attest-provider/main.go

package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"time"

	"github.com/open-policy-agent/gatekeeper-external-data-provider/pkg/handler"
	"github.com/open-policy-agent/gatekeeper-external-data-provider/pkg/utils"

	"k8s.io/klog/v2"
)

const (
	handlerTimeout    = 15 * time.Second
	readHeaderTimeout = 1 * time.Second
)

const (
	defaultPort = 8090

	certName = "tls.crt"
	keyName  = "tls.key"
)

var (
	certDir      string
	clientCAFile string
	port         int
)

var timeoutError = string(utils.GatekeeperError("operation timed out"))

func init() {
	klog.InitFlags(nil)
	flag.StringVar(&certDir, "cert-dir", "", "path to directory containing TLS certificates")
	flag.StringVar(&clientCAFile, "client-ca-file", "", "path to client CA certificate")
	flag.IntVar(&port, "port", defaultPort, "Port for the server to listen on")
	flag.Parse()
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("POST /validate", http.TimeoutHandler(handler.Validate(), handlerTimeout, timeoutError))
	mux.Handle("POST /mutate", http.TimeoutHandler(handler.Mutate(), handlerTimeout, timeoutError))

	server := &http.Server{
		Addr:              fmt.Sprintf(":%d", port),
		Handler:           mux,
		ReadHeaderTimeout: readHeaderTimeout,
	}

	config := &tls.Config{
		MinVersion: tls.VersionTLS13,
	}
	if clientCAFile != "" {
		klog.InfoS("loading Gatekeeper's CA certificate", "clientCAFile", clientCAFile)
		caCert, err := os.ReadFile(clientCAFile)
		if err != nil {
			klog.ErrorS(err, "unable to load Gatekeeper's CA certificate", "clientCAFile", clientCAFile)
			os.Exit(1)
		}

		clientCAs := x509.NewCertPool()
		clientCAs.AppendCertsFromPEM(caCert)

		config.ClientCAs = clientCAs
		config.ClientAuth = tls.RequireAndVerifyClientCert
		server.TLSConfig = config
	}

	if certDir != "" {
		certFile := filepath.Join(certDir, certName)
		keyFile := filepath.Join(certDir, keyName)

		klog.InfoS("starting external data provider server", "port", port, "certFile", certFile, "keyFile", keyFile)
		if err := server.ListenAndServeTLS(certFile, keyFile); err != nil {
			klog.ErrorS(err, "unable to start external data provider server")
			os.Exit(1)
		}
	} else {
		klog.Error("TLS certificates are not provided, the server will not be started")
		os.Exit(1)
	}
}
Initial commit 2024-05-23 10:19:55 -05:00			`package main`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"flag"`
			`"fmt"`
			`"net/http"`
			`"os"`
			`"path/filepath"`
			`"time"`

			`"github.com/open-policy-agent/gatekeeper-external-data-provider/pkg/handler"`
Swap buggy timeout code for http.TimeoutHandler 2024-06-11 11:19:52 +01:00			`"github.com/open-policy-agent/gatekeeper-external-data-provider/pkg/utils"`
Initial commit 2024-05-23 10:19:55 -05:00
			`"k8s.io/klog/v2"`
			`)`

			`const (`
Use lower timeout for reading headers 2024-06-12 11:51:36 +01:00			`handlerTimeout = 15 * time.Second`
			`readHeaderTimeout = 1 * time.Second`
			`)`

			`const (`
Initial commit 2024-05-23 10:19:55 -05:00			`defaultPort = 8090`

			`certName = "tls.crt"`
			`keyName = "tls.key"`
			`)`

			`var (`
			`certDir string`
			`clientCAFile string`
			`port int`
			`)`

Swap buggy timeout code for http.TimeoutHandler 2024-06-11 11:19:52 +01:00			`var timeoutError = string(utils.GatekeeperError("operation timed out"))`

Initial commit 2024-05-23 10:19:55 -05:00			`func init() {`
			`klog.InitFlags(nil)`
			`flag.StringVar(&certDir, "cert-dir", "", "path to directory containing TLS certificates")`
			`flag.StringVar(&clientCAFile, "client-ca-file", "", "path to client CA certificate")`
			`flag.IntVar(&port, "port", defaultPort, "Port for the server to listen on")`
			`flag.Parse()`
			`}`

			`func main() {`
			`mux := http.NewServeMux()`
Add mutation for adding digest to image spec 2024-06-20 12:25:04 +01:00			`mux.Handle("POST /validate", http.TimeoutHandler(handler.Validate(), handlerTimeout, timeoutError))`
			`mux.Handle("POST /mutate", http.TimeoutHandler(handler.Mutate(), handlerTimeout, timeoutError))`
Initial commit 2024-05-23 10:19:55 -05:00
			`server := &http.Server{`
			`Addr: fmt.Sprintf(":%d", port),`
			`Handler: mux,`
Use lower timeout for reading headers 2024-06-12 11:51:36 +01:00			`ReadHeaderTimeout: readHeaderTimeout,`
Initial commit 2024-05-23 10:19:55 -05:00			`}`

			`config := &tls.Config{`
			`MinVersion: tls.VersionTLS13,`
			`}`
			`if clientCAFile != "" {`
			`klog.InfoS("loading Gatekeeper's CA certificate", "clientCAFile", clientCAFile)`
			`caCert, err := os.ReadFile(clientCAFile)`
			`if err != nil {`
			`klog.ErrorS(err, "unable to load Gatekeeper's CA certificate", "clientCAFile", clientCAFile)`
			`os.Exit(1)`
			`}`

			`clientCAs := x509.NewCertPool()`
			`clientCAs.AppendCertsFromPEM(caCert)`

			`config.ClientCAs = clientCAs`
			`config.ClientAuth = tls.RequireAndVerifyClientCert`
			`server.TLSConfig = config`
			`}`

			`if certDir != "" {`
			`certFile := filepath.Join(certDir, certName)`
			`keyFile := filepath.Join(certDir, keyName)`

			`klog.InfoS("starting external data provider server", "port", port, "certFile", certFile, "keyFile", keyFile)`
			`if err := server.ListenAndServeTLS(certFile, keyFile); err != nil {`
			`klog.ErrorS(err, "unable to start external data provider server")`
			`os.Exit(1)`
			`}`
			`} else {`
			`klog.Error("TLS certificates are not provided, the server will not be started")`
			`os.Exit(1)`
			`}`
			`}`