k3s/pkg/agent/https/https.go

package https

import (
	"context"
	"strconv"
	"sync"

	"github.com/gorilla/mux"
	"github.com/k3s-io/k3s/pkg/daemons/config"
	"github.com/k3s-io/k3s/pkg/server/auth"
	"github.com/k3s-io/k3s/pkg/util"
	"k8s.io/apiserver/pkg/server"
	"k8s.io/apiserver/pkg/server/options"
)

// RouterFunc provides a hook for components to register additional routes to a request router
type RouterFunc func(ctx context.Context, nodeConfig *config.Node) (*mux.Router, error)

var once sync.Once
var router *mux.Router
var err error

// Start returns a router with authn/authz filters applied.
// The first time it is called, the router is created and a new HTTPS listener is started if the handler is nil.
// Subsequent calls will return the same router.
func Start(ctx context.Context, nodeConfig *config.Node, runtime *config.ControlRuntime) (*mux.Router, error) {
	once.Do(func() {
		router = mux.NewRouter().SkipClean(true)
		config := &server.Config{}

		if runtime == nil {
			// If we do not have an existing handler, set up a new listener
			tcp, lerr := util.ListenWithLoopback(ctx, nodeConfig.AgentConfig.ListenAddress, strconv.Itoa(nodeConfig.SupervisorPort))
			if lerr != nil {
				err = lerr
				return
			}

			serving := options.NewSecureServingOptions()
			serving.Listener = tcp
			serving.CipherSuites = nodeConfig.AgentConfig.CipherSuites
			serving.MinTLSVersion = nodeConfig.AgentConfig.MinTLSVersion
			serving.ServerCert = options.GeneratableKeyCert{
				CertKey: options.CertKey{
					CertFile: nodeConfig.AgentConfig.ServingKubeletCert,
					KeyFile:  nodeConfig.AgentConfig.ServingKubeletKey,
				},
			}
			if aerr := serving.ApplyTo(&config.SecureServing); aerr != nil {
				err = aerr
				return
			}
		} else {
			// If we have an existing handler, wrap it
			router.NotFoundHandler = runtime.Handler
			runtime.Handler = router
		}

		router.Use(auth.Delegated(nodeConfig.AgentConfig.ClientCA, nodeConfig.AgentConfig.KubeConfigKubelet, config))

		if config.SecureServing != nil {
			_, _, err = config.SecureServing.Serve(router, 0, ctx.Done())
		}
	})

	return router, err
}
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`package https`

			`import (`
			`"context"`
			`"strconv"`
			`"sync"`

			`"github.com/gorilla/mux"`
			`"github.com/k3s-io/k3s/pkg/daemons/config"`
Move delegating auth middleware into common package and add MaxInFlight Adds maximum in-flight request limits to agent join and p2p peer info request request handlers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-16 16:45:22 -04:00			`"github.com/k3s-io/k3s/pkg/server/auth"`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`"github.com/k3s-io/k3s/pkg/util"`
			`"k8s.io/apiserver/pkg/server"`
			`"k8s.io/apiserver/pkg/server/options"`
			`)`

			`// RouterFunc provides a hook for components to register additional routes to a request router`
			`type RouterFunc func(ctx context.Context, nodeConfig config.Node) (mux.Router, error)`

			`var once sync.Once`
			`var router *mux.Router`
			`var err error`

			`// Start returns a router with authn/authz filters applied.`
			`// The first time it is called, the router is created and a new HTTPS listener is started if the handler is nil.`
			`// Subsequent calls will return the same router.`
			`func Start(ctx context.Context, nodeConfig config.Node, runtime config.ControlRuntime) (*mux.Router, error) {`
			`once.Do(func() {`
			`router = mux.NewRouter().SkipClean(true)`
Move delegating auth middleware into common package and add MaxInFlight Adds maximum in-flight request limits to agent join and p2p peer info request request handlers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-16 16:45:22 -04:00			`config := &server.Config{}`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00
			`if runtime == nil {`
			`// If we do not have an existing handler, set up a new listener`
Fix agent supervisor port using apiserver port instead Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-06-13 16:27:33 -04:00			`tcp, lerr := util.ListenWithLoopback(ctx, nodeConfig.AgentConfig.ListenAddress, strconv.Itoa(nodeConfig.SupervisorPort))`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`if lerr != nil {`
			`err = lerr`
			`return`
			`}`

			`serving := options.NewSecureServingOptions()`
			`serving.Listener = tcp`
			`serving.CipherSuites = nodeConfig.AgentConfig.CipherSuites`
			`serving.MinTLSVersion = nodeConfig.AgentConfig.MinTLSVersion`
			`serving.ServerCert = options.GeneratableKeyCert{`
			`CertKey: options.CertKey{`
			`CertFile: nodeConfig.AgentConfig.ServingKubeletCert,`
			`KeyFile: nodeConfig.AgentConfig.ServingKubeletKey,`
			`},`
			`}`
			`if aerr := serving.ApplyTo(&config.SecureServing); aerr != nil {`
			`err = aerr`
			`return`
			`}`
			`} else {`
			`// If we have an existing handler, wrap it`
			`router.NotFoundHandler = runtime.Handler`
			`runtime.Handler = router`
			`}`

Move delegating auth middleware into common package and add MaxInFlight Adds maximum in-flight request limits to agent join and p2p peer info request request handlers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-16 16:45:22 -04:00			`router.Use(auth.Delegated(nodeConfig.AgentConfig.ClientCA, nodeConfig.AgentConfig.KubeConfigKubelet, config))`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00
			`if config.SecureServing != nil {`
			`_, _, err = config.SecureServing.Serve(router, 0, ctx.Done())`
			`}`
			`})`

			`return router, err`
			`}`