From 4526fcff4b335ddb97c22ea6521555907d447f45 Mon Sep 17 00:00:00 2001 From: everettraven Date: Thu, 18 Jan 2024 14:59:01 -0500 Subject: [PATCH 1/2] rapid reset cve scaffold remediations Signed-off-by: everettraven --- .../testdata/project/cmd/main.go | 31 +++++++++++++++++-- .../v3/scaffolds/internal/templates/main.go | 18 +++++++++++ .../v4/scaffolds/internal/templates/main.go | 29 ++++++++++++++++- testdata/project-v3/main.go | 22 +++++++++++-- .../cmd/main.go | 31 +++++++++++++++++-- testdata/project-v4-multigroup/cmd/main.go | 31 +++++++++++++++++-- .../project-v4-with-deploy-image/cmd/main.go | 31 +++++++++++++++++-- testdata/project-v4-with-grafana/cmd/main.go | 31 +++++++++++++++++-- testdata/project-v4/cmd/main.go | 31 +++++++++++++++++-- 9 files changed, 240 insertions(+), 15 deletions(-) diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index aa6b647db9..0405212ed7 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go @@ -18,6 +18,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" @@ -32,6 +33,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" batchv1 "tutorial.kubebuilder.io/project/api/v1" "tutorial.kubebuilder.io/project/internal/controller" 
@@ -72,11 +74,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -85,9 +93,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "80807133.tutorial.kubebuilder.io", diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go index e450584fbb..57d38c21ff 100644 --- a/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go +++ b/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go 
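Review bot: `tlsOpts := []func(*tls.Config){}` allocates an empty non-nil slice only to append to it in the next statement; the zero value `var tlsOpts []func(*tls.Config)` behaves identically with `append` and passes through the option structs just as well. The `setupLog.Info("disabling http/2")` call lives inside `disableHTTP2`, so it fires once per server the option is applied to (metrics and webhook here); if that doubled log line is unwanted, log once where `tlsOpts` is assembled instead. The `TLSOpts` on `metricsserver.Options` presumably only matter when `SecureServing` is true, so with the default `--metrics-secure=false` the metrics endpoint stays plaintext regardless of `--enable-http2` — a sentence to that effect in the `enable-http2` help text would save operators a surprise. The same block recurs in the v4 template and in every testdata cmd/main.go of this patch, and this applies to all of them.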
@@ -185,6 +185,7 @@ var mainTemplate = `{{ .Boilerplate }} package main import ( + "crypto/tls" "flag" "os" @@ -198,6 +199,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/webhook" %s ) @@ -217,11 +219,14 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. " + "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") {{- else }} var configFile string flag.StringVar(&configFile, "config", "", @@ -238,9 +243,22 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) {{ if not .ComponentConfig }} + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, MetricsBindAddress: metricsAddr, + WebhookServer: &webhook.Server{ + TLSOpts: tlsOpts, + }, Port: 9443, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go index 2ad545a334..e987ed0156 100644 --- a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go +++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go 
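Review bot: The `crypto/tls` and `webhook` imports are added to the template's unconditional import block, but every use of them in this patch sits inside `{{ if not .ComponentConfig }}`, so as far as this diff shows a project scaffolded with component config would get unused imports and fail to compile. Either wrap the two import lines in the same template condition, or extend the ComponentConfig branch (outside this hunk) so it applies `tlsOpts` too. The v4 template hunk later in this patch has the same layout.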
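Review bot: With `WebhookServer: &webhook.Server{TLSOpts: tlsOpts}` now supplied explicitly, the existing `Port: 9443` in `ctrl.Options` is, if I read controller-runtime's defaulting correctly, only consulted when the manager builds its own webhook server, so it becomes a silently ignored setting (the webhook server's built-in default also being 9443 hides this). Move the port into the literal, `WebhookServer: &webhook.Server{Port: 9443, TLSOpts: tlsOpts},`, and drop the standalone `Port:` line so the configuration reads as what actually takes effect. `testdata/project-v3/main.go` in this patch has the same shape. main's body continues outside the hunk.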
@@ -187,6 +187,7 @@ var mainTemplate = `{{ .Boilerplate }} package main import ( + "crypto/tls" "flag" "os" @@ -200,6 +201,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/webhook" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" %s ) @@ -220,11 +222,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. " + "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") {{- else }} var configFile string flag.StringVar(&configFile, "config", "", 
@@ -241,9 +249,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) {{ if not .ComponentConfig }} + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "{{ hashFNV .Repo }}.{{ .Domain }}", diff --git a/testdata/project-v3/main.go b/testdata/project-v3/main.go index f5db463a5b..b99c0d5e69 100644 --- a/testdata/project-v3/main.go +++ b/testdata/project-v3/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" @@ -30,6 +31,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/webhook" crewv1 "sigs.k8s.io/kubebuilder/testdata/project-v3/api/v1" "sigs.k8s.io/kubebuilder/testdata/project-v3/controllers" 
@@ -52,11 +54,14 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -65,9 +70,22 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - MetricsBindAddress: metricsAddr, + Scheme: scheme, + MetricsBindAddress: metricsAddr, + WebhookServer: &webhook.Server{ + TLSOpts: tlsOpts, + }, Port: 9443, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, diff --git a/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go b/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go index b34cb9a648..6c0ab6a22d 100644 --- a/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go +++ b/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" 
@@ -31,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" crewv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup-with-deploy-image/api/crew/v1" fizv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup-with-deploy-image/api/fiz/v1" @@ -78,11 +80,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
@@ -91,9 +99,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "65c8a5ec.testproject.org", diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go index a3f5c1a933..188f8950b1 100644 --- a/testdata/project-v4-multigroup/cmd/main.go +++ b/testdata/project-v4-multigroup/cmd/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" @@ -31,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" crewv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/api/crew/v1" fizv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/api/fiz/v1" 
@@ -78,11 +80,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -91,9 +99,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "3e9f67a9.testproject.org", diff --git a/testdata/project-v4-with-deploy-image/cmd/main.go b/testdata/project-v4-with-deploy-image/cmd/main.go index a63dc6febf..c18a71483f 100644 --- a/testdata/project-v4-with-deploy-image/cmd/main.go +++ b/testdata/project-v4-with-deploy-image/cmd/main.go 
@@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" @@ -31,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" examplecomv1alpha1 "sigs.k8s.io/kubebuilder/testdata/project-v4-with-deploy-image/api/v1alpha1" "sigs.k8s.io/kubebuilder/testdata/project-v4-with-deploy-image/internal/controller" @@ -53,11 +55,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
@@ -66,9 +74,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "1836d577.testproject.org", diff --git a/testdata/project-v4-with-grafana/cmd/main.go b/testdata/project-v4-with-grafana/cmd/main.go index 7456c74b3e..0b5510432c 100644 --- a/testdata/project-v4-with-grafana/cmd/main.go +++ b/testdata/project-v4-with-grafana/cmd/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" @@ -31,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" //+kubebuilder:scaffold:imports ) 
@@ -49,11 +51,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -62,9 +70,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "bc2db930.testproject.org", diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go index ed6a90ee95..86f9efdc72 100644 --- a/testdata/project-v4/cmd/main.go +++ b/testdata/project-v4/cmd/main.go @@ -17,6 +17,7 @@ limitations under the License. package main import ( + "crypto/tls" "flag" "os" 
@@ -31,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" crewv1 "sigs.k8s.io/kubebuilder/testdata/project-v4/api/v1" "sigs.k8s.io/kubebuilder/testdata/project-v4/internal/controller" @@ -53,11 +55,17 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string + var secureMetrics bool + var enableHTTP2 bool flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", false, + "Whether or not the metrics endpoint should be served securely") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
@@ -66,9 +74,28 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{BindAddress: metricsAddr}, + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "da1d9c86.testproject.org", From 2375fa34d34e520eded52b4ac0e1c63795d9a5a9 Mon Sep 17 00:00:00 2001 From: everettraven Date: Thu, 18 Jan 2024 15:45:58 -0500 Subject: [PATCH 2/2] address review comments Signed-off-by: everettraven --- .../src/cronjob-tutorial/testdata/project/cmd/main.go | 10 ++++++++-- .../golang/v3/scaffolds/internal/templates/main.go | 8 +++++++- .../golang/v4/scaffolds/internal/templates/main.go | 10 ++++++++-- testdata/project-v3/main.go | 8 +++++++- .../cmd/main.go | 10 ++++++++-- testdata/project-v4-multigroup/cmd/main.go | 10 ++++++++-- testdata/project-v4-with-deploy-image/cmd/main.go | 10 ++++++++-- testdata/project-v4-with-grafana/cmd/main.go | 10 ++++++++-- testdata/project-v4/cmd/main.go | 10 ++++++++-- 9 files changed, 70 insertions(+), 16 deletions(-) diff --git a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go index 0405212ed7..14317caacd 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/cmd/main.go 
@@ -82,9 +82,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -93,6 +93,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go index 57d38c21ff..e5fdbbf76e 100644 --- a/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go +++ b/pkg/plugins/golang/v3/scaffolds/internal/templates/main.go @@ -226,7 +226,7 @@ func main() { "Enable leader election for controller manager. " + "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") {{- else }} var configFile string flag.StringVar(&configFile, "config", "", 
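Review bot: The added comment above `disableHTTP2` overstates what the flag buys: keeping HTTP/2 off removes the exposed surface for the linked advisories, but the remediation those advisories describe is a patched Go toolchain and golang.org/x/net, and a reader could take the flag as a substitute for upgrading. Suggest one more sentence along the lines of `// Disabling HTTP/2 is defense in depth; keep the Go toolchain and golang.org/x/net at patched releases as the primary fix.` and spelling `Cancellation` with two l's. The `metrics-secure` help text is also missing the comma its sibling flag has: `"If set, the metrics endpoint is served securely"`. The same comment and help text are repeated in every other file of this patch.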
@@ -243,6 +243,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) {{ if not .ComponentConfig }} + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go index e987ed0156..82e0694239 100644 --- a/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go +++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/main.go @@ -230,9 +230,9 @@ func main() { "Enable leader election for controller manager. " + "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") {{- else }} var configFile string flag.StringVar(&configFile, "config", "", 
@@ -249,6 +249,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) {{ if not .ComponentConfig }} + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/testdata/project-v3/main.go b/testdata/project-v3/main.go index b99c0d5e69..5586c89112 100644 --- a/testdata/project-v3/main.go +++ b/testdata/project-v3/main.go @@ -61,7 +61,7 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -70,6 +70,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go b/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go index 6c0ab6a22d..e387e978fc 100644 
--- a/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go +++ b/testdata/project-v4-multigroup-with-deploy-image/cmd/main.go @@ -88,9 +88,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -99,6 +99,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/testdata/project-v4-multigroup/cmd/main.go b/testdata/project-v4-multigroup/cmd/main.go index 188f8950b1..eaf0f69d2e 100644 --- a/testdata/project-v4-multigroup/cmd/main.go +++ b/testdata/project-v4-multigroup/cmd/main.go 
@@ -88,9 +88,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -99,6 +99,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/testdata/project-v4-with-deploy-image/cmd/main.go b/testdata/project-v4-with-deploy-image/cmd/main.go index c18a71483f..319c3d8605 100644 --- a/testdata/project-v4-with-deploy-image/cmd/main.go +++ b/testdata/project-v4-with-deploy-image/cmd/main.go @@ -63,9 +63,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
@@ -74,6 +74,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} diff --git a/testdata/project-v4-with-grafana/cmd/main.go b/testdata/project-v4-with-grafana/cmd/main.go index 0b5510432c..38dd02fbb0 100644 --- a/testdata/project-v4-with-grafana/cmd/main.go +++ b/testdata/project-v4-with-grafana/cmd/main.go @@ -59,9 +59,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -70,6 +70,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} 
diff --git a/testdata/project-v4/cmd/main.go b/testdata/project-v4/cmd/main.go index 86f9efdc72..a8606888c6 100644 --- a/testdata/project-v4/cmd/main.go +++ b/testdata/project-v4/cmd/main.go @@ -63,9 +63,9 @@ func main() { "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") flag.BoolVar(&secureMetrics, "metrics-secure", false, - "Whether or not the metrics endpoint should be served securely") + "If set the metrics endpoint is served securely") flag.BoolVar(&enableHTTP2, "enable-http2", false, - "Whether or not HTTP/2 should be enabled for the metrics and webhook servers") + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } @@ -74,6 +74,12 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancelation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"}