metrics-server: inherit TLS options from CDI TLSSecurityProfile (#4033)

Previously the metrics-server would be initiated with default TLS
configuration. This change makes it so the TLS configuration is updated
during runtime for every request according to the CDI
TLSSecurityProfile.

Signed-off-by: Adi Aloni <[email protected]>

Author: Acedus

cmd/cdi-controller/BUILD.bazel

@@ -8,6 +8,7 @@ go_library(
     importpath = "kubevirt.io/containerized-data-importer/cmd/cdi-controller",
     visibility = ["//visibility:private"],
     deps = [
+        "//pkg/client/clientset/versioned:go_default_library",
         "//pkg/common:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/controller/datavolume:go_default_library",
@@ -18,6 +19,7 @@ go_library(
         "//pkg/util/cert:go_default_library",
         "//pkg/util/cert/fetcher:go_default_library",
         "//pkg/util/cert/generator:go_default_library",
+        "//pkg/util/tls-crypto-watch:go_default_library",
         "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1:go_default_library",
         "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1:go_default_library",
         "//vendor/github.com/kelseyhightower/envconfig:go_default_library",

cmd/cdi-controller/controller.go

@@ -41,6 +41,7 @@ import (
 
 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
 	forklift "kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1"
+	cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned"
 	"kubevirt.io/containerized-data-importer/pkg/common"
 	"kubevirt.io/containerized-data-importer/pkg/controller"
 	dvc "kubevirt.io/containerized-data-importer/pkg/controller/datavolume"
@@ -51,6 +52,7 @@ import (
 	"kubevirt.io/containerized-data-importer/pkg/util/cert"
 	"kubevirt.io/containerized-data-importer/pkg/util/cert/fetcher"
 	"kubevirt.io/containerized-data-importer/pkg/util/cert/generator"
+	cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch"
 )
 
 const (
@@ -193,6 +195,8 @@ func start() {
 		klog.Fatalf("Unable to get uncached client: %v\n", errors.WithStack(err))
 	}
 
+	managedTLSWatcher := cryptowatch.NewManagedTLSWatcher(cdiclient.NewForConfigOrDie(cfg))
+
 	opts := manager.Options{
 		LeaderElection:             true,
 		LeaderElectionNamespace:    namespace,
@@ -207,6 +211,15 @@ func start() {
 			// See CVE-2023-44487, CVE-2023-39325
 			TLSOpts: []func(*tls.Config){func(c *tls.Config) {
 				c.NextProtos = []string{"http/1.1"}
+				c.GetConfigForClient = func(t *tls.ClientHelloInfo) (*tls.Config, error) {
+					config := c.Clone()
+					if w := managedTLSWatcher.Watcher(); w != nil {
+						cryptoConfig := w.GetCdiTLSConfig()
+						config.CipherSuites = cryptoConfig.CipherSuites
+						config.MinVersion = cryptoConfig.MinVersion
+					}
+					return config, nil
+				}
 			}},
 		},
 	}
@@ -322,6 +335,12 @@ func start() {
 		os.Exit(1)
 	}
 
+	managedTLSWatcher.SetCache(mgr.GetCache())
+	if err := mgr.Add(managedTLSWatcher); err != nil {
+		log.Error(err, "unable to add watcher to manager")
+		os.Exit(1)
+	}
+
 	klog.V(1).Infoln("created cdi controllers")
 
 	if err := mgr.Start(ctx); err != nil {

cmd/cdi-operator/BUILD.bazel

@@ -8,8 +8,10 @@ go_library(
     importpath = "kubevirt.io/containerized-data-importer/cmd/cdi-operator",
     visibility = ["//visibility:private"],
     deps = [
+        "//pkg/client/clientset/versioned:go_default_library",
         "//pkg/operator/controller:go_default_library",
         "//pkg/util:go_default_library",
+        "//pkg/util/tls-crypto-watch:go_default_library",
         "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1:go_default_library",
         "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1:go_default_library",
         "//vendor/github.com/kubernetes-csi/volume-data-source-validator/client/apis/volumepopulator/v1beta1:go_default_library",

cmd/cdi-operator/operator.go

@@ -45,8 +45,10 @@ import (
 
 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
 	forklift "kubevirt.io/containerized-data-importer-api/pkg/apis/forklift/v1beta1"
+	cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned"
 	"kubevirt.io/containerized-data-importer/pkg/operator/controller"
 	"kubevirt.io/containerized-data-importer/pkg/util"
+	cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch"
 )
 
 var log = logf.Log.WithName("cmd")
@@ -91,6 +93,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	managedTLSWatcher := cryptowatch.NewManagedTLSWatcher(cdiclient.NewForConfigOrDie(cfg))
+
 	managerOpts := manager.Options{
 		Cache: cache.Options{
 			DefaultNamespaces: map[string]cache.Config{
@@ -109,6 +113,15 @@ func main() {
 			// See CVE-2023-44487, CVE-2023-39325
 			TLSOpts: []func(*tls.Config){func(c *tls.Config) {
 				c.NextProtos = []string{"http/1.1"}
+				c.GetConfigForClient = func(t *tls.ClientHelloInfo) (*tls.Config, error) {
+					config := c.Clone()
+					if w := managedTLSWatcher.Watcher(); w != nil {
+						cryptoConfig := w.GetCdiTLSConfig()
+						config.CipherSuites = cryptoConfig.CipherSuites
+						config.MinVersion = cryptoConfig.MinVersion
+					}
+					return config, nil
+				}
 			}},
 		},
 	}
@@ -173,6 +186,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	managedTLSWatcher.SetCache(mgr.GetCache())
+	if err := mgr.Add(managedTLSWatcher); err != nil {
+		log.Error(err, "unable to add watcher to manager")
+		os.Exit(1)
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		log.Error(err, "unable to set up health check")
 		os.Exit(1)

pkg/util/tls-crypto-watch/BUILD.bazel

@@ -14,5 +14,6 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/client-go/tools/cache:go_default_library",
         "//vendor/k8s.io/klog/v2:go_default_library",
+        "//vendor/sigs.k8s.io/controller-runtime/pkg/cache:go_default_library",
     ],
 )

pkg/util/tls-crypto-watch/tls-crypto-watch.go

@@ -22,6 +22,7 @@ package tlscryptowatch
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"sync"
 
 	ocpcrypto "github.com/openshift/library-go/pkg/crypto"
@@ -30,6 +31,8 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 
+	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
+
 	cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
 	cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned"
 	informers "kubevirt.io/containerized-data-importer/pkg/client/informers/externalversions"
@@ -125,6 +128,49 @@ func (ctw *cdiConfigTLSWatcher) updateConfig(config *cdiv1.CDIConfig) {
 	ctw.config = newConfig
 }
 
+type ManagedTLSWatcher struct {
+	client  cdiclient.Interface
+	cache   runtimecache.Cache
+	mu      sync.RWMutex
+	watcher CdiConfigTLSWatcher
+}
+
+func NewManagedTLSWatcher(cdiClient cdiclient.Interface) *ManagedTLSWatcher {
+	return &ManagedTLSWatcher{
+		client: cdiClient,
+	}
+}
+
+func (m *ManagedTLSWatcher) Start(ctx context.Context) error {
+	if !m.cache.WaitForCacheSync(ctx) {
+		return fmt.Errorf("failed to wait for caches to sync")
+	}
+
+	w, err := NewCdiConfigTLSWatcher(ctx, m.client)
+	if err != nil {
+		return fmt.Errorf("failed to create TLS watcher: %w", err)
+	}
+
+	m.mu.Lock()
+	m.watcher = w
+	m.mu.Unlock()
+
+	<-ctx.Done()
+	return nil
+}
+
+func (m *ManagedTLSWatcher) Watcher() CdiConfigTLSWatcher {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.watcher
+}
+
+func (m *ManagedTLSWatcher) SetCache(cache runtimecache.Cache) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.cache = cache
+}
+
 // SelectCipherSuitesAndMinTLSVersion returns cipher names and minimal TLS version according to the input profile
 func SelectCipherSuitesAndMinTLSVersion(profile *cdiv1.TLSSecurityProfile) ([]string, cdiv1.TLSProtocolVersion) {
 	if profile == nil {