing.T) {
-	for _, test := range []struct {
-		desc string
-		*criService
-		tlsMode   streamListenerMode
-		expectErr bool
-	}{
-		{
-			desc: "should pass with default withoutTLS",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.DefaultConfig(),
-				},
-			},
-			tlsMode:   withoutTLS,
-			expectErr: false,
-		},
-		{
-			desc: "should pass with x509KeyPairTLS",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: true,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "non-empty",
-							TLSCertFile: "non-empty",
-						},
-					},
-				},
-			},
-			tlsMode:   x509KeyPairTLS,
-			expectErr: false,
-		},
-		{
-			desc: "should pass with selfSign",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: true,
-					},
-				},
-			},
-			tlsMode:   selfSignTLS,
-			expectErr: false,
-		},
-		{
-			desc: "should return error with X509 keypair but not EnableTLSStreaming",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: false,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "non-empty",
-							TLSCertFile: "non-empty",
-						},
-					},
-				},
-			},
-			tlsMode:   -1,
-			expectErr: true,
-		},
-		{
-			desc: "should return error with X509 TLSCertFile empty",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: true,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "non-empty",
-							TLSCertFile: "",
-						},
-					},
-				},
-			},
-			tlsMode:   -1,
-			expectErr: true,
-		},
-		{
-			desc: "should return error with X509 TLSKeyFile empty",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: true,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "",
-							TLSCertFile: "non-empty",
-						},
-					},
-				},
-			},
-			tlsMode:   -1,
-			expectErr: true,
-		},
-		{
-			desc: "should return error without EnableTLSStreaming and only TLSCertFile set",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: false,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "",
-							TLSCertFile: "non-empty",
-						},
-					},
-				},
-			},
-			tlsMode:   -1,
-			expectErr: true,
-		},
-		{
-			desc: "should return error without EnableTLSStreaming and only TLSKeyFile set",
-			criService: &criService{
-				config: config.Config{
-					PluginConfig: config.PluginConfig{
-						EnableTLSStreaming: false,
-						X509KeyPairStreaming: config.X509KeyPairStreaming{
-							TLSKeyFile:  "non-empty",
-							TLSCertFile: "",
-						},
-					},
-				},
-			},
-			tlsMode:   -1,
-			expectErr: true,
-		},
-	} {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			tlsMode, err := getStreamListenerMode(test.criService)
-			if test.expectErr {
-				assert.Error(t, err)
-				return
-			}
-			assert.NoError(t, err)
-			assert.Equal(t, test.tlsMode, tlsMode)
-		})
-	}
-}
--- a/pkg/cri/server/test_config.go
+++ b/pkg/cri/server/test_config.go
@@ -26,7 +26,7 @@ const (
 var testConfig = criconfig.Config{
 	RootDir:  testRootDir,
 	StateDir: testStateDir,
-	PluginConfig: criconfig.PluginConfig{
+	RuntimeConfig: criconfig.RuntimeConfig{
 		TolerateMissingHugetlbController: true,
 		ContainerdConfig: criconfig.ContainerdConfig{
 			DefaultRuntimeName: "runc",