Merge pull request #272 from k8stopologyawareschedwg/backport-fixes-0.18

[release-0.18][manual] Backport fixes to branch 0.18

.github/workflows/e2e.yml

@@ -18,6 +18,7 @@ jobs:
       E2E_TOPOLOGY_MANAGER_POLICY: single-numa-node
       E2E_TOPOLOGY_MANAGER_SCOPE: container
       RTE_CONTAINER_IMAGE: quay.io/k8stopologyawarewg/resource-topology-exporter:ci
+      RTE_METRICS_CLI_AUTH: false
       RTE_METRICS_MODE: http
       RTE_POLL_INTERVAL: 10s
       RTE_VERBOSE: 4
@@ -49,6 +50,7 @@ jobs:
     - name: generate manifests
       run: |
         RTE_CONTAINER_IMAGE=${RTE_CONTAINER_IMAGE} \
+        RTE_METRICS_CLI_AUTH=${RTE_METRICS_CLI_AUTH} \
         RTE_METRICS_MODE=${RTE_METRICS_MODE} \
         RTE_POLL_INTERVAL=${RTE_POLL_INTERVAL} \
         RTE_VERBOSE=${RTE_VERBOSE} \
@@ -103,6 +105,7 @@ jobs:
       E2E_TOPOLOGY_MANAGER_POLICY: single-numa-node
       E2E_TOPOLOGY_MANAGER_SCOPE: container
       RTE_CONTAINER_IMAGE: quay.io/k8stopologyawarewg/resource-topology-exporter:ci
+      RTE_METRICS_CLI_AUTH: false
       RTE_METRICS_MODE: httptls
       RTE_POLL_INTERVAL: 10s
       RTE_VERBOSE: 6
@@ -134,6 +137,7 @@ jobs:
     - name: generate manifests
       run: |
         RTE_CONTAINER_IMAGE=${RTE_CONTAINER_IMAGE} \
+        RTE_METRICS_CLI_AUTH=${RTE_METRICS_CLI_AUTH} \
         RTE_METRICS_MODE=${RTE_METRICS_MODE} \
         RTE_POLL_INTERVAL=${RTE_POLL_INTERVAL} \
         RTE_VERBOSE=${RTE_VERBOSE} \

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/google/go-cmp v0.6.0
-	github.com/jaypipes/ghw v0.9.0
+	github.com/jaypipes/ghw v0.12.0
 	github.com/jeremywohl/flatten/v2 v2.0.0-20211013061545-07e4a09fb8e4
 	github.com/k8stopologyawareschedwg/noderesourcetopology-api v0.1.1
 	github.com/k8stopologyawareschedwg/podfingerprint v0.2.2

go.sum

@@ -863,11 +863,10 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jaypipes/ghw v0.9.0 h1:TWF4wNIGtZcgDJaiNcFgby5BR8s2ixcUe0ydxNO2McY=
-github.com/jaypipes/ghw v0.9.0/go.mod h1:dXMo19735vXOjpIBDyDYSp31sB2u4hrtRCMxInqQ64k=
+github.com/jaypipes/ghw v0.12.0 h1:xU2/MDJfWmBhJnujHY9qwXQLs3DBsf0/Xa9vECY0Tho=
+github.com/jaypipes/ghw v0.12.0/go.mod h1:jeJGbkRB2lL3/gxYzNYzEDETV1ZJ56OKr+CSeSEym+g=
 github.com/jaypipes/pcidb v1.0.0 h1:vtZIfkiCUE42oYbJS0TAq9XSfSmcsgo9IdxSm9qzYU8=
 github.com/jaypipes/pcidb v1.0.0/go.mod h1:TnYUvqhPBzCKnH34KrIX22kAeEbDCSRJ9cqLRCuNDfk=
 github.com/jeremywohl/flatten/v2 v2.0.0-20211013061545-07e4a09fb8e4 h1:eA9wi6ZzpIRobvXkn/S2Lyw1hr2pc71zxzOPl7Xjs4w=
@@ -918,7 +917,6 @@ github.com/mdomke/git-semver v1.0.0 h1:cg/a+bI/D2EtPWlx4pKSUKz9G9bTOHEBdF2EjbV0b
 github.com/mdomke/git-semver v1.0.0/go.mod h1:fNw8giSaJDzhF/Gvxe7JSZJVDlkRR+/a8y1b3g6SGZ8=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
@@ -1021,10 +1019,8 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

hack/get-manifests.sh

@@ -9,5 +9,6 @@ export RTE_CONTAINER_IMAGE=${RTE_CONTAINER_IMAGE:-quay.io/${REPOOWNER}/${IMAGENA
 export RTE_POLL_INTERVAL="${RTE_POLL_INTERVAL:-60s}"
 export RTE_VERBOSE="${RTE_VERBOSE:-5}"
 export RTE_METRICS_MODE="${RTE_METRICS_MODE:-disabled}"
+export RTE_METRICS_CLI_AUTH="${RTE_METRICS_CLI_AUTH:-true}"
 export METRICS_PORT="${METRICS_PORT:-2112}"
 envsubst < ${DIRNAME}/../manifests/resource-topology-exporter.yaml

manifests/resource-topology-exporter.yaml

@@ -64,6 +64,7 @@ data:
       podReadinessEnable: true
       metricsTLS:
         certsDir: /etc/secrets/rte
+        wantCliAuth: true
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -91,6 +92,7 @@ spec:
           - --dump-config=.log
           - --sleep-interval=${RTE_POLL_INTERVAL}
           - --metrics-mode=${RTE_METRICS_MODE}
+          - --metrics-want-cli-auth=${RTE_METRICS_CLI_AUTH}
           - --sysfs=/host-sys
           - --kubelet-config-file=/host-var/lib/kubelet/config.yaml
           - --podresources-socket=unix:///host-var/lib/kubelet/pod-resources/kubelet.sock

pkg/config/cfgdispatch.go

@@ -129,6 +129,7 @@ func dispatchConfObj(obj map[string]interface{}, pArgs *ProgArgs) error {
 		{key: "topologyExporter.metricsTLS.certsDir", out: &pArgs.RTE.MetricsTLSCfg.CertsDir},
 		{key: "topologyExporter.metricsTLS.certFile", out: &pArgs.RTE.MetricsTLSCfg.CertFile},
 		{key: "topologyExporter.metricsTLS.keyFile", out: &pArgs.RTE.MetricsTLSCfg.KeyFile},
+		{key: "topologyExporter.metricsTLS.wantCliAuth", out: &pArgs.RTE.MetricsTLSCfg.WantCliAuth},
 	}
 
 	for _, cb := range cbs {

pkg/config/flags.go

@@ -66,6 +66,7 @@ func FromFlags(pArgs *ProgArgs, args ...string) (string, string, error) {
 	flags.StringVar(&pArgs.RTE.MetricsTLSCfg.CertsDir, "metrics-certs-dir", pArgs.RTE.MetricsTLSCfg.CertsDir, "certificates directory for TLS metrics serving")
 	flags.StringVar(&pArgs.RTE.MetricsTLSCfg.CertFile, "metrics-cert-file", pArgs.RTE.MetricsTLSCfg.CertFile, "certificate file name for TLS metrics serving")
 	flags.StringVar(&pArgs.RTE.MetricsTLSCfg.KeyFile, "metrics-key-file", pArgs.RTE.MetricsTLSCfg.KeyFile, "key file name for TLS metrics serving")
+	flags.BoolVar(&pArgs.RTE.MetricsTLSCfg.WantCliAuth, "metrics-want-cli-auth", pArgs.RTE.MetricsTLSCfg.WantCliAuth, "Toggle if client certificate and authentication is required")
 
 	flags.StringVar(&refCnt, "reference-container", pArgs.RTE.ReferenceContainer.String(), "Reference container, used to learn about the shared cpu pool\n See: https://github.com/kubernetes/kubernetes/issues/102190\n format of spec is namespace/podname/containername.\n Alternatively, you can use the env vars REFERENCE_NAMESPACE, REFERENCE_POD_NAME, REFERENCE_CONTAINER_NAME.")
 

pkg/metrics/server/setup.go

@@ -18,6 +18,7 @@ package metrics
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"os"
 	"strconv"
@@ -52,9 +53,10 @@ func NewDefaultTLSConfig() TLSConfig {
 }
 
 type TLSConfig struct {
-	CertsDir string `json:"certsDir,omitempty"`
-	CertFile string `json:"certFile,omitempty"`
-	KeyFile  string `json:"keyFile,omitempty"`
+	CertsDir    string `json:"certsDir,omitempty"`
+	CertFile    string `json:"certFile,omitempty"`
+	KeyFile     string `json:"keyFile,omitempty"`
+	WantCliAuth bool   `json:"wantCliAuth,omitempty"`
 }
 
 type Config struct {
@@ -154,6 +156,9 @@ func Setup(mode string, conf Config) error {
 		CertDir:       conf.TLS.CertsDir,
 		CertName:      conf.TLS.CertFile,
 		KeyName:       conf.TLS.KeyFile,
+		TLSOpts: []func(*tls.Config){
+			WithClientAuth(conf.TLS.WantCliAuth),
+		},
 	}
 	srv, err := ctrlmetricssrv.NewServer(opts, nil, nil)
 	if err != nil {
@@ -171,3 +176,15 @@ func Setup(mode string, conf Config) error {
 
 	return nil
 }
+
+func WithClientAuth(cliAuth bool) func(tlscfg *tls.Config) {
+	return func(tlscfg *tls.Config) {
+		if !cliAuth {
+			tlscfg.ClientAuth = tls.NoClientCert
+			klog.InfoS("metrics server configuration", "client authentication", "disabled")
+			return
+		}
+		tlscfg.ClientAuth = tls.RequireAndVerifyClientCert
+		klog.InfoS("metrics server configuration", "client authentication", "enabled")
+	}
+}