
Support upstream via unix socket #209

Open. Wants to merge 1 commit into base: master.

Conversation

alebedev87 commented Nov 16, 2022

Add support for proxying to the upstream via a unix socket. This may help to reduce the number of ports occupied by the POD which uses kube-rbac-proxy (e.g. when the POD uses hostNetwork).

Test PR whose e2e targets a POD's container endpoint via kube-rbac-proxy: openshift/node-observability-operator#113

Manual test:

# start upstream which listens on unix socket
$ ./bin/node-observability-agent -unixSocket /tmp/nobagent.sock -preferUnixSocket -crioPreferUnixSocket=false -caCertFile=kubelet.crt -tokenFile=token
INFO[0000] Starting node-observability-agent version: "v0.0.0-unknown", commit: "da7d110", build date: "2022-11-16T09:16:10Z", go version: "go1.19.2", GOOS: "linux", GOARCH: "amd64" at log level info 
INFO[0000] Start listening on unix:///tmp/nobagent.sock  module=server
INFO[0000] Targeting node 192.168.130.11                 module=server

$ sudo ss -lxp | grep node
u_str LISTEN 0      128                                                                /tmp/nobagent.sock 297621            * 0      users:(("node-observabil",pid=95712,fd=3)) 

# start kube-rbac-proxy
$ ./_output/kube-rbac-proxy --kubeconfig=/home/alebedev/.crc/machines/crc/kubeconfig --upstream-unix-socket=/tmp/nobagent.sock --secure-listen-address=0.0.0.0:8443 --tls-cert-file=tls.crt --tls-private-key-file=tls.key
I1116 10:52:57.726306   95991 main.go:209] Valid token audiences: 
I1116 10:52:57.726524   95991 main.go:355] Reading certificate files
I1116 10:52:57.726751   95991 main.go:389] Starting TCP socket on 0.0.0.0:8443
I1116 10:52:57.734420   95991 main.go:396] Listening securely on 0.0.0.0:8443

# send request via proxy
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:8443/node-observability-status
Service is ready

# see the logs of the upstream to verify it got the request
$ ./bin/node-observability-agent -unixSocket /tmp/nobagent.sock -preferUnixSocket -crioPreferUnixSocket=false -caCertFile=kubelet.crt -tokenFile=token
INFO[0000] Starting node-observability-agent version: "v0.0.0-unknown", commit: "da7d110", build date: "2022-11-16T09:16:10Z", go version: "go1.19.2", GOOS: "linux", GOARCH: "amd64" at log level info 
INFO[0000] Start listening on unix:///tmp/nobagent.sock  module=server
INFO[0000] Targeting node 192.168.130.11                 module=server
INFO[0100] start handling status request                 module=handler
INFO[0100] agent is ready                                module=handler
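
As an added illustration (not code from this PR or from kube-rbac-proxy), the core of an "upstream over unix socket" option in Go: a reverse proxy whose transport dials a socket path instead of a TCP address, exercised end to end against a constructed upstream that answers "Service is ready" like the agent in the transcript above. Function names, the temp-dir socket path and the echoed path suffix are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"os"
)

// newUnixSocketProxy builds a reverse proxy whose upstream is reached over the
// unix socket at socketPath. The "unix" host in the URL is only a placeholder:
// DialContext ignores the address it is handed and always dials the socket.
func newUnixSocketProxy(socketPath string) *httputil.ReverseProxy {
	upstream, _ := url.Parse("http://unix")
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.Transport = &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", socketPath)
		},
	}
	return proxy
}

// roundTrip runs the flow end to end: a constructed upstream on a socket in a
// temp dir, the proxy in front of it, one GET for path through the proxy.
// It returns the status code and body the proxy handed back to the client.
func roundTrip(path string) (int, string, error) {
	dir, err := os.MkdirTemp("", "sockproxy")
	if err != nil {
		return 0, "", err
	}
	defer os.RemoveAll(dir)
	ln, err := net.Listen("unix", dir+"/upstream.sock")
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Service is ready (%s)", r.URL.Path) // constructed upstream reply
	}))
	rec := httptest.NewRecorder()
	newUnixSocketProxy(ln.Addr().String()).ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code, rec.Body.String(), nil
}
```

With the upstream on a socket, no TCP port is opened for that hop; what keeps clients from bypassing the authenticating proxy and talking to the upstream directly is the ownership and mode of the socket file and its directory, so those deserve the same review as the listen address did.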

ibihim (Collaborator) commented Nov 28, 2022

Sorry, I was busy. I will try to take a look this week.

alebedev87 (Author) commented:

Fixed merge conflicts; there were quite some changes in main.go and transport.go.

ibihim (Collaborator) commented May 31, 2023

Firstly, I want to apologize for the delayed response on this.

We value your contribution and think that this feature could be beneficial. However, we're currently in the midst of the k8s sig-auth acceptance process, and adding any new features at this stage could increase the workload on our reviewers.

Once we complete the acceptance process, we would love to revisit your feature. If you're okay with this, we will reach back out to you at that time.

We appreciate your understanding and look forward to your continued contributions. Thank you for your efforts!
