Merge pull request #636 from cbgbt/chores-and-updates

Update dependencies, Fix clippy warnings
bottlerocket-os · Jun 28, 2024 · a2b36d4 · a2b36d4
2 parents 5002a9c + 7e04b41
commit a2b36d4
Show file tree

Hide file tree

Showing 20 changed files with 566 additions and 299 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,3 +7,68 @@ members = [
     "deploy",
     "integ",
 ]
+
+[workspace.lints.clippy]
+# tracing::instrument macro unhelpfully triggers this clippy warning
+blocks_in_conditions = "allow"
+
+[workspace.dependencies]
+argh = "0.1"
+async-trait = "0.1"
+awc = "3"
+aws-config = "0.56.1"
+aws-sdk-ec2 = "0.33.1"
+aws-sdk-eks = "0.34.0"
+aws-sdk-iam = "0.30.0"
+aws-sdk-ssm = "0.30.0"
+base64 = "0.21.0"
+chrono = { version = "0.4", default-features = false, features = ["serde", "std"] }
+console_log = { version = "1.0", features = ["color"] }
+cron = "0.12"
+env_logger = "0.10"
+futures = "0.3"
+governor = "0.6"
+hex ="0.4.3"
+insta = { version = "1.34.0", features = ["yaml"] }
+lazy_static = "1"
+log = "0.4"
+http = "0.2"
+maplit = "1"
+mockall = { version = "0.11" }
+nonzero_ext = "0.3"
+
+# actix & opentelemetry dependencies
+# these package versions should be moved in lockstep to match upstream
+actix-web = { version = "4.8", features = ["rustls-0_23"] }
+tracing-actix-web = "0.7"
+actix-web-opentelemetry = { version = "0.18", features = ["metrics", "metrics-prometheus"] }
+
+# opentelemetry dependencies
+opentelemetry = { version = "0.23"}
+opentelemetry_sdk = { version = "0.23", features = ["rt-tokio-current-thread"]}
+opentelemetry-prometheus = "0.16"
+prometheus = "0.13.0"
+
+# k8s-openapi must match the version required by kube and enable a k8s version feature
+k8s-openapi = { version = "0.21", default-features = false, features = ["v1_24"] }
+kube = { version = "0.88", default-features = false, features = [ "derive", "runtime", "rustls-tls" ] }
+
+regex = "1.9"
+reqwest = { version = "0.12", default-features = false, features =  [ "json", "rustls-tls" ] }
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rustls-pemfile = { version = "2" }
+schemars = "0.8.11"
+semver = "1.0"
+serde = "1"
+serde_json = "1"
+serde_plain = "1"
+serde_yaml = "0.9"
+snafu = "0.7"
+strum_macros = "0.24.3"
+tokio = { version = "1", features = ["macros", "rt-multi-thread", "time"] }
+tokio-retry = "0.3"
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["registry", "env-filter", "json"] }
+uuid = { version = "0.8", default-features = false, features = ["serde", "v4"] }
+validator = { version = "0.16", features = ["derive"] }
+webpki = { version = "0.22.4", features = ["std"] }
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 TOP := $(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 
-.PHONY: image fetch check-licenses build brupop-image clean
+.PHONY: image fetch check-licenses build brupop-image clean check clippy fmt
 
 # IMAGE_NAME is the full name of the container image being built. This may be
 # specified to fully control the name of the container image's tag.
@@ -74,8 +74,16 @@ check-licenses: fetch
 		"$(BUILDER_IMAGE)" \
 		bash -c "$(CARGO_ENV_VARS) cargo deny --all-features check --disable-fetch licenses bans sources"
 
+fmt:
+	cargo fmt --check
+
+clippy:
+	cargo clippy --locked -- -D warnings --no-deps
+
+check: fmt clippy check-licenses
+
 # Builds, Lints, and Tests the Rust workspace locally
-build: check-licenses
+build: check
 	$(CARGO_ENV_VARS) cargo fmt -- --check
 	$(CARGO_ENV_VARS) cargo test --locked
 	$(CARGO_ENV_VARS) cargo build --locked

diff --git a/agent/Cargo.toml b/agent/Cargo.toml
@@ -5,25 +5,26 @@ license = "Apache-2.0 OR MIT"
 edition = "2018"
 publish = false
 
+[lints]
+workspace = true
+
 [dependencies]
 models = { path = "../models", version = "0.1.0" }
 apiserver = { path = "../apiserver", version = "0.1.0", default-features = false, features = ["client"] }
 
-dotenv = "0.15"
-futures = "0.3"
-governor = "0.6"
-lazy_static = "1"
-nonzero_ext = "0.3"
-tracing = "0.1"
+futures = { workspace = true }
+governor = { workspace = true }
+lazy_static = { workspace = true }
+nonzero_ext = { workspace = true }
+tracing = { workspace = true }
 
-# k8s-openapi must match the version required by kube and enable a k8s version feature
-k8s-openapi = { version = "0.21", default-features = false, features = ["v1_24"] }
-kube = { version = "0.88", default-features = false, features = [ "derive", "runtime", "rustls-tls" ] }
+k8s-openapi = { workspace = true }
+kube = { workspace = true }
 
-semver = { version = "1.0", features = [ "serde" ] }
-serde = { version = "1", features = [ "derive" ] }
-serde_json = "1"
-snafu = "0.7"
-tokio = { version = "1", features = ["macros", "rt-multi-thread", "time"] }
-chrono = { version = "0.4", default-features = false, features = ["serde"] }
-tokio-retry = "0.3"
+semver = { workspace = true, features = [ "serde" ] }
+serde = { workspace = true, features = [ "derive" ] }
+serde_json = { workspace = true }
+snafu = { workspace = true }
+tokio = { workspace = true }
+chrono = { workspace = true }
+tokio-retry = { workspace = true }
diff --git a/agent/src/main.rs b/agent/src/main.rs
@@ -30,6 +30,13 @@ async fn main() {
     let termination_log =
         env::var("TERMINATION_LOG").unwrap_or_else(|_| TERMINATION_LOG.to_string());
 
+    if let Err(error) = models::crypto::install_default_crypto_provider() {
+        event!(Level::ERROR, %error);
+        fs::write(&termination_log, format!("{}", error))
+            .expect("Could not write k8s termination log.");
+        return;
+    }
+
     if let Err(error) = run_agent().await {
         fs::write(&termination_log, format!("{}", error))
             .expect("Could not write k8s termination log.");

diff --git a/apiserver/Cargo.toml b/apiserver/Cargo.toml
@@ -5,50 +5,50 @@ edition = "2018"
 publish = false
 license = "Apache-2.0 OR MIT"
 
+[lints]
+workspace = true
+
 [features]
 default = ["client", "server"]
 client = []
 server = []
 
-
 [dependencies]
 models = { path = "../models", version = "0.1.0" }
 
-# tracing-actix-web version must align with actix-web version
-actix-web = { version = "4.4", features = ["rustls-0_21"] }
-awc = "3"
-actix-web-opentelemetry = { version = "0.17", features = ["metrics", "metrics-prometheus"] }
-rustls = { version = "0.21" }
-rustls-pemfile = { version = "1" }
-webpki = { version = "0.22.4", features = ["std"] }
-opentelemetry = { version = "0.22"}
-opentelemetry_sdk = {version = "0.22", features = ["rt-tokio-current-thread"]}
-opentelemetry-prometheus = "0.15"
-tracing = "0.1"
-tracing-actix-web = "0.7"
-prometheus = "0.13.0"
+actix-web = { workspace = true }
+awc = { workspace = true }
+actix-web-opentelemetry = { workspace = true }
+rustls = { workspace = true }
+rustls-pemfile = { workspace = true }
+webpki = { workspace = true }
+opentelemetry = { workspace = true }
+opentelemetry_sdk = { workspace = true }
+opentelemetry-prometheus = { workspace = true }
+tracing = { workspace = true }
+tracing-actix-web = { workspace = true }
+prometheus = { workspace = true }
 
-# k8s-openapi must match the version required by kube and enable a k8s version feature
-k8s-openapi = { version = "0.21", default-features = false, features = ["v1_24"] }
-kube = { version = "0.88", default-features = false, features = [ "client", "derive", "runtime", "rustls-tls" ] }
+k8s-openapi = { workspace = true }
+kube = { workspace = true, features = ["client"] }
 
-async-trait = "0.1"
-futures = "0.3"
-governor = "0.6"
-lazy_static = "1.4"
-log = "0.4"
-mockall = { version = "0.11", optional = true }
-nonzero_ext = "0.3"
-reqwest = { version = "0.11", default-features = false, features =  [ "json", "rustls-tls" ] }
+async-trait = { workspace = true }
+futures = { workspace = true }
+governor = { workspace = true }
+lazy_static = { workspace = true }
+log = { workspace = true }
+mockall = { workspace = true, optional = true }
+nonzero_ext = { workspace = true }
+reqwest = { workspace = true }
 schemars = "0.8.11"
-serde = { version = "1", features = [ "derive" ] }
-serde_json = "1"
-snafu = "0.7"
-tokio = { version = "1", features = ["macros", "rt-multi-thread", "time"] }
-tokio-retry = "0.3"
+serde = { workspace = true, features = [ "derive" ] }
+serde_json = { workspace = true }
+snafu = { workspace = true }
+tokio = { workspace = true }
+tokio-retry = { workspace = true }
 
 [dev-dependencies]
-http = "0.2"
-maplit = "1.0"
-mockall = "0.11"
+http = { workspace = true }
+maplit = { workspace = true }
+mockall = { workspace = true }
 models = { path = "../models", version = "0.1.0", features = [ "mockall" ] }
diff --git a/apiserver/src/api/error.rs b/apiserver/src/api/error.rs
@@ -58,6 +58,15 @@ pub enum Error {
     #[snafu(display("Failed to build TLS config from loaded certs: {}", source))]
     TLSConfigBuild { source: rustls::Error },
 
+    #[snafu(display(
+        "More than one private key for tls configured for apiserver in '{}'",
+        path
+    ))]
+    MultiplePrivateKeys { path: String },
+
+    #[snafu(display("No private key for tls provided in  '{}'", path))]
+    NoPrivateKeys { path: String },
+
     #[snafu(display("Failed to serialize Webhook response: {}", source))]
     WebhookError { source: serde_json::error::Error },
 }

diff --git a/apiserver/src/api/mod.rs b/apiserver/src/api/mod.rs
@@ -15,8 +15,8 @@ use crate::{
     telemetry,
 };
 use models::constants::{
-    AGENT, APISERVER_HEALTH_CHECK_ROUTE, APISERVER_SERVICE_NAME, CA_NAME, LABEL_COMPONENT,
-    PRIVATE_KEY_NAME, PUBLIC_KEY_NAME, TLS_KEY_MOUNT_PATH,
+    AGENT, APISERVER_HEALTH_CHECK_ROUTE, APISERVER_SERVICE_NAME, LABEL_COMPONENT, PRIVATE_KEY_NAME,
+    PUBLIC_KEY_NAME, TLS_KEY_MOUNT_PATH,
 };
 use models::node::{read_certificate, BottlerocketShadowClient, BottlerocketShadowSelector};
 
@@ -39,13 +39,10 @@ use kube::{
     ResourceExt,
 };
 
-use rustls::{
-    server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey, RootCertStore,
-    ServerConfig,
-};
+use rustls::ServerConfig;
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use snafu::{OptionExt, ResultExt};
-use std::{env, fs::File, io::BufReader, sync::Arc};
+use std::{env, fs::File, io::BufReader};
 use tokio::time::{sleep, Duration};
 use tracing::{event, Level};
 use tracing_actix_web::TracingLogger;
@@ -176,50 +173,35 @@ pub async fn run_server<T: 'static + BottlerocketShadowClient>(
             path: key_file_path.to_string(),
         })?);
 
-    // Certificate authority file so a client can authenticate the server
-    let ca_file_path = format!("{}/{}", TLS_KEY_MOUNT_PATH, CA_NAME);
-    let ca_file = &mut BufReader::new(File::open(&ca_file_path).context(error::FileOpenSnafu {
-        path: ca_file_path.to_string(),
-    })?);
-
     // convert files to key/cert objects
     let cert_chain = certs(cert_file)
-        .context(error::CertExtractSnafu {
-            path: cert_file_path.to_string(),
-        })?
-        .into_iter()
-        .map(Certificate)
-        .collect();
-    let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
+        .collect::<std::result::Result<Vec<_>, _>>()
         .context(error::CertExtractSnafu {
             path: key_file_path.to_string(),
-        })?
-        .into_iter()
-        .map(PrivateKey)
-        .collect();
-    let cas: Vec<Certificate> = certs(ca_file)
+        })?;
+
+    let mut keys = pkcs8_private_keys(key_file)
+        .collect::<std::result::Result<Vec<_>, _>>()
         .context(error::CertExtractSnafu {
-            path: ca_file_path.to_string(),
+            path: key_file_path.to_string(),
         })?
-        .into_iter()
-        .map(Certificate)
-        .collect();
-
-    let mut cert_store = RootCertStore::empty();
-    for ca in cas {
-        cert_store.add(&ca).context(error::CertStoreSnafu)?;
-    }
+        .into_iter();
 
-    let verifier = Arc::new(AllowAnyAnonymousOrAuthenticatedClient::new(cert_store));
+    let private_key = keys.next().context(error::NoPrivateKeysSnafu {
+        path: key_file_path.clone(),
+    })?;
 
-    let tls_config_builder = ServerConfig::builder()
-        .with_safe_defaults()
-        .with_client_cert_verifier(verifier);
+    snafu::ensure!(
+        keys.next().is_none(),
+        error::MultiplePrivateKeysSnafu {
+            path: key_file_path
+        }
+    );
 
-    let tls_config = tls_config_builder
-        .with_single_cert(cert_chain, keys.remove(0))
-        .context(error::TLSConfigBuildSnafu)
-        .unwrap();
+    let tls_config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, private_key.into())
+        .context(error::TLSConfigBuildSnafu)?;
 
     let server = HttpServer::new(move || {
         App::new()
@@ -270,7 +252,7 @@ pub async fn run_server<T: 'static + BottlerocketShadowClient>(
                 web::get().to(ping::health_check),
             )
     })
-    .bind_rustls_021(server_addr, tls_config)
+    .bind_rustls_0_23(server_addr, tls_config)
     .context(error::HttpServerSnafu)?
     .run();
 

diff --git a/apiserver/src/lib.rs b/apiserver/src/lib.rs
@@ -1,7 +1,7 @@
 #[cfg(feature = "server")]
 pub mod api;
 #[cfg(feature = "server")]
-mod auth;
+pub mod auth;
 #[cfg(feature = "server")]
 pub mod telemetry;