From ca42a2c003c2de4e80a38166142b6fe6177d2aa3 Mon Sep 17 00:00:00 2001 From: clux Date: Sun, 6 Aug 2023 20:29:16 +0100 Subject: [PATCH 1/2] Switch to rustls and remove kube2rbac experiment Signed-off-by: clux --- Cargo.lock | 239 +++++++++++++++++++++++++++++++++-------------------- Cargo.toml | 5 +- justfile | 51 +----------- 3 files changed, 155 insertions(+), 140 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 554c5f8..c31196c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -551,6 +551,16 @@ dependencies = [ "version_check", ] +[[package]] +name = "core-foundation" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.4" @@ -716,21 +726,6 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared", -] - -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "form_urlencoded" version = "1.2.0" 
@@ -971,21 +966,19 @@ dependencies = [ ] [[package]] -name = "hyper-openssl" -version = "0.9.2" +name = "hyper-rustls" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6ee5d7a8f718585d1c3c61dfde28ef5b0bb14734b4db13f5ada856cdc6c612b" +checksum = "8d78e1e73ec14cf7375674f74d7dde185c8206fd9dea6fb6295e8a98098aaa97" dependencies = [ + "futures-util", "http", "hyper", - "linked_hash_set", - "once_cell", - "openssl", - "openssl-sys", - "parking_lot", + "log", + "rustls", + "rustls-native-certs", "tokio", - "tokio-openssl", - "tower-layer", + "tokio-rustls", ] [[package]] @@ -1166,14 +1159,15 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-openssl", + "hyper-rustls", "hyper-timeout", "jsonpath_lib", "k8s-openapi", "kube-core", - "openssl", "pem", "pin-project", + "rustls", + "rustls-pemfile", "secrecy", "serde", "serde_json", @@ -1261,21 +1255,6 @@ version = "0.2.147" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" -[[package]] -name = "linked-hash-map" -version = "0.5.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" - -[[package]] -name = "linked_hash_set" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47186c6da4d81ca383c7c47c1bfc80f4b95f4720514d860a5407aaf4233f9588" -dependencies = [ - "linked-hash-map", -] - [[package]] name = "local-channel" version = "0.1.3" 
@@ -1403,42 +1382,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] -name = "openssl" -version = "0.10.55" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" -dependencies = [ - "bitflags 1.3.2", - "cfg-if", - "foreign-types", - "libc", - "once_cell", - "openssl-macros", - "openssl-sys", -] - -[[package]] -name = "openssl-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.28", -] - -[[package]] -name = "openssl-sys" -version = "0.9.90" +name = "openssl-probe" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" -dependencies = [ - "cc", - "libc", - "pkg-config", - "vcpkg", -] +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "opentelemetry" @@ -1786,6 +1733,21 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5ea92a5b6195c6ef2a0295ea818b312502c6fc94dde986c5553242e18fd4ce2" +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi", +] + [[package]] name = "rustc-demangle" version = "0.1.23" 
@@ -1801,6 +1763,49 @@ dependencies = [ "semver", ] +[[package]] +name = "rustls" +version = "0.21.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb" +dependencies = [ + "log", + "ring", + "rustls-webpki", + "sct", +] + +[[package]] +name = "rustls-native-certs" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "schannel", + "security-framework", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d3987094b1d07b653b7dfdc3f70ce9a1da9c51ac18c1b06b662e4f9a0e9f4b2" +dependencies = [ + "base64 0.21.2", +] + +[[package]] +name = "rustls-webpki" +version = "0.101.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "513722fd73ad80a71f72b61009ea1b584bcfa1483ca93949c8f290298837fa59" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -1813,6 +1818,15 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" +[[package]] +name = "schannel" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88" +dependencies = [ + "windows-sys", +] + [[package]] name = "schemars" version = "0.8.12" 
@@ -1844,6 +1858,16 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "secrecy" version = "0.8.0" @@ -1854,6 +1878,29 @@ dependencies = [ "zeroize", ] +[[package]] +name = "security-framework" +version = "2.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" +dependencies = [ + "bitflags 1.3.2", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "semver" version = "1.0.17" @@ -1992,6 +2039,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "strsim" version = "0.10.0" @@ -2151,14 +2204,12 @@ dependencies = [ ] [[package]] -name = "tokio-openssl" -version = "0.6.3" +name = "tokio-rustls" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c08f9ffb7809f1b20c1b398d92acf4cc719874b3b2b2d9ea2f09b4a80350878a" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "futures-util", - "openssl", - "openssl-sys", + "rustls", "tokio", ] 
@@ -2434,6 +2485,12 @@ version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f28467d3e1d3c6586d8f25fa243f544f5800fec42d97032474e17222c2b75cfa" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "url" version = "2.4.0" @@ -2457,12 +2514,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" -[[package]] -name = "vcpkg" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - [[package]] name = "version_check" version = "0.9.4" @@ -2544,6 +2595,16 @@ version = "0.2.87" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca6ad05a4870b2bf5fe995117d3728437bd27d7cd5f06f13c17443ef369775a1" +[[package]] +name = "web-sys" +version = "0.3.64" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b85cbef8c220a6abc02aefd892dfc0fc23afb1c6a426316ec33253a3877249b" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "winapi" version = "0.3.9" diff --git a/Cargo.toml b/Cargo.toml index 97f57ad..7d65bf2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -41,7 +41,7 @@ tracing-subscriber = { version = "0.3.17", features = ["json", "env-filter"] } tracing-opentelemetry = "0.20.0" opentelemetry = { version = "0.20.0", features = ["trace", "rt-tokio"] } opentelemetry-otlp = { version = "0.13.0", features = ["tokio"], optional = true } -tonic = { version = "0.9", optional = true } # 0.9 blocked on opentelemetry-otlp release +tonic = { version = "0.9", optional = true } thiserror = "1.0.44" anyhow = "1.0.72" 
@@ -52,8 +52,9 @@ hyper = "0.14.27"
 tower-test = "0.4.0"
 
 [dependencies.kube]
-features = ["runtime", "client", "derive"]
+features = ["runtime", "client", "derive", "rustls-tls"]
 version = "0.85.0"
+default-features = false
 
 # testing new releases - ignore
 #git = "https://github.com/kube-rs/kube.git"
diff --git a/justfile b/justfile
index b44ac7c..9039f31 100644
--- a/justfile
+++ b/justfile
@@ -12,7 +12,7 @@ generate:
 
 # run with opentelemetry
 run-telemetry:
- OPENTELEMETRY_ENDPOINT_URL=https://0.0.0.0:55680 RUST_LOG=info,kube=trace,controller=debug cargo run --features=telemetry
+ OPENTELEMETRY_ENDPOINT_URL=http://127.0.0.1:55680 RUST_LOG=info,kube=trace,controller=debug cargo run --features=telemetry
 
 # run without opentelemetry
 run:
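Review bot: `default-features = false` plus `rustls-tls` moves API-server certificate validation from OpenSSL to rustls/webpki, and nothing in `[dependencies.kube]` records why; a one-line comment above the table, `# rustls-tls instead of kube's default openssl-tls: no native openssl link (see Cargo.lock)`, saves the next reader a trip through the lockfile. The keys are also out of the usual Cargo order (version, then default-features, then features): `version = "0.85.0"` / `default-features = false` / `features = ["runtime", "client", "derive", "rustls-tls"]`. Dropping the default set keeps `client` only because it is re-listed in `features`; if kube enables anything else by default that the controller relied on, it is now silently absent, so this is worth confirming against kube 0.85's feature list.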
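Review bot: The endpoint literal `http://127.0.0.1:55680` is hard-coded in `run-telemetry` here and, after the second patch in this series, again in `test-telemetry`; that follow-up commit is itself evidence that the two copies drift. A justfile variable keeps them in step: `otel_endpoint := "http://127.0.0.1:55680"` near the top, then `OPENTELEMETRY_ENDPOINT_URL={{otel_endpoint}} RUST_LOG=info,kube=trace,controller=debug cargo run --features=telemetry` in this recipe and the same substitution in `test-telemetry`. Pointing at the loopback address instead of `0.0.0.0` is the right fix for a client URL, and plain `http` is acceptable only because the other end is a local `kubectl port-forward`; a trailing comment such as `# plaintext: collector is a local port-forward (see forward-tempo)` keeps the URL from being reused against a remote collector.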
@@ -54,56 +54,9 @@ build-base: (_build "") build-otel: (_build "telemetry") - -# local helpers for debugging traces - # forward grpc otel port from svc/promstack-tempo in monitoring forward-tempo: - kubectl port-forward -n monitoring svc/promstack-tempo 55680:55680 - -# forward http port from svc/promstack-grafana in monitoring -forward-grafana: - kubectl port-forward -n monitoring svc/promstack-grafana 8000:80 - -# constrain rbac based on audit logs using audit2rbac -gen-rbac: - #!/usr/bin/env bash - set -euxo pipefail - cat << EOF > audit.yaml - kind: "Policy" - apiVersion: "audit.k8s.io/v1" - rules: - - level: Metadata - users: - - system:admin - - system:serviceaccount:default:doc-controller - omitStages: - - RequestReceived - - ResponseStarted - - Panic - EOF - mkdir -p audit - rm -f audit/audit.log - k3d cluster create auditrbac \ - --k3s-arg '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/manifests/audit.yaml@server:*' \ - --k3s-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/audit/audit.log@server:*' \ - --volume "$(pwd)/audit.yaml:/var/lib/rancher/k3s/server/manifests/audit.yaml" \ - --volume "$(pwd)/audit:/var/log/kubernetes/audit" - export KUBECONFIG="$(k3d kubeconfig write auditrbac)" - kubectl apply -f yaml/crd.yaml - kubectl wait --for=condition=established crd/documents.kube.rs --timeout=10s - kubectl apply -f yaml/deployment.yaml - kubectl wait --for=condition=available deploy/doc-controller --timeout=60s - # install stuff in multiple namespaces with multiple names - kubectl apply -f yaml/instance-samuel.yaml - kubectl apply -f yaml/instance-samuel.yaml -n kube-system - kubectl apply -f yaml/instance-lorem.yaml - sleep 1 - kubectl delete -f yaml/instance-samuel.yaml - sleep 1 - # Needs https://github.com/liggitt/audit2rbac installed on PATH - audit2rbac -f audit/audit.log --serviceaccount=default:doc-controller \ - --generate-labels="" --generate-annotations="" --generate-name=doc-controller + kubectl port-forward -n 
monitoring svc/promstack-tempo 55680:4317 # mode: makefile # End: From 3981f850976bcef61d7d512ef1dbaf26f303276a Mon Sep 17 00:00:00 2001 From: clux Date: Sun, 6 Aug 2023 20:38:07 +0100 Subject: [PATCH 2/2] consistency Signed-off-by: clux --- justfile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/justfile b/justfile index 9039f31..2437f95 100644 --- a/justfile +++ b/justfile @@ -30,7 +30,7 @@ test-integration: install-crd cargo test -- --ignored # run telemetry tests test-telemetry: - OPENTELEMETRY_ENDPOINT_URL=https://0.0.0.0:55680 cargo test --lib --all-features -- get_trace_id_returns_valid_traces --ignored + OPENTELEMETRY_ENDPOINT_URL=http://127.0.0.1:55680 cargo test --lib --all-features -- get_trace_id_returns_valid_traces --ignored # compile for musl (for docker image) compile features="": @@ -53,11 +53,7 @@ build-base: (_build "") # docker build with telemetry build-otel: (_build "telemetry") - +# local helper for test-telemetry and run-telemetry # forward grpc otel port from svc/promstack-tempo in monitoring forward-tempo: kubectl port-forward -n monitoring svc/promstack-tempo 55680:4317 - -# mode: makefile -# End: -# vim: set ft=make :
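Review bot: The port-forward now maps local 55680 to the service's 4317, but the recipe comment still only says "forward grpc otel port", so the asymmetric mapping reads like a typo; a comment above the kubectl line, `# local 55680 (what OPENTELEMETRY_ENDPOINT_URL points at) -> tempo's OTLP gRPC port 4317`, documents it. Deleting `gen-rbac` also deletes the only recipe that derived the controller's RBAC rules from audit logs; if the least-privilege rules for `doc-controller` are now maintained by hand in `yaml/deployment.yaml`, the commit message or a comment there should say so, otherwise the next permission change has no stated process. The last changed line of this hunk is split across the page boundary (`kubectl port-forward -n ` / `monitoring …`), so the trailing context lines could not be fully checked.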
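Review bot: The blank line between `build-otel: (_build "telemetry")` and the new `# local helper for test-telemetry and run-telemetry` comment is removed, so the comment now abuts the previous recipe's definition line rather than the recipe it introduces; keep the separator: `build-otel: (_build "telemetry")` / (blank line) / `# local helper for test-telemetry and run-telemetry`. It also appears that `just --list` shows only the comment line directly above a recipe as its description, in which case the added line would not surface there; folding it into the existing comment, `# forward grpc otel port from svc/promstack-tempo in monitoring (local helper for test-telemetry and run-telemetry)`, keeps it visible. Dropping the trailing editor modelines is fine.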