pilot/pkg/bootstrap/webhook.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package bootstrap

 import (
 	"crypto/tls"
 	"net/http"
 	"net/url"
 	"time"
 )

 import (
 	"istio.io/pkg/log"
 )

 const (
 	HTTPSHandlerReadyPath = "/httpsReady"
 )

 // initSSecureWebhookServer handles initialization for the HTTPS webhook server.
 // If https address is off the injection handlers will be registered on the main http endpoint, with
 // TLS handled by a proxy/gateway in front of Istiod.
 func (s *Server) initSecureWebhookServer(args *PilotArgs) {
 	// create the https server for hosting the k8s injectionWebhook handlers.
 	if args.ServerOptions.HTTPSAddr == "" {
 		s.httpsMux = s.httpMux
 		log.Info("HTTPS port is disabled, multiplexing webhooks on the httpAddr ", args.ServerOptions.HTTPAddr)
 		return
 	}

 	log.Info("initializing secure webhook server for istiod webhooks")
 	// create the https server for hosting the k8s injectionWebhook handlers.
 	s.httpsMux = http.NewServeMux()
 	s.httpsServer = &http.Server{
 		Addr:    args.ServerOptions.HTTPSAddr,
 		Handler: s.httpsMux,
 		TLSConfig: &tls.Config{
 			GetCertificate: s.getIstiodCertificate,
 			MinVersion:     tls.VersionTLS12,
 			CipherSuites:   args.ServerOptions.TLSOptions.CipherSuits,
 		},
 	}

 	// setup our readiness handler and the corresponding client we'll use later to check it with.
 	s.httpsMux.HandleFunc(HTTPSHandlerReadyPath, func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	})
 	s.httpsReadyClient = &http.Client{
 		Timeout: time.Second,
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
 			},
 		},
 	}
 	s.addReadinessProbe("Secure Webhook Server", s.webhookReadyHandler)
 }

 func (s *Server) webhookReadyHandler() (bool, error) {
 	req := &http.Request{
 		Method: http.MethodGet,
 		URL: &url.URL{
 			Scheme: "https",
 			Host:   s.httpsServer.Addr,
 			Path:   HTTPSHandlerReadyPath,
 		},
 	}

 	response, err := s.httpsReadyClient.Do(req)
 	if err != nil {
 		return false, err
 	}
 	defer response.Body.Close()

 	return response.StatusCode == http.StatusOK, nil
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package bootstrap

	import (
	"crypto/tls"
	"net/http"
	"net/url"
	"time"
	)

	import (
	"istio.io/pkg/log"
	)

	const (
	HTTPSHandlerReadyPath = "/httpsReady"
	)

	// initSSecureWebhookServer handles initialization for the HTTPS webhook server.
	// If https address is off the injection handlers will be registered on the main http endpoint, with
	// TLS handled by a proxy/gateway in front of Istiod.
	func (s Server) initSecureWebhookServer(args PilotArgs) {
	// create the https server for hosting the k8s injectionWebhook handlers.
	if args.ServerOptions.HTTPSAddr == "" {
	s.httpsMux = s.httpMux
	log.Info("HTTPS port is disabled, multiplexing webhooks on the httpAddr ", args.ServerOptions.HTTPAddr)
	return
	}

	log.Info("initializing secure webhook server for istiod webhooks")
	// create the https server for hosting the k8s injectionWebhook handlers.
	s.httpsMux = http.NewServeMux()
	s.httpsServer = &http.Server{
	Addr: args.ServerOptions.HTTPSAddr,
	Handler: s.httpsMux,
	TLSConfig: &tls.Config{
	GetCertificate: s.getIstiodCertificate,
	MinVersion: tls.VersionTLS12,
	CipherSuites: args.ServerOptions.TLSOptions.CipherSuits,
	},
	}

	// setup our readiness handler and the corresponding client we'll use later to check it with.
	s.httpsMux.HandleFunc(HTTPSHandlerReadyPath, func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
	})
	s.httpsReadyClient = &http.Client{
	Timeout: time.Second,
	Transport: &http.Transport{
	TLSClientConfig: &tls.Config{
	InsecureSkipVerify: true,
	},
	},
	}
	s.addReadinessProbe("Secure Webhook Server", s.webhookReadyHandler)
	}

	func (s *Server) webhookReadyHandler() (bool, error) {
	req := &http.Request{
	Method: http.MethodGet,
	URL: &url.URL{
	Scheme: "https",
	Host: s.httpsServer.Addr,
	Path: HTTPSHandlerReadyPath,
	},
	}

	response, err := s.httpsReadyClient.Do(req)
	if err != nil {
	return false, err
	}
	defer response.Body.Close()

	return response.StatusCode == http.StatusOK, nil
	}