-
Notifications
You must be signed in to change notification settings - Fork 84
OPRUN-4541,OPRUN-4544: add lifecycle-server for serving FBC catalog lifecycle metadata #1284
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
perdasilva
wants to merge
1
commit into
openshift:main
Choose a base branch
from
perdasilva:lifecycle-server
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
|
|
||
| "github.com/spf13/cobra" | ||
| ) | ||
|
|
||
| func main() { | ||
| rootCmd := &cobra.Command{ | ||
| Use: "lifecycle-server", | ||
| Short: "Lifecycle Metadata Server for OLM", | ||
| } | ||
|
|
||
| rootCmd.AddCommand(newStartCmd()) | ||
|
|
||
| if err := rootCmd.Execute(); err != nil { | ||
| fmt.Fprintf(os.Stderr, "error running lifecycle-server: %v\n", err) | ||
| os.Exit(1) | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,244 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "context" | ||
| "crypto/tls" | ||
| "errors" | ||
| "fmt" | ||
| "net/http" | ||
| "time" | ||
|
|
||
| "github.com/openshift/library-go/pkg/crypto" | ||
| "github.com/spf13/cobra" | ||
| "golang.org/x/sync/errgroup" | ||
| "k8s.io/client-go/rest" | ||
| ctrl "sigs.k8s.io/controller-runtime" | ||
| "sigs.k8s.io/controller-runtime/pkg/metrics/filters" | ||
|
|
||
| "k8s.io/klog/v2" | ||
|
|
||
| server "github.com/openshift/operator-framework-olm/pkg/lifecycle-server" | ||
| ) | ||
|
|
||
| const ( | ||
| defaultFBCPath = "/catalog/configs" | ||
| defaultListenAddr = ":8443" | ||
| defaultHealthAddr = ":8081" | ||
| defaultTLSCertPath = "/var/run/secrets/serving-cert/tls.crt" | ||
| defaultTLSKeyPath = "/var/run/secrets/serving-cert/tls.key" | ||
| shutdownTimeout = 10 * time.Second | ||
| readHeaderTimeout = 5 * time.Second | ||
| readTimeout = 10 * time.Second | ||
| writeTimeout = 30 * time.Second | ||
| idleTimeout = 120 * time.Second | ||
| ) | ||
|
|
||
| var ( | ||
| fbcPath string | ||
| listenAddr string | ||
| healthAddr string | ||
| tlsCertPath string | ||
| tlsKeyPath string | ||
| tlsMinVersionStr string | ||
| tlsCipherSuiteStrs []string | ||
| ) | ||
|
|
||
| // newStartCmd creates the "start" subcommand with all CLI flags. | ||
| func newStartCmd() *cobra.Command { | ||
| cmd := &cobra.Command{ | ||
| Use: "start", | ||
| Short: "Start the Lifecycle Server", | ||
| SilenceUsage: true, | ||
| RunE: run, | ||
| } | ||
|
|
||
| cmd.Flags().StringVar(&fbcPath, "fbc-path", defaultFBCPath, "path to FBC catalog data") | ||
| cmd.Flags().StringVar(&listenAddr, "listen", defaultListenAddr, "address to listen on for HTTPS API") | ||
| cmd.Flags().StringVar(&healthAddr, "health", defaultHealthAddr, "address to listen on for health checks") | ||
| cmd.Flags().StringVar(&tlsCertPath, "tls-cert", defaultTLSCertPath, "path to TLS certificate") | ||
| cmd.Flags().StringVar(&tlsKeyPath, "tls-key", defaultTLSKeyPath, "path to TLS private key") | ||
| cmd.Flags().StringVar(&tlsMinVersionStr, "tls-min-version", "", "minimum TLS version") | ||
| cmd.Flags().StringSliceVar(&tlsCipherSuiteStrs, "tls-cipher-suites", nil, "comma-separated list of cipher suites") | ||
|
|
||
| return cmd | ||
| } | ||
|
|
||
| // parseTLSFlags builds a tls.Config from the provided cert/key paths, minimum | ||
| // version, and cipher suite names. The returned config uses GetCertificate to | ||
| // reload the keypair on each handshake, supporting certificate rotation. | ||
| func parseTLSFlags(certPath, keyPath, minVersionStr string, cipherSuiteStrs []string) (*tls.Config, error) { | ||
| // Using a function to load the keypair each time means that we automatically pick up the new certificate when it reloads. | ||
| getCertificate := func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) { | ||
| cert, err := tls.LoadX509KeyPair(certPath, keyPath) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return &cert, nil | ||
| } | ||
| if _, err := getCertificate(nil); err != nil { | ||
| return nil, fmt.Errorf("unable to load TLS certificate: %v", err) | ||
| } | ||
|
|
||
| minVersion, err := crypto.TLSVersion(minVersionStr) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("invalid TLS minimum version: %s", minVersionStr) | ||
| } | ||
|
|
||
| var ( | ||
| cipherSuites []uint16 | ||
| cipherSuiteErrs []error | ||
| ) | ||
| for _, tlsCipherSuiteStr := range cipherSuiteStrs { | ||
| tlsCipherSuite, err := crypto.CipherSuite(tlsCipherSuiteStr) | ||
| if err != nil { | ||
| cipherSuiteErrs = append(cipherSuiteErrs, err) | ||
| } else { | ||
| cipherSuites = append(cipherSuites, tlsCipherSuite) | ||
| } | ||
| } | ||
| if len(cipherSuiteErrs) != 0 { | ||
| return nil, fmt.Errorf("invalid TLS cipher suites: %v", errors.Join(cipherSuiteErrs...)) | ||
| } | ||
|
|
||
| return &tls.Config{ | ||
| GetCertificate: getCertificate, | ||
| MinVersion: minVersion, | ||
| CipherSuites: cipherSuites, | ||
| }, nil | ||
| } | ||
|
|
||
| // run is the main entrypoint for the "start" command. It loads FBC data, | ||
| // sets up authn/authz, and starts the API and health servers. | ||
| func run(_ *cobra.Command, _ []string) error { | ||
| log := klog.NewKlogr() | ||
| log.Info("starting lifecycle-server") | ||
|
|
||
| tlsConfig, err := parseTLSFlags(tlsCertPath, tlsKeyPath, tlsMinVersionStr, tlsCipherSuiteStrs) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to parse tls flags: %w", err) | ||
| } | ||
|
|
||
| // Create Kubernetes client for authn/authz | ||
| restCfg := ctrl.GetConfigOrDie() | ||
| httpClient, err := rest.HTTPClientFor(restCfg) | ||
| if err != nil { | ||
| log.Error(err, "failed to create http client") | ||
| return err | ||
| } | ||
|
|
||
| authnzFilter, err := filters.WithAuthenticationAndAuthorization(restCfg, httpClient) | ||
| if err != nil { | ||
| log.Error(err, "failed to create authorization filter") | ||
| return err | ||
| } | ||
|
|
||
| // Load lifecycle data from FBC | ||
| log.Info("loading lifecycle data from FBC", "path", fbcPath) | ||
| data, err := server.LoadLifecycleData(fbcPath, log) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to load lifecycle data: %w", err) | ||
| } | ||
| log.Info("loaded lifecycle data", | ||
| "packageCount", data.CountPackages(), | ||
| "blobCount", data.CountBlobs(), | ||
| "versions", data.ListVersions(), | ||
| ) | ||
|
|
||
| // Create HTTP apiHandler with authn/authz middleware | ||
| baseHandler := server.NewHandler(data, log) | ||
| apiHandler, err := authnzFilter(log, baseHandler) | ||
| if err != nil { | ||
| log.Error(err, "failed to create api handler") | ||
| return err | ||
| } | ||
|
|
||
| // Create health handler (no auth required) | ||
| healthHandler := server.NewHealthHandler(data) | ||
|
|
||
| // Create servers | ||
| apiServer := cancelableServer{ | ||
| Server: &http.Server{ | ||
| Addr: listenAddr, | ||
| Handler: apiHandler, | ||
| TLSConfig: tlsConfig, | ||
| ReadHeaderTimeout: readHeaderTimeout, | ||
| ReadTimeout: readTimeout, | ||
| WriteTimeout: writeTimeout, | ||
| IdleTimeout: idleTimeout, | ||
| }, | ||
| ShutdownTimeout: shutdownTimeout, | ||
| } | ||
| healthServer := cancelableServer{ | ||
| Server: &http.Server{ | ||
| Addr: healthAddr, | ||
| Handler: healthHandler, | ||
| ReadHeaderTimeout: readHeaderTimeout, | ||
| ReadTimeout: readTimeout, | ||
| WriteTimeout: writeTimeout, | ||
| IdleTimeout: idleTimeout, | ||
| }, | ||
| ShutdownTimeout: shutdownTimeout, | ||
| } | ||
|
coderabbitai[bot] marked this conversation as resolved.
|
||
|
|
||
| eg, ctx := errgroup.WithContext(ctrl.SetupSignalHandler()) | ||
| eg.Go(func() error { | ||
| if err := apiServer.ListenAndServeTLS(ctx, "", ""); err != nil { | ||
| return fmt.Errorf("api server error: %w", err) | ||
| } | ||
| return nil | ||
| }) | ||
| eg.Go(func() error { | ||
| if err := healthServer.ListenAndServe(ctx); err != nil { | ||
| return fmt.Errorf("health server error: %w", err) | ||
| } | ||
| return nil | ||
| }) | ||
| return eg.Wait() | ||
| } | ||
|
|
||
| // cancelableServer wraps http.Server with context-aware listen methods | ||
| // that initiate graceful shutdown when the context is cancelled. | ||
| type cancelableServer struct { | ||
| *http.Server | ||
| ShutdownTimeout time.Duration | ||
| } | ||
|
|
||
| // ListenAndServe starts the server and shuts it down when ctx is cancelled. | ||
| func (s *cancelableServer) ListenAndServe(ctx context.Context) error { | ||
| return s.listenAndServe(ctx, | ||
| func() error { | ||
| return s.Server.ListenAndServe() | ||
| }, | ||
| s.Server.Shutdown, | ||
| ) | ||
| } | ||
| // ListenAndServeTLS starts the TLS server and shuts it down when ctx is cancelled. | ||
| func (s *cancelableServer) ListenAndServeTLS(ctx context.Context, certFile, keyFile string) error { | ||
| return s.listenAndServe(ctx, | ||
| func() error { | ||
| return s.Server.ListenAndServeTLS(certFile, keyFile) | ||
| }, | ||
| s.Server.Shutdown, | ||
| ) | ||
| } | ||
|
|
||
| // listenAndServe runs the server via runFunc and waits for either a server | ||
| // error or context cancellation, calling cancelFunc for graceful shutdown. | ||
| func (s *cancelableServer) listenAndServe(ctx context.Context, runFunc func() error, cancelFunc func(context.Context) error) error { | ||
| errChan := make(chan error, 1) | ||
| go func() { | ||
| errChan <- runFunc() | ||
| }() | ||
|
|
||
| select { | ||
| case err := <-errChan: | ||
| return err | ||
| case <-ctx.Done(): | ||
| shutdownCtx, cancel := context.WithTimeout(context.Background(), s.ShutdownTimeout) | ||
| defer cancel() | ||
| if err := cancelFunc(shutdownCtx); err != nil { | ||
| return err | ||
| } | ||
| return nil | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
You are viewing a condensed version of this merge commit. You can view the full changes here.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.