fixed TLS instrumentation (issue 70)

omrikiei · Jan 29, 2022 · e0f6538 · e0f6538
1 parent cf536ae
commit e0f6538
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 10 deletions.
diff --git a/cmd/expose.go b/cmd/expose.go
@@ -55,7 +55,7 @@ ktunnel expose redis 6379
 				nodeSelectorTags[parsed[0]] = parsed[1]
 			}
 		}
-		err := k8s.ExposeAsService(&Namespace, &svcName, port, Scheme, ports, ServerImage, Reuse, readyChan, nodeSelectorTags)
+		err := k8s.ExposeAsService(&Namespace, &svcName, port, Scheme, ports, ServerImage, Reuse, readyChan, nodeSelectorTags, CaFile, KeyFile)
 		if err != nil {
 			log.Fatalf("Failed to expose local machine as a service: %v", err)
 		}
@@ -129,6 +129,8 @@ func init() {
 	exposeCmd.Flags().StringVarP(&ServerHostOverride, "server-host-override", "o", "", "Server name use to verify the hostname returned by the TLS handshake")
 	exposeCmd.Flags().StringVarP(&Namespace, "namespace", "n", "default", "Namespace")
 	exposeCmd.Flags().StringVarP(&ServerImage, "server-image", "i", fmt.Sprintf("%s:v%s", k8s.Image, version), "Ktunnel server image to use")
+	exposeCmd.Flags().StringVar(&CertFile, "cert", "", "TLS certificate file")
+	exposeCmd.Flags().StringVar(&KeyFile, "key", "", "TLS key file")
 	exposeCmd.Flags().BoolVarP(&Reuse, "reuse", "r", false, "deployment & service will be reused if exists or they will be created (tunnel)")
 	exposeCmd.Flags().StringSliceVarP(&NodeSelectorTags,"node-selector-tags", "q", []string{}, "tag and value seperated by the '=' character (i.e kubernetes.io/os=linux)")
 	rootCmd.AddCommand(exposeCmd)

diff --git a/cmd/inject.go b/cmd/inject.go
@@ -44,7 +44,7 @@ ktunnel inject deploymeny mydeployment 3306 6379
 		// Inject
 		deployment := args[0]
 		readyChan := make(chan bool, 1)
-		_, err := k8s.InjectSidecar(&Namespace, &deployment, &port, ServerImage, readyChan)
+		_, err := k8s.InjectSidecar(&Namespace, &deployment, &port, ServerImage, CertFile, KeyFile, readyChan)
 		if err != nil {
 			log.Fatalf("failed injecting sidecar: %v", err)
 		}
@@ -125,11 +125,15 @@ func init() {
 	injectCmd.Flags().StringVarP(&Scheme, "scheme", "s", "tcp", "Connection scheme")
 	injectCmd.Flags().StringVarP(&ServerHostOverride, "server-host-override", "o", "", "Server name use to verify the hostname returned by the TLS handshake")
 	injectCmd.Flags().StringVarP(&Namespace, "namespace", "n", "default", "Namespace")
+	injectCmd.Flags().StringVar(&CertFile, "cert", "", "TLS certificate file")
+	injectCmd.Flags().StringVar(&KeyFile, "key", "", "TLS key file")
 	injectDeploymentCmd.Flags().StringVarP(&CaFile, "ca-file", "c", "", "tls cert auth file")
 	injectDeploymentCmd.Flags().StringVarP(&Scheme, "scheme", "s", "tcp", "Connection scheme")
 	injectDeploymentCmd.Flags().StringVarP(&ServerHostOverride, "server-host-override", "o", "", "Server name use to verify the hostname returned by the TLS handshake")
 	injectDeploymentCmd.Flags().StringVarP(&Namespace, "namespace", "n", "default", "Namespace")
 	injectDeploymentCmd.Flags().StringVarP(&ServerImage, "server-image", "i", fmt.Sprintf("%s:v%s", k8s.Image, version), "Ktunnel server image to use")
+	injectDeploymentCmd.Flags().StringVar(&CertFile, "cert", "", "TLS certificate file")
+	injectDeploymentCmd.Flags().StringVar(&KeyFile, "key", "", "TLS key file")
 	injectDeploymentCmd.Flags().BoolVarP(&eject, "eject", "e", true, "Eject the sidecar when finished")
 	injectCmd.AddCommand(injectDeploymentCmd)
 	rootCmd.AddCommand(injectCmd)

diff --git a/cmd/root.go b/cmd/root.go
@@ -9,7 +9,7 @@ import (
 )
 
 const (
-	version = "1.4.5"
+	version = "1.4.6"
 )
 
 var port int

diff --git a/pkg/k8s/common.go b/pkg/k8s/common.go
@@ -132,11 +132,17 @@ func hasSidecar(podSpec apiv1.PodSpec, image string) bool {
 	return false
 }
 
-func newContainer(port int, image string, containerPorts []apiv1.ContainerPort) *apiv1.Container {
+func newContainer(port int, image string, containerPorts []apiv1.ContainerPort, cert, key string) *apiv1.Container {
 	args := []string{"server", "-p", strconv.FormatInt(int64(port), 10)}
 	if Verbose == true {
 		args = append(args, "-v")
 	}
+	if cert != "" {
+		args = append(args, fmt.Sprintf("--cert %s", cert))
+	}
+	if key != "" {
+		args = append(args, fmt.Sprintf("--key %s", key))
+	}
 	cpuRequest, cpuLimit, memRequest, memLimit := resource.Quantity{}, resource.Quantity{}, resource.Quantity{}, resource.Quantity{}
 	cpuRequest.SetMilli(int64(500))
 	cpuLimit.SetMilli(int64(1000))
@@ -162,9 +168,9 @@ func newContainer(port int, image string, containerPorts []apiv1.ContainerPort)
 	}
 }
 
-func newDeployment(namespace, name string, port int, image string, ports []apiv1.ContainerPort, selector map[string]string) *appsv1.Deployment {
+func newDeployment(namespace, name string, port int, image string, ports []apiv1.ContainerPort, selector map[string]string, cert, key string) *appsv1.Deployment {
 	replicas := int32(1)
-	co := newContainer(port, image, ports)
+	co := newContainer(port, image, ports, cert, key)
 	return &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{

diff --git a/pkg/k8s/exposer.go b/pkg/k8s/exposer.go
@@ -23,7 +23,7 @@ var supportedSchemes = map[string]v12.Protocol{
 	"udp": v12.ProtocolUDP,
 }
 
-func ExposeAsService(namespace, name *string, tunnelPort int, scheme string, rawPorts []string, image string, Reuse bool, readyChan chan<- bool, nodeSelectorTags map[string]string) error {
+func ExposeAsService(namespace, name *string, tunnelPort int, scheme string, rawPorts []string, image string, Reuse bool, readyChan chan<- bool, nodeSelectorTags map[string]string, cert, key string) error {
 	getClients(namespace)
 
 	ports := make([]v12.ServicePort, len(rawPorts))
@@ -56,7 +56,7 @@ func ExposeAsService(namespace, name *string, tunnelPort int, scheme string, raw
 		}
 	}
 
-	deployment := newDeployment(*namespace, *name, tunnelPort, image, ctrPorts, nodeSelectorTags)
+	deployment := newDeployment(*namespace, *name, tunnelPort, image, ctrPorts, nodeSelectorTags, cert, key)
 
 	service := newService(*namespace, *name, ports)
 

diff --git a/pkg/k8s/injector.go b/pkg/k8s/injector.go
@@ -30,10 +30,10 @@ func injectToDeployment(o *appsv1.Deployment, c *apiv1.Container, image string,
 	return true, nil
 }
 
-func InjectSidecar(namespace, objectName *string, port *int, image string, readyChan chan<- bool) (bool, error) {
+func InjectSidecar(namespace, objectName *string, port *int, image string, cert string, key string, readyChan chan<- bool) (bool, error) {
 	log.Infof("Injecting tunnel sidecar to %s/%s", *namespace, *objectName)
 	getClients(namespace)
-	co := newContainer(*port, image, []apiv1.ContainerPort{})
+	co := newContainer(*port, image, []apiv1.ContainerPort{}, cert, key)
 	obj, err := deploymentsClient.Get(context.Background(), *objectName, metav1.GetOptions{})
 	if err != nil {
 		return false, err
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ import ( @@
     )
     const (
-    	version = "1.4.5"
+    	version = "1.4.6"
     )
     var port int
@@ Expand Down @@