nolint:gocyclo
()
| 57 | |
| 58 | // nolint:gocyclo |
| 59 | func main() { |
| 60 | var metricsAddr string |
| 61 | var metricsCertPath, metricsCertName, metricsCertKey string |
| 62 | var webhookCertPath, webhookCertName, webhookCertKey string |
| 63 | var enableLeaderElection bool |
| 64 | var probeAddr string |
| 65 | var secureMetrics bool |
| 66 | var enableHTTP2 bool |
| 67 | var tlsOpts []func(*tls.Config) |
| 68 | flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ |
| 69 | "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") |
| 70 | flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") |
| 71 | flag.BoolVar(&enableLeaderElection, "leader-elect", false, |
| 72 | "Enable leader election for controller manager. "+ |
| 73 | "Enabling this will ensure there is only one active controller manager.") |
| 74 | flag.BoolVar(&secureMetrics, "metrics-secure", true, |
| 75 | "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") |
| 76 | flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.") |
| 77 | flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.") |
| 78 | flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.") |
| 79 | flag.StringVar(&metricsCertPath, "metrics-cert-path", "", |
| 80 | "The directory that contains the metrics server certificate.") |
| 81 | flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") |
| 82 | flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") |
| 83 | flag.BoolVar(&enableHTTP2, "enable-http2", false, |
| 84 | "If set, HTTP/2 will be enabled for the metrics and webhook servers") |
| 85 | opts := zap.Options{ |
| 86 | Development: true, |
| 87 | } |
| 88 | opts.BindFlags(flag.CommandLine) |
| 89 | flag.Parse() |
| 90 | |
| 91 | ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) |
| 92 | |
| 93 | // if the enable-http2 flag is false (the default), http/2 should be disabled |
| 94 | // due to its vulnerabilities. More specifically, disabling http/2 will |
| 95 | // prevent from being vulnerable to the HTTP/2 Stream Cancellation and |
| 96 | // Rapid Reset CVEs. For more information see: |
| 97 | // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 |
| 98 | // - https://github.com/advisories/GHSA-4374-p667-p6c8 |
| 99 | disableHTTP2 := func(c *tls.Config) { |
| 100 | setupLog.Info("disabling http/2") |
| 101 | c.NextProtos = []string{"http/1.1"} |
| 102 | } |
| 103 | |
| 104 | if !enableHTTP2 { |
| 105 | tlsOpts = append(tlsOpts, disableHTTP2) |
| 106 | } |
| 107 | |
| 108 | // Create watchers for metrics and webhooks certificates |
| 109 | var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher |
| 110 | |
| 111 | // Initial webhook TLS options |
| 112 | webhookTLSOpts := tlsOpts |
| 113 | |
| 114 | if len(webhookCertPath) > 0 { |
| 115 | setupLog.Info("Initializing webhook certificate watcher using provided certificates", |
| 116 | "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) |
nothing calls this directly
no test coverage detected