From f46d396deb4d4659875b1884b36285b82c13b14b Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Thu, 21 Nov 2024 10:18:03 +0000 Subject: [PATCH] Pass the context to the Venafi clients Add the client-go debug round tripper to the venafi clients Signed-off-by: Richard Wall --- pkg/agent/run.go | 16 +++------------- pkg/client/client.go | 7 ++++--- pkg/client/client_api_token.go | 19 +++++++++++------- pkg/client/client_oauth.go | 32 ++++++++++++++++++------------- pkg/client/client_venafi_cloud.go | 27 +++++++++++++++----------- pkg/client/client_venconn.go | 15 ++++++++------- 6 files changed, 62 insertions(+), 54 deletions(-) diff --git a/pkg/agent/run.go b/pkg/agent/run.go index 54832dbe..2a00a3d5 100644 --- a/pkg/agent/run.go +++ b/pkg/agent/run.go @@ -148,7 +148,6 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) { if err != nil { return fmt.Errorf("failed to start a controller-runtime component: %v", err) } - // The agent must stop if the controller-runtime component stops. cancel() return nil @@ -231,8 +230,6 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) { // If any of the go routines exit (with nil or error) the main context will // be cancelled, which will cause this blocking loop to exit // instead of waiting for the time period. - // TODO(wallrj): Pass a context to gatherAndOutputData, so that we don't - // have to wait for it to finish before exiting the process. for { if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, dataGatherers); err != nil { return err @@ -397,9 +394,7 @@ func postData(ctx context.Context, config CombinedConfig, preflightClient client if config.AuthMode == VenafiCloudKeypair || config.AuthMode == VenafiCloudVenafiConnection { // orgID and clusterID are not required for Venafi Cloud auth - // TODO(wallrj): Pass the context to PostDataReadingsWithOptions, so - // that its network operations can be cancelled. - err := preflightClient.PostDataReadingsWithOptions(readings, client.Options{ + err := preflightClient.PostDataReadingsWithOptions(ctx, readings, client.Options{ ClusterName: config.ClusterID, ClusterDescription: config.ClusterDescription, }) @@ -427,10 +422,7 @@ func postData(ctx context.Context, config CombinedConfig, preflightClient client if path == "" { path = "/api/v1/datareadings" } - // TODO(wallrj): Pass the context to Post, so that its network - // operations can be cancelled. - res, err := preflightClient.Post(path, bytes.NewBuffer(data)) - + res, err := preflightClient.Post(ctx, path, bytes.NewBuffer(data)) if err != nil { return fmt.Errorf("failed to post data: %+v", err) } @@ -453,9 +445,7 @@ func postData(ctx context.Context, config CombinedConfig, preflightClient client return fmt.Errorf("post to server failed: missing clusterID from agent configuration") } - // TODO(wallrj): Pass the context to PostDataReadings, so - // that its network operations can be cancelled. - err := preflightClient.PostDataReadings(config.OrganizationID, config.ClusterID, readings) + err := preflightClient.PostDataReadings(ctx, config.OrganizationID, config.ClusterID, readings) if err != nil { return fmt.Errorf("post to server failed: %+v", err) } diff --git a/pkg/client/client.go b/pkg/client/client.go index fef5be65..fea102bb 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go @@ -1,6 +1,7 @@ package client import ( + "context" "fmt" "io" "net/http" @@ -29,9 +30,9 @@ type ( // The Client interface describes types that perform requests against the Jetstack Secure backend. Client interface { - PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error - PostDataReadingsWithOptions(readings []*api.DataReading, options Options) error - Post(path string, body io.Reader) (*http.Response, error) + PostDataReadings(ctx context.Context, orgID, clusterID string, readings []*api.DataReading) error + PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, options Options) error + Post(ctx context.Context, path string, body io.Reader) (*http.Response, error) } // The Credentials interface describes methods for credential types to implement for verification. diff --git a/pkg/client/client_api_token.go b/pkg/client/client_api_token.go index 2ee04cb1..33588d34 100644 --- a/pkg/client/client_api_token.go +++ b/pkg/client/client_api_token.go @@ -2,6 +2,7 @@ package client import ( "bytes" + "context" "encoding/json" "fmt" "io" @@ -10,6 +11,7 @@ import ( "time" "github.com/jetstack/preflight/api" + "k8s.io/client-go/transport" ) type ( @@ -34,19 +36,22 @@ func NewAPITokenClient(agentMetadata *api.AgentMetadata, apiToken, baseURL strin apiToken: apiToken, agentMetadata: agentMetadata, baseURL: baseURL, - client: &http.Client{Timeout: time.Minute}, + client: &http.Client{ + Timeout: time.Minute, + Transport: transport.DebugWrappers(http.DefaultTransport), + }, }, nil } // PostDataReadingsWithOptions uploads the slice of api.DataReading to the Jetstack Secure backend to be processed for later // viewing in the user-interface. -func (c *APITokenClient) PostDataReadingsWithOptions(readings []*api.DataReading, opts Options) error { - return c.PostDataReadings(opts.OrgID, opts.ClusterID, readings) +func (c *APITokenClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error { + return c.PostDataReadings(ctx, opts.OrgID, opts.ClusterID, readings) } // PostDataReadings uploads the slice of api.DataReading to the Jetstack Secure backend to be processed for later // viewing in the user-interface. -func (c *APITokenClient) PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error { +func (c *APITokenClient) PostDataReadings(ctx context.Context, orgID, clusterID string, readings []*api.DataReading) error { payload := api.DataReadingsPost{ AgentMetadata: c.agentMetadata, DataGatherTime: time.Now().UTC(), @@ -57,7 +62,7 @@ func (c *APITokenClient) PostDataReadings(orgID, clusterID string, readings []*a return err } - res, err := c.Post(filepath.Join("/api/v1/org", orgID, "datareadings", clusterID), bytes.NewBuffer(data)) + res, err := c.Post(ctx, filepath.Join("/api/v1/org", orgID, "datareadings", clusterID), bytes.NewBuffer(data)) if err != nil { return err } @@ -77,8 +82,8 @@ func (c *APITokenClient) PostDataReadings(orgID, clusterID string, readings []*a } // Post performs an HTTP POST request. -func (c *APITokenClient) Post(path string, body io.Reader) (*http.Response, error) { - req, err := http.NewRequest(http.MethodPost, fullURL(c.baseURL, path), body) +func (c *APITokenClient) Post(ctx context.Context, path string, body io.Reader) (*http.Response, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodPost, fullURL(c.baseURL, path), body) if err != nil { return nil, err } diff --git a/pkg/client/client_oauth.go b/pkg/client/client_oauth.go index 89aca601..9c5ceff6 100644 --- a/pkg/client/client_oauth.go +++ b/pkg/client/client_oauth.go @@ -2,6 +2,7 @@ package client import ( "bytes" + "context" "encoding/json" "fmt" "io" @@ -13,6 +14,7 @@ import ( "github.com/hashicorp/go-multierror" "github.com/pkg/errors" + "k8s.io/client-go/transport" "github.com/jetstack/preflight/api" ) @@ -93,17 +95,20 @@ func NewOAuthClient(agentMetadata *api.AgentMetadata, credentials *OAuthCredenti credentials: credentials, baseURL: baseURL, accessToken: &accessToken{}, - client: &http.Client{Timeout: time.Minute}, + client: &http.Client{ + Timeout: time.Minute, + Transport: transport.DebugWrappers(http.DefaultTransport), + }, }, nil } -func (c *OAuthClient) PostDataReadingsWithOptions(readings []*api.DataReading, opts Options) error { - return c.PostDataReadings(opts.OrgID, opts.ClusterID, readings) +func (c *OAuthClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error { + return c.PostDataReadings(ctx, opts.OrgID, opts.ClusterID, readings) } // PostDataReadings uploads the slice of api.DataReading to the Jetstack Secure backend to be processed for later // viewing in the user-interface. -func (c *OAuthClient) PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error { +func (c *OAuthClient) PostDataReadings(ctx context.Context, orgID, clusterID string, readings []*api.DataReading) error { payload := api.DataReadingsPost{ AgentMetadata: c.agentMetadata, DataGatherTime: time.Now().UTC(), @@ -114,7 +119,7 @@ func (c *OAuthClient) PostDataReadings(orgID, clusterID string, readings []*api. return err } - res, err := c.Post(filepath.Join("/api/v1/org", orgID, "datareadings", clusterID), bytes.NewBuffer(data)) + res, err := c.Post(ctx, filepath.Join("/api/v1/org", orgID, "datareadings", clusterID), bytes.NewBuffer(data)) if err != nil { return err } @@ -134,13 +139,13 @@ func (c *OAuthClient) PostDataReadings(orgID, clusterID string, readings []*api. } // Post performs an HTTP POST request. -func (c *OAuthClient) Post(path string, body io.Reader) (*http.Response, error) { - token, err := c.getValidAccessToken() +func (c *OAuthClient) Post(ctx context.Context, path string, body io.Reader) (*http.Response, error) { + token, err := c.getValidAccessToken(ctx) if err != nil { return nil, err } - req, err := http.NewRequest(http.MethodPost, fullURL(c.baseURL, path), body) + req, err := http.NewRequestWithContext(ctx, http.MethodPost, fullURL(c.baseURL, path), body) if err != nil { return nil, err } @@ -157,9 +162,9 @@ func (c *OAuthClient) Post(path string, body io.Reader) (*http.Response, error) // getValidAccessToken returns a valid access token. It will fetch a new access // token from the auth server in case the current access token does not exist // or it is expired. -func (c *OAuthClient) getValidAccessToken() (*accessToken, error) { +func (c *OAuthClient) getValidAccessToken(ctx context.Context) (*accessToken, error) { if c.accessToken.needsRenew() { - err := c.renewAccessToken() + err := c.renewAccessToken(ctx) if err != nil { return nil, err } @@ -168,7 +173,7 @@ func (c *OAuthClient) getValidAccessToken() (*accessToken, error) { return c.accessToken, nil } -func (c *OAuthClient) renewAccessToken() error { +func (c *OAuthClient) renewAccessToken(ctx context.Context) error { tokenURL := fmt.Sprintf("https://%s/oauth/token", c.credentials.AuthServerDomain) audience := "https://preflight.jetstack.io/api/v1" payload := url.Values{} @@ -178,7 +183,7 @@ func (c *OAuthClient) renewAccessToken() error { payload.Set("audience", audience) payload.Set("username", c.credentials.UserID) payload.Set("password", c.credentials.UserSecret) - req, err := http.NewRequest("POST", tokenURL, strings.NewReader(payload.Encode())) + req, err := http.NewRequestWithContext(ctx, "POST", tokenURL, strings.NewReader(payload.Encode())) if err != nil { return errors.WithStack(err) } @@ -188,7 +193,8 @@ func (c *OAuthClient) renewAccessToken() error { if err != nil { return errors.WithStack(err) } - + // TODO(wallrj): This will block. Read the body incrementally and check for + // context cancellation. body, err := io.ReadAll(res.Body) if err != nil { return errors.WithStack(err) diff --git a/pkg/client/client_venafi_cloud.go b/pkg/client/client_venafi_cloud.go index 7e317faf..459099d6 100644 --- a/pkg/client/client_venafi_cloud.go +++ b/pkg/client/client_venafi_cloud.go @@ -2,6 +2,7 @@ package client import ( "bytes" + "context" "crypto" "crypto/ecdsa" "crypto/ed25519" @@ -26,6 +27,7 @@ import ( "github.com/google/uuid" "github.com/hashicorp/go-multierror" "github.com/microcosm-cc/bluemonday" + "k8s.io/client-go/transport" "github.com/jetstack/preflight/api" ) @@ -111,7 +113,10 @@ func NewVenafiCloudClient(agentMetadata *api.AgentMetadata, credentials *VenafiS credentials: credentials, baseURL: baseURL, accessToken: &venafiCloudAccessToken{}, - Client: &http.Client{Timeout: time.Minute}, + Client: &http.Client{ + Timeout: time.Minute, + Transport: transport.DebugWrappers(http.DefaultTransport), + }, uploaderID: uploaderID, uploadPath: uploadPath, privateKey: privateKey, @@ -168,7 +173,7 @@ func (c *VenafiSvcAccountCredentials) IsClientSet() (ok bool, why string) { // PostDataReadingsWithOptions uploads the slice of api.DataReading to the Venafi Cloud backend to be processed. // The Options are then passed as URL params in the request -func (c *VenafiCloudClient) PostDataReadingsWithOptions(readings []*api.DataReading, opts Options) error { +func (c *VenafiCloudClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error { payload := api.DataReadingsPost{ AgentMetadata: c.agentMetadata, DataGatherTime: time.Now().UTC(), @@ -199,7 +204,7 @@ func (c *VenafiCloudClient) PostDataReadingsWithOptions(readings []*api.DataRead } venafiCloudUploadURL.RawQuery = query.Encode() - res, err := c.Post(venafiCloudUploadURL.String(), bytes.NewBuffer(data)) + res, err := c.Post(ctx, venafiCloudUploadURL.String(), bytes.NewBuffer(data)) if err != nil { return err } @@ -219,7 +224,7 @@ func (c *VenafiCloudClient) PostDataReadingsWithOptions(readings []*api.DataRead // PostDataReadings uploads the slice of api.DataReading to the Venafi Cloud backend to be processed for later // viewing in the user-interface. -func (c *VenafiCloudClient) PostDataReadings(_ string, _ string, readings []*api.DataReading) error { +func (c *VenafiCloudClient) PostDataReadings(ctx context.Context, _ string, _ string, readings []*api.DataReading) error { // orgID and clusterID are ignored in Venafi Cloud auth payload := api.DataReadingsPost{ @@ -235,7 +240,7 @@ func (c *VenafiCloudClient) PostDataReadings(_ string, _ string, readings []*api if !strings.HasSuffix(c.uploadPath, "/") { c.uploadPath = fmt.Sprintf("%s/", c.uploadPath) } - res, err := c.Post(filepath.Join(c.uploadPath, c.uploaderID), bytes.NewBuffer(data)) + res, err := c.Post(ctx, filepath.Join(c.uploadPath, c.uploaderID), bytes.NewBuffer(data)) if err != nil { return err } @@ -254,8 +259,8 @@ func (c *VenafiCloudClient) PostDataReadings(_ string, _ string, readings []*api } // Post performs an HTTP POST request. -func (c *VenafiCloudClient) Post(path string, body io.Reader) (*http.Response, error) { - token, err := c.getValidAccessToken() +func (c *VenafiCloudClient) Post(ctx context.Context, path string, body io.Reader) (*http.Response, error) { + token, err := c.getValidAccessToken(ctx) if err != nil { return nil, err } @@ -278,9 +283,9 @@ func (c *VenafiCloudClient) Post(path string, body io.Reader) (*http.Response, e // getValidAccessToken returns a valid access token. It will fetch a new access // token from the auth server in case the current access token does not exist // or it is expired. -func (c *VenafiCloudClient) getValidAccessToken() (*venafiCloudAccessToken, error) { +func (c *VenafiCloudClient) getValidAccessToken(ctx context.Context) (*venafiCloudAccessToken, error) { if c.accessToken == nil || time.Now().Add(time.Minute).After(c.accessToken.expirationTime) { - err := c.updateAccessToken() + err := c.updateAccessToken(ctx) if err != nil { return nil, err } @@ -289,7 +294,7 @@ func (c *VenafiCloudClient) getValidAccessToken() (*venafiCloudAccessToken, erro return c.accessToken, nil } -func (c *VenafiCloudClient) updateAccessToken() error { +func (c *VenafiCloudClient) updateAccessToken(ctx context.Context) error { jwtToken, err := c.generateAndSignJwtToken() if err != nil { return err @@ -302,7 +307,7 @@ func (c *VenafiCloudClient) updateAccessToken() error { tokenURL := fullURL(c.baseURL, accessTokenEndpoint) encoded := values.Encode() - request, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(encoded)) + request, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(encoded)) if err != nil { return err } diff --git a/pkg/client/client_venconn.go b/pkg/client/client_venconn.go index d8553624..a0ee8646 100644 --- a/pkg/client/client_venconn.go +++ b/pkg/client/client_venconn.go @@ -19,6 +19,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" + "k8s.io/client-go/transport" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" "github.com/jetstack/preflight/api" @@ -99,11 +100,11 @@ func NewVenConnClient(restcfg *rest.Config, agentMetadata *api.AgentMetadata, in } vcpClient := &http.Client{} + tr := http.DefaultTransport.(*http.Transport).Clone() if trustedCAs != nil { - tr := http.DefaultTransport.(*http.Transport).Clone() tr.TLSClientConfig.RootCAs = trustedCAs - vcpClient.Transport = tr } + vcpClient.Transport = transport.DebugWrappers(tr) return &VenConnClient{ agentMetadata: agentMetadata, @@ -123,12 +124,12 @@ func (c *VenConnClient) Start(ctx context.Context) error { // `opts.ClusterName` and `opts.ClusterDescription` are the only values used // from the Options struct. OrgID and ClusterID are not used in Venafi Cloud. -func (c *VenConnClient) PostDataReadingsWithOptions(readings []*api.DataReading, opts Options) error { +func (c *VenConnClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error { if opts.ClusterName == "" { return fmt.Errorf("programmer mistake: the cluster name (aka `cluster_id` in the config file) cannot be left empty") } - _, token, err := c.connHandler.Get(context.Background(), c.installNS, auth.Scope{}, types.NamespacedName{Name: c.venConnName, Namespace: c.venConnNS}) + _, token, err := c.connHandler.Get(ctx, c.installNS, auth.Scope{}, types.NamespacedName{Name: c.venConnName, Namespace: c.venConnNS}) if err != nil { return fmt.Errorf("while loading the VenafiConnection %s/%s: %w", c.venConnNS, c.venConnName, err) } @@ -161,7 +162,7 @@ func (c *VenConnClient) PostDataReadingsWithOptions(readings []*api.DataReading, // The path parameter "no" is a dummy parameter to make the Venafi Cloud // backend happy. This parameter, named `uploaderID` in the backend, is not // actually used by the backend. - req, err := http.NewRequest(http.MethodPost, fullURL(token.BaseURL, "/v1/tlspk/upload/clusterdata/no"), encodedBody) + req, err := http.NewRequestWithContext(ctx, http.MethodPost, fullURL(token.BaseURL, "/v1/tlspk/upload/clusterdata/no"), encodedBody) if err != nil { return err } @@ -206,13 +207,13 @@ func (c *VenConnClient) PostDataReadingsWithOptions(readings []*api.DataReading, // Cloud needs a `clusterName` and `clusterDescription`, but this function can // only pass `orgID` and `clusterID` which are both useless in Venafi Cloud. Use // PostDataReadingsWithOptions instead. -func (c *VenConnClient) PostDataReadings(_orgID, _clusterID string, readings []*api.DataReading) error { +func (c *VenConnClient) PostDataReadings(_ context.Context, _orgID, _clusterID string, readings []*api.DataReading) error { return fmt.Errorf("programmer mistake: PostDataReadings is not implemented for Venafi Cloud") } // Post isn't implemented for Venafi Cloud because /v1/tlspk/upload/clusterdata // requires using the query parameters `name` and `description` which can't be // set using Post. Use PostDataReadingsWithOptions instead. -func (c *VenConnClient) Post(path string, body io.Reader) (*http.Response, error) { +func (c *VenConnClient) Post(_ context.Context, path string, body io.Reader) (*http.Response, error) { return nil, fmt.Errorf("programmer mistake: Post is not implemented for Venafi Cloud") }