Merge pull request #103 from zhuje/OU-539-reload-cert

OU-539: Dynamically Reload Certificates

Author: openshift-merge-bot[bot]

cmd/plugin-backend.go

@@ -18,7 +18,7 @@ var (
 	staticPathArg   = flag.String("static-path", "", "static files path to serve frontend (default: './web/dist')")
 	configPathArg   = flag.String("config-path", "", "config files path (default: './config')")
 	pluginConfigArg = flag.String("plugin-config-path", "", "plugin yaml configuration")
-	logLevelArg     = flag.String("log-level", "error", "verbosity of logs\noptions: ['panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace']\n'trace' level will log all incoming requests\n(default 'error')")
+	logLevelArg     = flag.String("log-level", logrus.InfoLevel.String(), "verbosity of logs\noptions: ['panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace']\n'trace' level will log all incoming requests\n(default 'error')")
 	log             = logrus.WithField("module", "main")
 )
 
@@ -32,14 +32,21 @@ func main() {
 	staticPath := mergeEnvValue("TROUBLESHOOTING_PANEL_CONSOLE_PLUGIN_STATIC_PATH", *staticPathArg, "opt/app-root/web/dist")
 	configPath := mergeEnvValue("TROUBLESHOOTING_PANEL_CONSOLE_PLUGIN_MANIFEST_CONFIG_PATH", *configPathArg, "opt/app-root/web/dist")
 	pluginConfigPath := mergeEnvValue("TROUBLESHOOTING_PANEL_CONSOLE_PLUGIN_CONFIG_PATH", *pluginConfigArg, "/etc/plugin/config.yaml")
-	logLevel := mergeEnvValue("TROUBLESHOOTING_PANEL_CONSOLE_PLUGIN_LOG_LEVEL", *logLevelArg, "error")
+	logLevel := mergeEnvValue("TROUBLESHOOTING_PANEL_CONSOLE_PLUGIN_LOG_LEVEL", *logLevelArg, logrus.InfoLevel.String())
 	featuresList := strings.Fields(strings.Join(strings.Split(strings.ToLower(features), ","), " "))
 
 	featuresSet := make(map[string]bool)
 	for _, s := range featuresList {
 		featuresSet[s] = true
 	}
 
+	logrusLevel, err := logrus.ParseLevel(logLevel)
+	if err != nil {
+		logrusLevel = logrus.ErrorLevel
+		logrus.WithError(err).Warnf("Invalid log level. Defaulting to %q", logrusLevel.String())
+	}
+	logrus.SetLevel(logrusLevel)
+
 	log.Infof("enabled features: %+q\n", featuresList)
 
 	server.Start(&server.Config{
@@ -50,7 +57,6 @@ func main() {
 		StaticPath:       staticPath,
 		ConfigPath:       configPath,
 		PluginConfigPath: pluginConfigPath,
-		LogLevel:         logLevel,
 	})
 }
 

pkg/server.go

@@ -14,7 +14,10 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/record"
 )
 
 var log = logrus.WithField("module", "server")
@@ -27,7 +30,6 @@ type Config struct {
 	StaticPath       string
 	ConfigPath       string
 	PluginConfigPath string
-	LogLevel         string
 }
 
 type PluginConfig struct {
@@ -60,33 +62,42 @@ func Start(cfg *Config) {
 
 	tlsEnabled := cfg.CertFile != "" && cfg.PrivateKeyFile != ""
 	if tlsEnabled {
+		ctx := context.Background()
 		// Build and run the controller which reloads the certificate and key
 		// files whenever they change.
 		certKeyPair, err := dynamiccertificates.NewDynamicServingContentFromFiles("serving-cert", cfg.CertFile, cfg.PrivateKeyFile)
 		if err != nil {
-			logrus.WithError(err).Fatal("unable to create TLS controller")
+			log.WithError(err).Fatal("unable to create TLS controller")
+		}
+
+		if err := certKeyPair.RunOnce(ctx); err != nil {
+			log.WithError(err).Fatal("failed to initialize cert/key content")
 		}
+
+		eventBroadcaster := record.NewBroadcaster()
+		eventBroadcaster.StartLogging(func(format string, args ...interface{}) {
+			log.Infof(format, args...)
+		})
+
 		ctrl := dynamiccertificates.NewDynamicServingCertificateController(
 			tlsConfig,
 			nil,
 			certKeyPair,
 			nil,
-			nil,
+			record.NewEventRecorderAdapter(
+				eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "troubleshooting-panel-console-plugin"}),
+			),
 		)
 
-		// Check that the cert and key files are valid.
-		if err := ctrl.RunOnce(); err != nil {
-			logrus.WithError(err).Fatal("invalid certificate/key files")
-		}
+		// Configure the server to use the cert/key pair for all client connections.
+		tlsConfig.GetConfigForClient = ctrl.GetConfigForClient
+
+		// Notify cert/key file changes to the controller.
+		certKeyPair.AddListener(ctrl)
 
-		ctx := context.Background()
 		go ctrl.Run(1, ctx.Done())
-	}
+		go certKeyPair.Run(ctx, 1)
 
-	logrusLevel, err := logrus.ParseLevel(cfg.LogLevel)
-	if err != nil {
-		logrus.WithError(err).Fatal("unable to set the log level")
-		logrusLevel = logrus.ErrorLevel
 	}
 
 	httpServer := &http.Server{
@@ -97,18 +108,16 @@ func Start(cfg *Config) {
 		WriteTimeout: timeout,
 	}
 
-	if logrusLevel == logrus.TraceLevel {
+	if logrus.GetLevel() == logrus.TraceLevel {
 		loggedRouter := handlers.LoggingHandler(log.Logger.Out, router)
 		httpServer.Handler = loggedRouter
 	}
 
 	if tlsEnabled {
-		log.Infof("listening on https://:%d", cfg.Port)
-		logrus.SetLevel(logrusLevel)
+		log.Infof("listening for https on %s", httpServer.Addr)
 		panic(httpServer.ListenAndServeTLS(cfg.CertFile, cfg.PrivateKeyFile))
 	} else {
-		log.Infof("listening on http://:%d", cfg.Port)
-		logrus.SetLevel(logrusLevel)
+		log.Infof("listening for http on %s", httpServer.Addr)
 		panic(httpServer.ListenAndServe())
 	}
 }