Added a new 'disableTLS' flag and changed 'disableMTLS' to only disab…

cmd/allocator/main.go

@@ -43,6 +43,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/status"
 	"gopkg.in/fsnotify.v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -88,7 +89,7 @@ func main() {
 		return err
 	})
 
-	h := newServiceHandler(kubeClient, agonesClient, health, conf.MTLSDisabled)
+	h := newServiceHandler(kubeClient, agonesClient, health, conf.MTLSDisabled, conf.TLSDisabled)
 
 	listener, err := net.Listen("tcp", fmt.Sprintf(":%s", sslPort))
 	if err != nil {
@@ -106,6 +107,30 @@ func main() {
 			logger.WithError(err).Fatalf("cannot watch folder %s for secret changes", certDir)
 		}
 
+		go func() {
+			for {
+				select {
+				// watch for events
+				case event := <-watcher.Events:
+					h.certMutex.Lock()
+					caCertPool, err := getCACertPool(certDir)
+					if err != nil {
+						logger.WithError(err).Error("could not load CA certs; keeping old ones")
+					} else {
+						h.caCertPool = caCertPool
+					}
+					logger.Infof("Certificate directory change event %v", event)
+					h.certMutex.Unlock()
+
+				// watch for errors
+				case err := <-watcher.Errors:
+					logger.WithError(err).Error("error watching for certificate directory")
+				}
+			}
+		}()
+	}
+
+	if !h.tlsDisabled {
 		watcherTLS, err := fsnotify.NewWatcher()
 		if err != nil {
 			logger.WithError(err).Fatal("could not create watcher for tls certs")
@@ -130,20 +155,10 @@ func main() {
 						h.tlsMutex.Unlock()
 					}
 					logger.Infof("Tls directory change event %v", event)
-				case event := <-watcher.Events:
-					h.certMutex.Lock()
-					caCertPool, err := getCACertPool(certDir)
-					if err != nil {
-						logger.WithError(err).Error("could not load CA certs; keeping old ones")
-					} else {
-						h.caCertPool = caCertPool
-					}
-					logger.Infof("Certificate directory change event %v", event)
-					h.certMutex.Unlock()
 
-					// watch for errors
-				case err := <-watcher.Errors:
-					logger.WithError(err).Error("error watching for certificate directory")
+				// watch for errors
+				case err := <-watcherTLS.Errors:
+					logger.WithError(err).Error("error watching for TLS directory")
 				}
 			}
 		}()
@@ -167,7 +182,7 @@ func main() {
 	logger.WithError(err).Fatal("allocation service crashed")
 }
 
-func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.Interface, health healthcheck.Handler, mTLSDisabled bool) *serviceHandler {
+func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.Interface, health healthcheck.Handler, mTLSDisabled bool, tlsDisabled bool) *serviceHandler {
 	defaultResync := 30 * time.Second
 	agonesInformerFactory := externalversions.NewSharedInformerFactory(agonesClient, defaultResync)
 	kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, defaultResync)
@@ -185,6 +200,7 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I
 			return allocator.Allocate(gsa, stop)
 		},
 		mTLSDisabled: mTLSDisabled,
+		tlsDisabled:  tlsDisabled,
 	}
 
 	kubeInformerFactory.Start(stop)
@@ -201,7 +217,9 @@ func newServiceHandler(kubeClient kubernetes.Interface, agonesClient versioned.I
 		h.certMutex.Lock()
 		h.caCertPool = caCertPool
 		h.certMutex.Unlock()
+	}
 
+	if !h.tlsDisabled {
 		tlsCert, err := readTLSCert()
 		if err != nil {
 			logger.WithError(err).Fatal("could not load TLS certs.")
@@ -225,17 +243,32 @@ func readTLSCert() (*tls.Certificate, error) {
 // getServerOptions returns a list of GRPC server options.
 // Current options are TLS certs and opencensus stats handler.
 func (h *serviceHandler) getServerOptions() []grpc.ServerOption {
-	if h.mTLSDisabled {
+	if h.tlsDisabled {
 		return []grpc.ServerOption{grpc.StatsHandler(&ocgrpc.ServerHandler{})}
 	}
 
 	cfg := &tls.Config{
-		GetCertificate:        h.getTLSCert,
-		ClientAuth:            tls.RequireAnyClientCert,
-		VerifyPeerCertificate: h.verifyClientCertificate,
+		GetCertificate: h.getTLSCert,
+	}
+
+	if !h.mTLSDisabled {
+		cfg.ClientAuth = tls.RequireAnyClientCert
+		cfg.VerifyPeerCertificate = h.verifyClientCertificate
+	}
+
+	// Add options for creds, OpenCensus stats handler to enable stats and tracing, and keepalive for health checks.
+	return []grpc.ServerOption{
+		grpc.Creds(credentials.NewTLS(cfg)),
+		grpc.StatsHandler(&ocgrpc.ServerHandler{}),
+		grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{
+			MinTime:             1 * time.Minute,
+			PermitWithoutStream: true,
+		}),
+		grpc.KeepaliveParams(keepalive.ServerParameters{
+			MaxConnectionIdle: 5 * time.Minute,
+			Timeout:           10 * time.Minute,
+		}),
 	}
-	// Add options for creds and OpenCensus stats handler to enable stats and tracing.
-	return []grpc.ServerOption{grpc.Creds(credentials.NewTLS(cfg)), grpc.StatsHandler(&ocgrpc.ServerHandler{})}
 }
 
 func (h *serviceHandler) getTLSCert(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -333,6 +366,7 @@ type serviceHandler struct {
 	tlsCert  *tls.Certificate
 
 	mTLSDisabled bool
+	tlsDisabled  bool
 }
 
 // Allocate implements the Allocate gRPC method definition

cmd/allocator/metrics.go

@@ -33,13 +33,15 @@ const (
 	projectIDFlag                = "gcp-project-id"
 	stackdriverLabels            = "stackdriver-labels"
 	mTLSDisabledFlag             = "disable-mtls"
+	tlsDisabledFlag              = "disable-tls"
 )
 
 func init() {
 	registerMetricViews()
 }
 
 type config struct {
+	TLSDisabled       bool
 	MTLSDisabled      bool
 	PrometheusMetrics bool
 	Stackdriver       bool
@@ -54,12 +56,14 @@ func parseEnvFlags() config {
 	viper.SetDefault(projectIDFlag, "")
 	viper.SetDefault(stackdriverLabels, "")
 	viper.SetDefault(mTLSDisabledFlag, false)
+	viper.SetDefault(tlsDisabledFlag, false)
 
 	pflag.Bool(enablePrometheusMetricsFlag, viper.GetBool(enablePrometheusMetricsFlag), "Flag to activate metrics of Agones. Can also use PROMETHEUS_EXPORTER env variable.")
 	pflag.Bool(enableStackdriverMetricsFlag, viper.GetBool(enableStackdriverMetricsFlag), "Flag to activate stackdriver monitoring metrics for Agones. Can also use STACKDRIVER_EXPORTER env variable.")
 	pflag.String(projectIDFlag, viper.GetString(projectIDFlag), "GCP ProjectID used for Stackdriver, if not specified ProjectID from Application Default Credentials would be used. Can also use GCP_PROJECT_ID env variable.")
 	pflag.String(stackdriverLabels, viper.GetString(stackdriverLabels), "A set of default labels to add to all stackdriver metrics generated. By default metadata are automatically added using Kubernetes API and GCP metadata enpoint.")
 	pflag.Bool(mTLSDisabledFlag, viper.GetBool(mTLSDisabledFlag), "Flag to enable/disable mTLS in the allocator.")
+	pflag.Bool(tlsDisabledFlag, viper.GetBool(tlsDisabledFlag), "Flag to enable/disable TLS in the allocator.")
 	runtime.FeaturesBindFlags()
 	pflag.Parse()
 
@@ -69,6 +73,7 @@ func parseEnvFlags() config {
 	runtime.Must(viper.BindEnv(projectIDFlag))
 	runtime.Must(viper.BindEnv(stackdriverLabels))
 	runtime.Must(viper.BindEnv(mTLSDisabledFlag))
+	runtime.Must(viper.BindEnv(tlsDisabledFlag))
 	runtime.Must(viper.BindPFlags(pflag.CommandLine))
 	runtime.Must(runtime.FeaturesBindEnv())
 
@@ -80,6 +85,7 @@ func parseEnvFlags() config {
 		GCPProjectID:      viper.GetString(projectIDFlag),
 		StackdriverLabels: viper.GetString(stackdriverLabels),
 		MTLSDisabled:      viper.GetBool(mTLSDisabledFlag),
+		TLSDisabled:       viper.GetBool(tlsDisabledFlag),
 	}
 }
 

install/helm/agones/templates/service/allocation.yaml

@@ -124,6 +124,8 @@ spec:
           value: {{ .Values.agones.metrics.stackdriverLabels | quote }}
         - name: DISABLE_MTLS
           value: {{ .Values.agones.allocator.disableMTLS | quote }}
+        - name: DISABLE_TLS
+          value: {{ .Values.agones.allocator.disableTLS | quote }}
         - name: POD_NAME
           valueFrom:
             fieldRef:

install/helm/agones/values.yaml

@@ -129,6 +129,7 @@ agones:
     generateTLS: true
     generateClientTLS: true
     disableMTLS: false
+    disableTLS: false
   image:
     registry: gcr.io/agones-images
     tag: 1.9.0-dev

install/yaml/install.yaml

@@ -1576,6 +1576,8 @@ spec:
           value: ""
         - name: DISABLE_MTLS
           value: "false"
+        - name: DISABLE_TLS
+          value: "false"
         - name: POD_NAME
           valueFrom:
             fieldRef: