/* Copyright 2018 The CDI Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package main import ( "crypto/tls" "flag" "fmt" "os" "runtime" "strconv" popv1beta1 "github.com/kubernetes-csi/volume-data-source-validator/client/apis/volumepopulator/v1beta1" ocpconfigv1 "github.com/openshift/api/config/v1" routev1 "github.com/openshift/api/route/v1" secv1 "github.com/openshift/api/security/v1" promv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" "go.uber.org/zap/zapcore" extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/client/config" "sigs.k8s.io/controller-runtime/pkg/healthz" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/manager/signals" "sigs.k8s.io/controller-runtime/pkg/metrics/server" cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" forklift "kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1" cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned" "kubevirt.io/containerized-data-importer/pkg/operator/controller" "kubevirt.io/containerized-data-importer/pkg/util" cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch" ) var log = logf.Log.WithName("cmd") func printVersion() { log.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) log.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH)) } func main() { flag.Parse() defVerbose := fmt.Sprintf("%d", 1) // note flag values are strings verbose := defVerbose // visit actual flags passed in and if passed check -v and set verbose if verboseEnvVarVal := os.Getenv("VERBOSITY"); verboseEnvVarVal != "" { verbose = verboseEnvVarVal } if verbose == defVerbose { log.V(1).Info(fmt.Sprintf("Note: increase the -v level in the controller deployment for more detailed logging, eg. -v=%d or -v=%d\n", 2, 3)) } verbosityLevel, err := strconv.Atoi(verbose) debug := false if err == nil && verbosityLevel > 1 { debug = true } // The logger instantiated here can be changed to any logger // implementing the logr.Logger interface. This logger will // be propagated through the whole operator, generating // uniform and structured logs. logf.SetLogger(zap.New(zap.Level(zapcore.Level(-1*verbosityLevel)), zap.UseDevMode(debug))) printVersion() namespace := util.GetNamespace() // Get a config to talk to the apiserver cfg, err := config.GetConfig() if err != nil { log.Error(err, "") os.Exit(1) } managedTLSWatcher := cryptowatch.NewManagedTLSWatcher(cdiclient.NewForConfigOrDie(cfg)) managerOpts := manager.Options{ Cache: cache.Options{ DefaultNamespaces: map[string]cache.Config{ namespace: {}, }, }, LeaderElection: true, LeaderElectionNamespace: namespace, LeaderElectionID: "cdi-operator-leader-election-helper", LeaderElectionResourceLock: "leases", HealthProbeBindAddress: ":8444", Metrics: server.Options{ BindAddress: ":8443", SecureServing: true, // Disable HTTP/2 to prevent rapid reset vulnerability // See CVE-2023-44487, CVE-2023-39325 TLSOpts: []func(*tls.Config){func(c *tls.Config) { c.NextProtos = []string{"http/1.1"} c.GetConfigForClient = func(t *tls.ClientHelloInfo) (*tls.Config, error) { config := c.Clone() if w := managedTLSWatcher.Watcher(); w != nil { cryptoConfig := w.GetCdiTLSConfig() config.CipherSuites = cryptoConfig.CipherSuites config.MinVersion = cryptoConfig.MinVersion } return config, nil } }}, }, } // Create a new Manager to provide shared dependencies and start components mgr, err := manager.New(cfg, managerOpts) if err != nil { log.Error(err, "") os.Exit(1) } log.Info("Registering Components.") if err := cdiv1.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := extv1.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := apiregistrationv1.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := promv1.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := secv1.Install(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := routev1.Install(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := forklift.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := popv1beta1.AddToScheme(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } if err := ocpconfigv1.Install(mgr.GetScheme()); err != nil { log.Error(err, "") os.Exit(1) } // Setup the controller if err := controller.Add(mgr); err != nil { log.Error(err, "") os.Exit(1) } managedTLSWatcher.SetCache(mgr.GetCache()) if err := mgr.Add(managedTLSWatcher); err != nil { log.Error(err, "unable to add watcher to manager") os.Exit(1) } if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { log.Error(err, "unable to set up health check") os.Exit(1) } if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { log.Error(err, "unable to set up ready check") os.Exit(1) } log.Info("Starting the Manager.") // Start the Manager if err := mgr.Start(signals.SetupSignalHandler()); err != nil { log.Error(err, "manager exited non-zero") os.Exit(1) } }