Disable TLS
Somehow running mtls is very expensive when using the GKE deployer.
Disable TLS completely for now and revisit once srdjan is back in the
office.
rgrandl committed Jun 6, 2024
1 parent 73d0819 commit 5b96f64
Showing 9 changed files with 185 additions and 90 deletions.
7 changes: 4 additions & 3 deletions cmd/weaver-gke/controller.go
Expand Up @@ -23,8 +23,9 @@ import (
)

var (
controllerFlags = flag.NewFlagSet("controller", flag.ContinueOnError)
controllerPort = controllerFlags.Int("port", 0, "Controller port")
controllerFlags = flag.NewFlagSet("controller", flag.ContinueOnError)
controllerPort = controllerFlags.Int("port", 0, "Controller port")
controllerMtlsEnabled = controllerFlags.Bool("mtls", false, "Whether controller uses MTLS")
)

var controllerCmd = tool.Command{
Expand All @@ -37,7 +38,7 @@ var controllerCmd = tool.Command{
Flags:
-h, --help Print this help message.`,
Fn: func(ctx context.Context, args []string) error {
return gke.RunController(ctx, *controllerPort)
return gke.RunController(ctx, *controllerPort, *controllerMtlsEnabled)
},
Hidden: true,
}
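Review bot: The new `--mtls` flag defaults to `false`, so a nanny binary started without it quietly serves and dials plaintext, and the command's `Flags:` help text in the second hunk still lists only `-h, --help`. Because `ensureNannyDeployment` in deploy.go always passes `--mtls=%v` explicitly, the default only matters for manual or out-of-date invocations, which is exactly where failing safe is preferable: `controllerMtlsEnabled = controllerFlags.Bool("mtls", true, "Whether controller uses MTLS")`, or keep `false` but document it in the help text, `--mtls  Whether the controller serves and dials with mTLS (default false).`. The same flag and help-text omission appear in distributor.go and manager.go in this commit.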
7 changes: 4 additions & 3 deletions cmd/weaver-gke/distributor.go
Expand Up @@ -23,8 +23,9 @@ import (
)

var (
distributorFlags = flag.NewFlagSet("distributor", flag.ContinueOnError)
distributorPort = distributorFlags.Int("port", 0, "Distributor port")
distributorFlags = flag.NewFlagSet("distributor", flag.ContinueOnError)
distributorPort = distributorFlags.Int("port", 0, "Distributor port")
distributorMtlsEnabled = distributorFlags.Bool("mtls", false, "Whether distributor uses MTLS")
)

var distributorCmd = tool.Command{
Expand All @@ -37,7 +38,7 @@ var distributorCmd = tool.Command{
Flags:
-h, --help Print this help message.`,
Fn: func(ctx context.Context, args []string) error {
return gke.RunDistributor(ctx, *distributorPort)
return gke.RunDistributor(ctx, *distributorPort, *distributorMtlsEnabled)
},
Hidden: true,
}
7 changes: 4 additions & 3 deletions cmd/weaver-gke/manager.go
Expand Up @@ -23,8 +23,9 @@ import (
)

var (
managerFlags = flag.NewFlagSet("manager", flag.ContinueOnError)
managerPort = managerFlags.Int("port", 0, "Manager port")
managerFlags = flag.NewFlagSet("manager", flag.ContinueOnError)
managerPort = managerFlags.Int("port", 0, "Manager port")
managerMtlsEnabled = managerFlags.Bool("mtls", false, "Whether manager uses MTLS")
)

var managerCmd = tool.Command{
Expand All @@ -37,7 +38,7 @@ var managerCmd = tool.Command{
Flags:
-h, --help Print this help message.`,
Fn: func(ctx context.Context, args []string) error {
return gke.RunManager(ctx, *managerPort)
return gke.RunManager(ctx, *managerPort, *managerMtlsEnabled)
},
Hidden: true,
}
32 changes: 24 additions & 8 deletions internal/gke/babysitter.go
Expand Up @@ -16,6 +16,8 @@ package gke

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"log/slog"
"net"
Expand Down Expand Up @@ -137,16 +139,22 @@ func RunBabysitter(ctx context.Context) error {
return metricsExporter.Export(ctx, metrics, cfg.Telemetry.Metrics.AutoGenerateMetrics)
}

caCert, getSelfCert, err := getPodCerts()
if err != nil {
return err
var caCert *x509.Certificate
var getSelfCert func() ([]byte, []byte, error)
var tlsConfig *tls.Config
if meta.MtlsEnabled {
caCert, getSelfCert, err = getPodCerts()
if err != nil {
return err
}
tlsConfig = mtls.ClientTLSConfig(meta.Project, caCert, getSelfCert, "manager")
}

// Create an unique http client to the manager, that will be reused across all
// the http requests to the manager.
m := &manager.HttpClient{
Addr: cfg.ManagerAddr,
Client: makeHttpClient(mtls.ClientTLSConfig(meta.Project, caCert, getSelfCert, "manager")),
Client: makeHttpClient(tlsConfig),
}
mux := http.NewServeMux()
host, err := os.Hostname()
Expand All @@ -158,17 +166,25 @@ func RunBabysitter(ctx context.Context) error {
if err != nil {
return err
}
selfAddr := fmt.Sprintf("https://%s", lis.Addr())
var selfAddr string
if meta.MtlsEnabled {
selfAddr = fmt.Sprintf("https://%s", lis.Addr())
} else {
selfAddr = fmt.Sprintf("http://%s", lis.Addr())
}
_, err = babysitter.Start(ctx, logger, cfg, replicaSet, meta.Project, meta.PodName, internalAddress, mux, selfAddr, m, caCert, getSelfCert, logSaver, traceSaver, metricSaver)
if err != nil {
return err
}

server := &http.Server{
Handler: mux,
TLSConfig: mtls.ServerTLSConfig(meta.Project, caCert, getSelfCert, "manager", "distributor"),
Handler: mux,
}
if meta.MtlsEnabled {
server.TLSConfig = mtls.ServerTLSConfig(meta.Project, caCert, getSelfCert, "manager", "distributor")
return server.ServeTLS(lis, "", "")
}
return server.ServeTLS(lis, "", "")
return server.Serve(lis)
}

// gkeConfigFromEnv reads config.GKEConfig from the Service Weaver internal
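Review bot: With `meta.MtlsEnabled` false the server at the end of the last hunk runs `server.Serve(lis)` with no `TLSConfig`, which drops not only transport encryption but also the peer restriction that `mtls.ServerTLSConfig(..., "manager", "distributor")` appears to enforce, so any client that can reach the listener can call the babysitter's mux handlers, and nothing in the hunk records that this mode is active. Assuming `logger` is the `*slog.Logger` the file imports, emit a warning before the plaintext branch, `logger.Warn("mTLS disabled; babysitter serving plaintext HTTP with no peer authentication", "addr", lis.Addr())`, and add a comment on the `var caCert` / `var getSelfCert` declarations noting they stay nil in this mode. Whether `babysitter.Start` and `makeHttpClient` tolerate a nil `caCert`, `getSelfCert` and `tlsConfig` is not visible here and should be confirmed. The `selfAddr` if/else duplicates the same scheme switch in deploy.go's `buildRolloutRequest`; a small helper taking the bool and returning `"https"` or `"http"` would keep the two in step. RunBabysitter begins before the hunk.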
21 changes: 16 additions & 5 deletions internal/gke/container.pb.go


1 change: 1 addition & 0 deletions internal/gke/container.proto
Expand Up @@ -65,4 +65,5 @@ message ContainerMetadata {
string container_name = 7; // Kubernetes container name
string app = 8; // Kubernetes app label
config.Telemetry telemetry = 9; // Options to configure the telemetry
bool mtls_enabled = 10; // Whether MTLS should be enabled
}
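Review bot: `mtls_enabled` is a proto3 bool, so metadata produced by any path that does not set the field (for example a deployer built before this change) makes a new nanny run plaintext with no signal, because the zero value selects the non-mTLS branches in babysitter.go. The trailing comment should make that fail-open default explicit, e.g. `// Whether MTLS should be enabled. Unset reads as false (plaintext HTTP); deployers must set it explicitly.`.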
78 changes: 47 additions & 31 deletions internal/gke/deploy.go
Expand Up @@ -452,8 +452,10 @@ func prepareProject(ctx context.Context, config CloudConfig, cfg *config.GKEConf
}

// Setup the Certificate Authority.
if err := ensureCA(ctx, config); err != nil {
return nil, "", err
if cfg.Mtls {
if err := ensureCA(ctx, config); err != nil {
return nil, "", err
}
}

// Ensure the Service Weaver configuration cluster is setup.
Expand Down Expand Up @@ -481,8 +483,14 @@ func buildRolloutRequest(cfg *config.GKEConfig) *controller.RolloutRequest {
for _, region := range cfg.Regions {
// NOTE: distributor address must be resolvable from anywhere inside
// the project's VPC.
distributorAddr :=
fmt.Sprintf("https://distributor.%s.svc.%s-%s:80", namespaceName, applicationClusterName, region)
var distributorAddr string
if cfg.Mtls {
distributorAddr =
fmt.Sprintf("https://distributor.%s.svc.%s-%s:80", namespaceName, applicationClusterName, region)
} else {
distributorAddr =
fmt.Sprintf("http://distributor.%s.svc.%s-%s:80", namespaceName, applicationClusterName, region)
}
req.Locations = append(req.Locations, &controller.RolloutRequest_Location{
Name: region,
DistributorAddr: distributorAddr,
Expand Down Expand Up @@ -1042,7 +1050,7 @@ func ensureConfigCluster(ctx context.Context, config CloudConfig, cfg *config.GK
if err != nil {
return nil, "", err
}
cluster, err := ensureManagedCluster(ctx, config, name, region)
cluster, err := ensureManagedCluster(ctx, config, name, region, cfg.Mtls)
if err != nil {
return nil, "", err
}
Expand Down Expand Up @@ -1110,7 +1118,7 @@ func ensureConfigCluster(ctx context.Context, config CloudConfig, cfg *config.GK
// It returns the cluster information and the IP address of the gateway that
// routes internal traffic to Service Weaver applications in the cluster.
func ensureApplicationCluster(ctx context.Context, config CloudConfig, cfg *config.GKEConfig, region string) (*ClusterInfo, string, error) {
cluster, err := ensureManagedCluster(ctx, config, applicationClusterName, region)
cluster, err := ensureManagedCluster(ctx, config, applicationClusterName, region, cfg.Mtls)
if err != nil {
return nil, "", err
}
Expand Down Expand Up @@ -1254,7 +1262,7 @@ func ensureApplicationCluster(ctx context.Context, config CloudConfig, cfg *conf

// ensureManagedCluster ensures that a Service Weaver managed cluster is available
// and running in the given region.
func ensureManagedCluster(ctx context.Context, config CloudConfig, name, region string) (*ClusterInfo, error) {
func ensureManagedCluster(ctx context.Context, config CloudConfig, name, region string, mtlsEnabled bool) (*ClusterInfo, error) {
exists, err := hasCluster(ctx, config, name, region)
if err != nil {
return nil, err
Expand Down Expand Up @@ -1380,14 +1388,16 @@ func ensureManagedCluster(ctx context.Context, config CloudConfig, name, region
return nil, err
}

// Setup the workload certificate config in the cluster.
if err := ensureWorkloadCertificateConfig(ctx, cluster); err != nil {
return nil, err
}
if mtlsEnabled {
// Setup the workload certificate config in the cluster.
if err := ensureWorkloadCertificateConfig(ctx, cluster); err != nil {
return nil, err
}

// Setup the trust config in the cluster.
if err := ensureTrustConfig(ctx, cluster); err != nil {
return nil, err
// Setup the trust config in the cluster.
if err := ensureTrustConfig(ctx, cluster); err != nil {
return nil, err
}
}

// Scale down resources used by system services.
Expand Down Expand Up @@ -1848,18 +1858,18 @@ func ensureWeaverServices(ctx context.Context, config CloudConfig, cfg *config.G
if err != nil {
return err
}
if err := ensureController(ctx, config, name, region, cfg.Telemetry, toolImageURL); err != nil {
if err := ensureController(ctx, config, name, region, cfg.Telemetry, cfg.Mtls, toolImageURL); err != nil {
return err
}
for _, region := range cfg.Regions {
cluster, err := GetClusterInfo(ctx, config, applicationClusterName, region)
if err != nil {
return err
}
if err := ensureDistributor(ctx, cluster, cfg.Telemetry, toolImageURL); err != nil {
if err := ensureDistributor(ctx, cluster, cfg.Telemetry, cfg.Mtls, toolImageURL); err != nil {
return err
}
if err := ensureManager(ctx, cluster, cfg.Telemetry, toolImageURL); err != nil {
if err := ensureManager(ctx, cluster, cfg.Telemetry, cfg.Mtls, toolImageURL); err != nil {
return err
}
}
Expand All @@ -1868,13 +1878,13 @@ func ensureWeaverServices(ctx context.Context, config CloudConfig, cfg *config.G

// ensureController ensures that a controller is running in the config cluster.
func ensureController(ctx context.Context, config CloudConfig, clusterName, region string,
telemetry *config.Telemetry, toolImageURL string) error {
telemetry *config.Telemetry, mtlsEnabled bool, toolImageURL string) error {
cluster, err := GetClusterInfo(ctx, config, clusterName, region)
if err != nil {
return err
}
const name = "controller"
if err := ensureNannyDeployment(ctx, cluster, name, controllerKubeServiceAccount, telemetry, toolImageURL); err != nil {
if err := ensureNannyDeployment(ctx, cluster, name, controllerKubeServiceAccount, telemetry, mtlsEnabled, toolImageURL); err != nil {
return err
}
if err := ensureNannyVerticalPodAutoscaler(ctx, cluster, name); err != nil {
Expand All @@ -1885,9 +1895,9 @@ func ensureController(ctx context.Context, config CloudConfig, clusterName, regi

// ensureDistributor ensures that a distributor is running in the given cluster.
func ensureDistributor(ctx context.Context, cluster *ClusterInfo,
telemetry *config.Telemetry, toolImageURL string) error {
telemetry *config.Telemetry, mtlsEnabled bool, toolImageURL string) error {
const name = "distributor"
if err := ensureNannyDeployment(ctx, cluster, name, distributorKubeServiceAccount, telemetry, toolImageURL); err != nil {
if err := ensureNannyDeployment(ctx, cluster, name, distributorKubeServiceAccount, telemetry, mtlsEnabled, toolImageURL); err != nil {
return err
}
if err := ensureNannyVerticalPodAutoscaler(ctx, cluster, name); err != nil {
Expand All @@ -1898,9 +1908,9 @@ func ensureDistributor(ctx context.Context, cluster *ClusterInfo,

// ensureManager ensures that a manager is running in the given cluster.
func ensureManager(ctx context.Context, cluster *ClusterInfo,
telemetry *config.Telemetry, toolImageURL string) error {
telemetry *config.Telemetry, mtlsEnabled bool, toolImageURL string) error {
const name = "manager"
if err := ensureNannyDeployment(ctx, cluster, name, managerKubeServiceAccount, telemetry, toolImageURL); err != nil {
if err := ensureNannyDeployment(ctx, cluster, name, managerKubeServiceAccount, telemetry, mtlsEnabled, toolImageURL); err != nil {
return err
}
if err := ensureNannyVerticalPodAutoscaler(ctx, cluster, name); err != nil {
Expand All @@ -1912,7 +1922,7 @@ func ensureManager(ctx context.Context, cluster *ClusterInfo,
// ensureNannyDeployment ensures that a nanny deployment with the given name
// and service account is running in the given cluster.
func ensureNannyDeployment(ctx context.Context, cluster *ClusterInfo, name string,
serviceAccount string, telemetry *config.Telemetry, toolImageURL string) error {
serviceAccount string, telemetry *config.Telemetry, mtlsEnabled bool, toolImageURL string) error {
meta := ContainerMetadata{
Project: cluster.CloudConfig.Project,
ClusterName: cluster.Name,
Expand All @@ -1921,6 +1931,7 @@ func ensureNannyDeployment(ctx context.Context, cluster *ClusterInfo, name strin
ContainerName: nannyContainerName,
App: name,
Telemetry: telemetry,
MtlsEnabled: mtlsEnabled,
}
metaStr, err := proto.ToEnv(&meta)
if err != nil {
Expand Down Expand Up @@ -1950,6 +1961,16 @@ func ensureNannyDeployment(ctx context.Context, cluster *ClusterInfo, name strin
}
return oldTag < newTag, nil
}

objectMetaTmpl := metav1.ObjectMeta{
Labels: map[string]string{"app": name},
}
if mtlsEnabled {
objectMetaTmpl.Annotations = map[string]string{
"security.cloud.google.com/use-workload-certificates": "",
}
}

return patchDeployment(ctx, cluster, patchOptions{}, shouldUpdate, &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -1960,20 +1981,15 @@ func ensureNannyDeployment(ctx context.Context, cluster *ClusterInfo, name strin
MatchLabels: map[string]string{"app": name},
},
Template: v1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{"app": name},
Annotations: map[string]string{
"security.cloud.google.com/use-workload-certificates": "",
},
},
ObjectMeta: objectMetaTmpl,
Spec: v1.PodSpec{
PriorityClassName: controlPriorityClassName,
Containers: []v1.Container{
{
Name: name,
Image: toolImageURL,
Args: []string{
fmt.Sprintf("/weaver/weaver-gke %s --port=%d", name, nannyServingPort),
fmt.Sprintf("/weaver/weaver-gke %s --port=%d --mtls=%v", name, nannyServingPort, mtlsEnabled),
},
Resources: v1.ResourceRequirements{
Requests: v1.ResourceList{
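Review bot: In the last hunk of `ensureNannyDeployment`, when `mtlsEnabled` is false the pod template is built with no `Annotations`, but if `patchDeployment` applies a merge-style patch (its semantics are not visible here) a `security.cloud.google.com/use-workload-certificates` annotation left by an earlier mTLS rollout would survive, so pods could keep requesting workload certificates while the nanny serves plaintext; worth confirming the patch path actually clears the key when switching modes. The `--mtls=%v` argument makes the nanny's behaviour depend entirely on this call site, so a comment on the Args line, `// mtls is always passed explicitly; the binary's flag default is never relied upon.`, would make the coupling with cmd/weaver-gke obvious. Since `cfg.Mtls` false now disables the CA, trust config and workload certificates in `prepareProject` and `ensureManagedCluster` as well, a single warning log at the top of `prepareProject` when `cfg.Mtls` is false would give operators a visible record that the deployment is unauthenticated. ensureNannyDeployment's body continues past the hunk.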