From 897093b5a71d526ed1bdadb1c215882bc8d5f54d Mon Sep 17 00:00:00 2001 From: knative-automation Date: Thu, 16 Feb 2023 09:52:52 -0500 Subject: [PATCH] upgrade to latest dependencies (#722) bumping knative.dev/pkg fb44e94...2f55fe0: > 2f55fe0 Fix potential slowloris attack (# 2682) > 8d1efe1 Update community files (# 2683) > 4a80605 Add health checks (# 2671) > 33e6b88 fix: `reconcilerImpl.updateStatus` calculates state difference in debug mode only (# 2678) > c889c5b upgrade to latest dependencies (# 2679) Signed-off-by: Knative Automation --- go.mod | 2 +- go.sum | 4 +- .../caching/v1alpha1/image/reconciler.go | 11 +- .../generators/reconciler_reconciler.go | 14 ++- .../knative.dev/pkg/injection/health_check.go | 109 ++++++++++++++++++ .../pkg/metrics/prometheus_exporter.go | 7 +- vendor/knative.dev/pkg/network/h2c.go | 7 +- vendor/modules.txt | 2 +- 8 files changed, 138 insertions(+), 18 deletions(-) create mode 100644 vendor/knative.dev/pkg/injection/health_check.go diff --git a/go.mod b/go.mod index bf5c79b7..9c858f7d 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( k8s.io/code-generator v0.25.4 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 knative.dev/hack v0.0.0-20230210215449-d71d569c4308 - knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1 + knative.dev/pkg v0.0.0-20230215234751-2f55fe00c5a1 ) require ( diff --git a/go.sum b/go.sum index 7f113505..8ef19deb 100644 --- a/go.sum +++ b/go.sum 
@@ -800,8 +800,8 @@ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= knative.dev/hack v0.0.0-20230210215449-d71d569c4308 h1:zH5OedRfo9SB22o25VNQ+vygceTvOujsnLYaALb8jos= knative.dev/hack v0.0.0-20230210215449-d71d569c4308/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1 h1:VUjBhCMWbugVNWkGIbgW6yfjvAuEPCN7UE1xzMeHJvE= -knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ= +knative.dev/pkg v0.0.0-20230215234751-2f55fe00c5a1 h1:uFmSftQza1crgKoZWRvPthuGynJgVEN3aFcXORqZpDQ= +knative.dev/pkg v0.0.0-20230215234751-2f55fe00c5a1/go.mod h1:YVKzsxts9YjMq9xbG1GrMWwwGmkJRpJxqCa6iIOKb28= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/pkg/client/injection/reconciler/caching/v1alpha1/image/reconciler.go b/pkg/client/injection/reconciler/caching/v1alpha1/image/reconciler.go index 938681f6..167db244 100644 --- a/pkg/client/injection/reconciler/caching/v1alpha1/image/reconciler.go +++ b/pkg/client/injection/reconciler/caching/v1alpha1/image/reconciler.go @@ -24,6 +24,7 @@ import ( fmt "fmt" zap "go.uber.org/zap" + "go.uber.org/zap/zapcore" v1 "k8s.io/api/core/v1" equality "k8s.io/apimachinery/pkg/api/equality" errors "k8s.io/apimachinery/pkg/api/errors" 
@@ -272,7 +273,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, key string) error { // the elected leader is expected to write modifications. logger.Warn("Saw status changes when we aren't the leader!") default: - if err = r.updateStatus(ctx, original, resource); err != nil { + if err = r.updateStatus(ctx, logger, original, resource); err != nil { logger.Warnw("Failed to update resource status", zap.Error(err)) r.Recorder.Eventf(resource, v1.EventTypeWarning, "UpdateFailed", "Failed to update status for %q: %v", resource.Name, err) @@ -308,7 +309,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, key string) error { return nil } -func (r *reconcilerImpl) updateStatus(ctx context.Context, existing *v1alpha1.Image, desired *v1alpha1.Image) error { +func (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap.SugaredLogger, existing *v1alpha1.Image, desired *v1alpha1.Image) error { existing = existing.DeepCopy() return reconciler.RetryUpdateConflicts(func(attempts int) (err error) { // The first iteration tries to use the injectionInformer's state, subsequent attempts fetch the latest state via API. @@ -327,8 +328,10 @@ func (r *reconcilerImpl) updateStatus(ctx context.Context, existing *v1alpha1.Im return nil } - if diff, err := kmp.SafeDiff(existing.Status, desired.Status); err == nil && diff != "" { - logging.FromContext(ctx).Debug("Updating status with: ", diff) + if logger.Desugar().Core().Enabled(zapcore.DebugLevel) { + if diff, err := kmp.SafeDiff(existing.Status, desired.Status); err == nil && diff != "" { + logger.Debug("Updating status with: ", diff) + } } existing.Status = desired.Status diff --git a/vendor/knative.dev/pkg/codegen/cmd/injection-gen/generators/reconciler_reconciler.go b/vendor/knative.dev/pkg/codegen/cmd/injection-gen/generators/reconciler_reconciler.go index 28bc3185..f27c1563 100644 --- a/vendor/knative.dev/pkg/codegen/cmd/injection-gen/generators/reconciler_reconciler.go 
+++ b/vendor/knative.dev/pkg/codegen/cmd/injection-gen/generators/reconciler_reconciler.go @@ -150,6 +150,10 @@ func (g *reconcilerReconcilerGenerator) GenerateType(c *generator.Context, t *ty Package: "go.uber.org/zap", Name: "SugaredLogger", }), + "zapDebugLevel": c.Universe.Type(types.Name{ + Package: "go.uber.org/zapcore", + Name: "DebugLevel", + }), "setsNewString": c.Universe.Function(types.Name{ Package: "k8s.io/apimachinery/pkg/util/sets", Name: "NewString", @@ -520,7 +524,7 @@ func (r *reconcilerImpl) Reconcile(ctx {{.contextContext|raw}}, key string) erro // the elected leader is expected to write modifications. logger.Warn("Saw status changes when we aren't the leader!") default: - if err = r.updateStatus(ctx, original, resource); err != nil { + if err = r.updateStatus(ctx, logger, original, resource); err != nil { logger.Warnw("Failed to update resource status", zap.Error(err)) r.Recorder.Eventf(resource, {{.corev1EventTypeWarning|raw}}, "UpdateFailed", "Failed to update status for %q: %v", resource.Name, err) @@ -559,7 +563,7 @@ func (r *reconcilerImpl) Reconcile(ctx {{.contextContext|raw}}, key string) erro ` var reconcilerStatusFactory = ` -func (r *reconcilerImpl) updateStatus(ctx {{.contextContext|raw}}, existing *{{.type|raw}}, desired *{{.type|raw}}) error { +func (r *reconcilerImpl) updateStatus(ctx {{.contextContext|raw}}, logger *{{.zapSugaredLogger|raw}}, existing *{{.type|raw}}, desired *{{.type|raw}}) error { existing = existing.DeepCopy() return {{.reconcilerRetryUpdateConflicts|raw}}(func(attempts int) (err error) { // The first iteration tries to use the injectionInformer's state, subsequent attempts fetch the latest state via API. 
@@ -580,8 +584,10 @@ func (r *reconcilerImpl) updateStatus(ctx {{.contextContext|raw}}, existing *{{. return nil } - if diff, err := {{.kmpSafeDiff|raw}}(existing.Status, desired.Status); err == nil && diff != "" { - {{.loggingFromContext|raw}}(ctx).Debug("Updating status with: ", diff) + if logger.Desugar().Core().Enabled(zapcore.DebugLevel) { + if diff, err := {{.kmpSafeDiff|raw}}(existing.Status, desired.Status); err == nil && diff != "" { + logger.Debug("Updating status with: ", diff) + } } existing.Status = desired.Status diff --git a/vendor/knative.dev/pkg/injection/health_check.go b/vendor/knative.dev/pkg/injection/health_check.go new file mode 100644 index 00000000..2899c7e3 --- /dev/null +++ b/vendor/knative.dev/pkg/injection/health_check.go 
@@ -0,0 +1,109 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package injection
+
+import (
+ "context"
+ "errors"
+ "net/http"
+ "strconv"
+ "time"
+
+ "knative.dev/pkg/logging"
+)
+
+// HealthCheckDefaultPort defines the default port number for health probes
+const HealthCheckDefaultPort = 8080
+
+// ServeHealthProbes sets up liveness and readiness probes.
+// If user sets no probes explicitly via the context then defaults are added.
+func ServeHealthProbes(ctx context.Context, port int) error {
+ logger := logging.FromContext(ctx)
+ server := http.Server{ReadHeaderTimeout: time.Minute, Handler: muxWithHandles(ctx), Addr: ":" + strconv.Itoa(port)}
+ go func() {
+ <-ctx.Done()
+ _ = server.Shutdown(ctx)
+ }()
+
+ // start the web server on port and accept requests
+ logger.Infof("Probes server listening on port %s", port)
+ if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+ return err
+ }
+ return nil
+}
+
+func muxWithHandles(ctx context.Context) *http.ServeMux {
+ mux := http.NewServeMux()
+ readiness := getReadinessHandleOrDefault(ctx)
+ liveness := getLivenessHandleOrDefault(ctx)
+ mux.HandleFunc("/readiness", *readiness)
+ mux.HandleFunc("/health", *liveness)
+ return mux
+}
+
+func newDefaultProbesHandle(sigCtx context.Context) http.HandlerFunc {
+ logger := logging.FromContext(sigCtx)
+ return func(w http.ResponseWriter, r *http.Request) {
+ f := func() error {
+ select {
+ // When we get SIGTERM (sigCtx done), let readiness probes start failing.
+ case <-sigCtx.Done():
+ logger.Info("Signal context canceled")
+ return errors.New("received SIGTERM from kubelet")
+ default:
+ return nil
+ }
+ }
+ if err := f(); err != nil {
+ logger.Errorf("Healthcheck failed: %v", err)
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ } else {
+ w.WriteHeader(http.StatusOK)
+ }
+ }
+}
+
+type addReadinessKey struct{}
+
+// AddReadiness signals to probe setup logic to add a user provided probe handler
+func AddReadiness(ctx context.Context, handlerFunc http.HandlerFunc) context.Context {
+ return context.WithValue(ctx, addReadinessKey{}, &handlerFunc)
+}
+
+func getReadinessHandleOrDefault(ctx context.Context) *http.HandlerFunc {
+ if ctx.Value(addReadinessKey{}) != nil {
+ return ctx.Value(addReadinessKey{}).(*http.HandlerFunc)
+ }
+ defaultHandle := newDefaultProbesHandle(ctx)
+ return &defaultHandle
+}
+
+type addLivenessKey struct{}
+
+// AddLiveness signals to probe setup logic to add a user provided probe handler
+func AddLiveness(ctx context.Context, handlerFunc http.HandlerFunc) context.Context {
+ return context.WithValue(ctx, addLivenessKey{}, &handlerFunc)
+}
+
+func getLivenessHandleOrDefault(ctx context.Context) *http.HandlerFunc {
+ if ctx.Value(addLivenessKey{}) != nil {
+ return ctx.Value(addLivenessKey{}).(*http.HandlerFunc)
+ }
+ defaultHandle := newDefaultProbesHandle(ctx)
+ return &defaultHandle
+}
diff --git a/vendor/knative.dev/pkg/metrics/prometheus_exporter.go b/vendor/knative.dev/pkg/metrics/prometheus_exporter.go
index aec6c09a..5f11c12e 100644
--- a/vendor/knative.dev/pkg/metrics/prometheus_exporter.go
+++ b/vendor/knative.dev/pkg/metrics/prometheus_exporter.go
@@ -20,6 +20,7 @@ import (
 "net/http"
 "strconv"
 "sync"
+ "time"
 prom "contrib.go.opencensus.io/exporter/prometheus"
 "go.opencensus.io/resource"
@@ -82,10 +83,10 @@ func startNewPromSrv(e *prom.Exporter, host string, port int) *http.Server {
 if curPromSrv != nil {
 curPromSrv.Close()
 }
- //nolint:gosec
 curPromSrv = &http.Server{
- Addr: host + ":" + strconv.Itoa(port),
- Handler: sm,
+ Addr: host + ":" + strconv.Itoa(port),
+ Handler: sm,
+ ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
 }
 return curPromSrv
 }
diff --git a/vendor/knative.dev/pkg/network/h2c.go b/vendor/knative.dev/pkg/network/h2c.go
index 4620b084..ebf1ee8a 100644
--- a/vendor/knative.dev/pkg/network/h2c.go
+++ b/vendor/knative.dev/pkg/network/h2c.go
@@ -21,6 +21,7 @@ import (
 "crypto/tls"
 "net"
 "net/http"
+ "time"
 "golang.org/x/net/http2"
 "golang.org/x/net/http2/h2c"
@@ -28,10 +29,10 @@ import (
 // NewServer returns a new HTTP Server with HTTP2 handler.
 func NewServer(addr string, h http.Handler) *http.Server {
- //nolint:gosec
 h1s := &http.Server{
- Addr: addr,
- Handler: h2c.NewHandler(h, &http2.Server{}),
+ Addr: addr,
+ Handler: h2c.NewHandler(h, &http2.Server{}),
+ ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
 }
 return h1s
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c2c2f764..d36304a4 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -690,7 +690,7 @@ k8s.io/utils/trace
 # knative.dev/hack v0.0.0-20230210215449-d71d569c4308
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1
+# knative.dev/pkg v0.0.0-20230215234751-2f55fe00c5a1
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck