k3s/pkg/agent/https/https.go

package https

import (
	"context"
	"strconv"
	"sync"

	"github.com/gorilla/mux"
	"github.com/k3s-io/k3s/pkg/daemons/config"
	"github.com/k3s-io/k3s/pkg/server/auth"
	"github.com/k3s-io/k3s/pkg/util"
	"k8s.io/apiserver/pkg/server"
	"k8s.io/apiserver/pkg/server/options"
)

// RouterFunc provides a hook for components to register additional routes to a request router
type RouterFunc func(ctx context.Context, nodeConfig *config.Node) (*mux.Router, error)

var once sync.Once
var router *mux.Router
var err error

// Start returns a router with authn/authz filters applied.
// The first time it is called, the router is created and a new HTTPS listener is started if the handler is nil.
// Subsequent calls will return the same router.
func Start(ctx context.Context, nodeConfig *config.Node, runtime *config.ControlRuntime) (*mux.Router, error) {
	once.Do(func() {
		router = mux.NewRouter().SkipClean(true)
		config := &server.Config{}

		if runtime == nil {
			// If we do not have an existing handler, set up a new listener
			tcp, lerr := util.ListenWithLoopback(ctx, nodeConfig.AgentConfig.ListenAddress, strconv.Itoa(nodeConfig.SupervisorPort))
			if lerr != nil {
				err = lerr
				return
			}

			serving := options.NewSecureServingOptions()
			serving.Listener = tcp
			serving.CipherSuites = nodeConfig.AgentConfig.CipherSuites
			serving.MinTLSVersion = nodeConfig.AgentConfig.MinTLSVersion
			serving.ServerCert = options.GeneratableKeyCert{
				CertKey: options.CertKey{
					CertFile: nodeConfig.AgentConfig.ServingKubeletCert,
					KeyFile:  nodeConfig.AgentConfig.ServingKubeletKey,
				},
			}
			if aerr := serving.ApplyTo(&config.SecureServing); aerr != nil {
				err = aerr
				return
			}
		} else {
			// If we have an existing handler, wrap it
			router.NotFoundHandler = runtime.Handler
			runtime.Handler = router
		}

		router.Use(auth.RequestInfo(), auth.Delegated(nodeConfig.AgentConfig.ClientCA, nodeConfig.AgentConfig.KubeConfigKubelet, config))

		if config.SecureServing != nil {
			_, _, err = config.SecureServing.Serve(router, 0, ctx.Done())
		}
	})

	return router, err
}
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`package https`

			`import (`
			`"context"`
			`"strconv"`
			`"sync"`

			`"github.com/gorilla/mux"`
			`"github.com/k3s-io/k3s/pkg/daemons/config"`
Move delegating auth middleware into common package and add MaxInFlight Adds maximum in-flight request limits to agent join and p2p peer info request request handlers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-16 16:45:22 -04:00			`"github.com/k3s-io/k3s/pkg/server/auth"`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`"github.com/k3s-io/k3s/pkg/util"`
			`"k8s.io/apiserver/pkg/server"`
			`"k8s.io/apiserver/pkg/server/options"`
			`)`

			`// RouterFunc provides a hook for components to register additional routes to a request router`
			`type RouterFunc func(ctx context.Context, nodeConfig config.Node) (mux.Router, error)`

			`var once sync.Once`
			`var router *mux.Router`
			`var err error`

			`// Start returns a router with authn/authz filters applied.`
			`// The first time it is called, the router is created and a new HTTPS listener is started if the handler is nil.`
			`// Subsequent calls will return the same router.`
			`func Start(ctx context.Context, nodeConfig config.Node, runtime config.ControlRuntime) (*mux.Router, error) {`
			`once.Do(func() {`
			`router = mux.NewRouter().SkipClean(true)`
Move delegating auth middleware into common package and add MaxInFlight Adds maximum in-flight request limits to agent join and p2p peer info request request handlers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-16 16:45:22 -04:00			`config := &server.Config{}`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00
			`if runtime == nil {`
			`// If we do not have an existing handler, set up a new listener`
Fix agent supervisor port using apiserver port instead Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-06-13 16:27:33 -04:00			`tcp, lerr := util.ListenWithLoopback(ctx, nodeConfig.AgentConfig.ListenAddress, strconv.Itoa(nodeConfig.SupervisorPort))`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00			`if lerr != nil {`
			`err = lerr`
			`return`
			`}`

			`serving := options.NewSecureServingOptions()`
			`serving.Listener = tcp`
			`serving.CipherSuites = nodeConfig.AgentConfig.CipherSuites`
			`serving.MinTLSVersion = nodeConfig.AgentConfig.MinTLSVersion`
			`serving.ServerCert = options.GeneratableKeyCert{`
			`CertKey: options.CertKey{`
			`CertFile: nodeConfig.AgentConfig.ServingKubeletCert,`
			`KeyFile: nodeConfig.AgentConfig.ServingKubeletKey,`
			`},`
			`}`
			`if aerr := serving.ApplyTo(&config.SecureServing); aerr != nil {`
			`err = aerr`
			`return`
			`}`
			`} else {`
			`// If we have an existing handler, wrap it`
			`router.NotFoundHandler = runtime.Handler`
			`runtime.Handler = router`
			`}`

Fix handler panic when bootstrapper returned empty peer list Panic gets rescued by the http server, and was only visible when running in debug mode, but should be handled properly. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2025-04-18 03:55:58 -04:00			`router.Use(auth.RequestInfo(), auth.Delegated(nodeConfig.AgentConfig.ClientCA, nodeConfig.AgentConfig.KubeConfigKubelet, config))`
Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2024-04-24 21:02:05 -04:00
			`if config.SecureServing != nil {`
			`_, _, err = config.SecureServing.Serve(router, 0, ctx.Done())`
			`}`
			`})`

			`return router, err`
			`}`