From d67238d46f160010a4e48221166c20d246964c7a Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Fri, 26 Apr 2024 11:50:00 -0500
Subject: [PATCH] Remove code related to deprecated config params logLevel and HTTP networking
---
 internal/config/concierge/config.go | 3 +-
 internal/config/concierge/config_test.go | 10 +-
 internal/config/concierge/types.go | 6 +-
 internal/config/supervisor/config.go | 48 +---
 internal/config/supervisor/config_test.go | 261 +---------------------
 internal/config/supervisor/types.go | 34 +-
 internal/plog/config.go | 9 +-
 internal/plog/config_test.go | 4 +-
 internal/supervisor/server/server.go | 107 ++++-----
 9 files changed, 69 insertions(+), 413 deletions(-)
diff --git a/internal/config/concierge/config.go b/internal/config/concierge/config.go
index ee4c97e1d..a95619565 100644
--- a/internal/config/concierge/config.go
+++ b/internal/config/concierge/config.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package concierge contains functionality to load/store Config's from/to
@@ -79,7 +79,6 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 return nil, fmt.Errorf("validate names: %w", err)
 }
- plog.MaybeSetDeprecatedLogLevel(config.LogLevel, &config.Log)
 if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, config.Log); err != nil {
 return nil, fmt.Errorf("validate log level: %w", err)
 }
diff --git a/internal/config/concierge/config_test.go b/internal/config/concierge/config_test.go
index 61b145166..7f51cde33 100644
--- a/internal/config/concierge/config_test.go
+++ b/internal/config/concierge/config_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package concierge
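Review bot: With `plog.MaybeSetDeprecatedLogLevel` gone from FromPath, a config file that still sets the top-level `logLevel` key gets no warning at all; unless the YAML decoder earlier in FromPath rejects unknown fields (not visible in this hunk), the key is silently dropped and logging falls back to the default level, which is an easy way for an operator to lose verbosity without noticing. The same applies to the supervisor's FromPath hunk in internal/config/supervisor/config.go and to the `endpoints.http` and `insecureAcceptExternalUnencryptedHttpRequests` fields removed from the supervisor Config in types.go, where an operator who still sets `endpoints.http` would presumably get an HTTPS-only server with no diagnostic. One release of explicit rejection would make the removal visible, either by decoding with unknown fields disallowed or by a targeted check such as `return nil, fmt.Errorf("the logLevel config option was removed; use log.level instead")` when the raw document contains the key. FromPath starts and ends outside the hunk.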
@@ -57,7 +57,8 @@ func TestFromPath(t *testing.T) {
 namePrefix: kube-cert-agent-name-prefix-
 image: kube-cert-agent-image
 imagePullSecrets: [kube-cert-agent-image-pull-secret]
- logLevel: debug
+ log:
+ level: debug
 `),
 wantConfig: &Config{
 DiscoveryInfo: DiscoveryInfoSpec{
@@ -94,7 +95,6 @@ func TestFromPath(t *testing.T) {
 Image: ptr.To("kube-cert-agent-image"),
 ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 },
- LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
 Log: plog.LogSpec{
 Level: plog.LevelDebug,
 },
@@ -215,7 +215,6 @@ func TestFromPath(t *testing.T) {
 namePrefix: kube-cert-agent-name-prefix-
 image: kube-cert-agent-image
 imagePullSecrets: [kube-cert-agent-image-pull-secret]
- logLevel: debug
 log:
 level: all
 format: json
@@ -255,9 +254,8 @@ func TestFromPath(t *testing.T) {
 Image: ptr.To("kube-cert-agent-image"),
 ImagePullSecrets: []string{"kube-cert-agent-image-pull-secret"},
 },
- LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelDebug),
 Log: plog.LogSpec{
- Level: plog.LevelDebug,
+ Level: plog.LevelAll,
 Format: plog.FormatJSON,
 },
 },
diff --git a/internal/config/concierge/types.go b/internal/config/concierge/types.go
index 967a38787..ffcaac5b0 100644
--- a/internal/config/concierge/types.go
+++ b/internal/config/concierge/types.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package concierge
@@ -15,9 +15,7 @@ type Config struct {
 NamesConfig NamesConfigSpec `json:"names"`
 KubeCertAgentConfig KubeCertAgentSpec `json:"kubeCertAgent"`
 Labels map[string]string `json:"labels"`
- // Deprecated: use log.level instead
- LogLevel *plog.LogLevel `json:"logLevel"`
- Log plog.LogSpec `json:"log"`
+ Log plog.LogSpec `json:"log"`
 }
 // DiscoveryInfoSpec contains configuration knobs specific to
diff --git a/internal/config/supervisor/config.go b/internal/config/supervisor/config.go
index 36be3fb51..4ae0d6083 100644
--- a/internal/config/supervisor/config.go
+++ b/internal/config/supervisor/config.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package supervisor contains functionality to load/store Config's from/to
@@ -66,7 +66,6 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 return nil, fmt.Errorf("validate names: %w", err)
 }
- plog.MaybeSetDeprecatedLogLevel(config.LogLevel, &config.Log)
 if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, config.Log); err != nil {
 return nil, fmt.Errorf("validate log level: %w", err)
 }
@@ -80,23 +79,10 @@ func FromPath(ctx context.Context, path string) (*Config, error) {
 Network: NetworkTCP,
 Address: ":8443",
 })
- maybeSetEndpointDefault(&config.Endpoints.HTTP, Endpoint{
- Network: NetworkDisabled,
- })
 if err := validateEndpoint(*config.Endpoints.HTTPS); err != nil {
 return nil, fmt.Errorf("validate https endpoint: %w", err)
 }
- if err := validateEndpoint(*config.Endpoints.HTTP); err != nil {
- return nil, fmt.Errorf("validate http endpoint: %w", err)
- }
- if err := validateAdditionalHTTPEndpointRequirements(*config.Endpoints.HTTP, config.AllowExternalHTTP); err != nil {
- return nil, fmt.Errorf("validate http endpoint: %w", err)
- }
- if err := validateAtLeastOneEnabledEndpoint(*config.Endpoints.HTTPS, *config.Endpoints.HTTP); err != nil {
- return nil, fmt.Errorf("validate endpoints: %w", err)
- }
-
 return &config, nil
 }
@@ -142,42 +128,12 @@ func validateEndpoint(endpoint Endpoint) error {
 }
 return nil
 case NetworkDisabled:
- if len(endpoint.Address) != 0 {
- return fmt.Errorf("address set to %q when disabled, should be empty", endpoint.Address)
- }
- return nil
+ return fmt.Errorf("must not be disabled")
 default:
 return fmt.Errorf("unknown network %q", n)
 }
 }
-func validateAdditionalHTTPEndpointRequirements(endpoint Endpoint, allowExternalHTTP stringOrBoolAsBool) error {
- if endpoint.Network == NetworkTCP && !addrIsOnlyOnLoopback(endpoint.Address) {
- if allowExternalHTTP {
- // Log that the validation should have been triggered.
- plog.Warning("Listening on non-loopback interfaces for the HTTP port is deprecated and will be removed " +
- "in a future release. Your current configuration would not be allowed in that future release. " +
- "Please see comments in deploy/supervisor/values.yaml and review your settings.")
- // Skip enforcement of the validation.
- return nil
- }
- return fmt.Errorf(
- "http listener address %q for %q network may only bind to loopback interfaces",
- endpoint.Address,
- endpoint.Network)
- }
- return nil
-}
-
-func validateAtLeastOneEnabledEndpoint(endpoints ...Endpoint) error {
- for _, endpoint := range endpoints {
- if endpoint.Network != NetworkDisabled {
- return nil
- }
- }
- return constable.Error("all endpoints are disabled")
-}
-
 // For tcp networks, the address can be in several formats: host:port, host:, and :port.
 // See address description in https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial.
 // The host may be a literal IP address, or a host name that can be resolved to IP addresses,
diff --git a/internal/config/supervisor/config_test.go b/internal/config/supervisor/config_test.go
index a90f662db..4752a3020 100644
--- a/internal/config/supervisor/config_test.go
+++ b/internal/config/supervisor/config_test.go
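Review bot: The new `case NetworkDisabled` branch builds its error with `fmt.Errorf("must not be disabled")`, a format call with no verbs and no arguments; the file's own style, visible in the removed `validateAtLeastOneEnabledEndpoint`, is a plain constant error, so `return constable.Error("must not be disabled")` (or `errors.New`) would be the consistent form and avoids a lint finding. Deleting `validateAdditionalHTTPEndpointRequirements` also removes the only visible caller of `addrIsOnlyOnLoopback`, which the comment block following this hunk appears to describe; if nothing else calls it, it is now dead code and the comment block is documenting an unused helper. Since the disabled network is now rejected unconditionally, a one-line doc comment on validateEndpoint such as `// validateEndpoint accepts only tcp or unix endpoints; the disabled network is no longer a valid listener setting.` would tell the next reader why the constant still exists. validateEndpoint starts outside the hunk.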
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package supervisor
@@ -24,7 +24,7 @@ func TestFromPath(t *testing.T) {
 wantError string
 }{
 {
- name: "Happy",
+ name: "Happy (with new log field)",
 yaml: here.Doc(`
 ---
 apiGroupSuffix: some.suffix.com
@@ -37,58 +37,6 @@ func TestFromPath(t *testing.T) {
 https:
 network: unix
 address: :1234
- http:
- network: tcp
- address: 127.0.0.1:1234
- insecureAcceptExternalUnencryptedHttpRequests: false
- logLevel: trace
- aggregatedAPIServerPort: 12345
- `),
- wantConfig: &Config{
- APIGroupSuffix: ptr.To("some.suffix.com"),
- Labels: map[string]string{
- "myLabelKey1": "myLabelValue1",
- "myLabelKey2": "myLabelValue2",
- },
- NamesConfig: NamesConfigSpec{
- DefaultTLSCertificateSecret: "my-secret-name",
- },
- Endpoints: &Endpoints{
- HTTPS: &Endpoint{
- Network: "unix",
- Address: ":1234",
- },
- HTTP: &Endpoint{
- Network: "tcp",
- Address: "127.0.0.1:1234",
- },
- },
- AllowExternalHTTP: false,
- LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
- Log: plog.LogSpec{
- Level: plog.LevelTrace,
- },
- AggregatedAPIServerPort: ptr.To[int64](12345),
- },
- },
- {
- name: "Happy with new log field",
- yaml: here.Doc(`
- ---
- apiGroupSuffix: some.suffix.com
- labels:
- myLabelKey1: myLabelValue1
- myLabelKey2: myLabelValue2
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: unix
- address: :1234
- http:
- network: tcp
- address: 127.0.0.1:1234
- insecureAcceptExternalUnencryptedHttpRequests: false
 log:
 level: info
 format: text
@@ -108,12 +56,7 @@ func TestFromPath(t *testing.T) {
 Network: "unix",
 Address: ":1234",
 },
- HTTP: &Endpoint{
- Network: "tcp",
- Address: "127.0.0.1:1234",
- },
 },
- AllowExternalHTTP: false,
 Log: plog.LogSpec{
 Level: plog.LevelInfo,
 Format: plog.FormatText,
@@ -121,57 +64,6 @@ func TestFromPath(t *testing.T) {
 AggregatedAPIServerPort: ptr.To[int64](12345),
 },
 },
- {
- name: "Happy with old and new log field",
- yaml: here.Doc(`
- ---
- apiGroupSuffix: some.suffix.com
- labels:
- myLabelKey1: myLabelValue1
- myLabelKey2: myLabelValue2
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: unix
- address: :1234
- http:
- network: tcp
- address: 127.0.0.1:1234
- insecureAcceptExternalUnencryptedHttpRequests: false
- logLevel: trace
- log:
- level: info
- format: text
- `),
- wantConfig: &Config{
- APIGroupSuffix: ptr.To("some.suffix.com"),
- Labels: map[string]string{
- "myLabelKey1": "myLabelValue1",
- "myLabelKey2": "myLabelValue2",
- },
- NamesConfig: NamesConfigSpec{
- DefaultTLSCertificateSecret: "my-secret-name",
- },
- Endpoints: &Endpoints{
- HTTPS: &Endpoint{
- Network: "unix",
- Address: ":1234",
- },
- HTTP: &Endpoint{
- Network: "tcp",
- Address: "127.0.0.1:1234",
- },
- },
- AllowExternalHTTP: false,
- LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
- Log: plog.LogSpec{
- Level: plog.LevelTrace,
- Format: plog.FormatText,
- },
- AggregatedAPIServerPort: ptr.To[int64](10250),
- },
- },
 {
 name: "bad log format",
 yaml: here.Doc(`
@@ -202,11 +94,7 @@ func TestFromPath(t *testing.T) {
 Network: "tcp",
 Address: ":8443",
 },
- HTTP: &Endpoint{
- Network: "disabled",
- },
 },
- AllowExternalHTTP: false,
 AggregatedAPIServerPort: ptr.To[int64](10250),
 },
 },
@@ -219,10 +107,8 @@ func TestFromPath(t *testing.T) {
 endpoints:
 https:
 network: disabled
- http:
- network: disabled
 `),
- wantError: "validate endpoints: all endpoints are disabled",
+ wantError: "validate https endpoint: must not be disabled",
 },
 {
 name: "invalid https endpoint",
@@ -238,141 +124,6 @@ func TestFromPath(t *testing.T) {
 `),
 wantError: `validate https endpoint: unknown network "foo"`,
 },
- {
- name: "invalid http endpoint",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: disabled
- http:
- network: bar
- `),
- wantError: `validate http endpoint: unknown network "bar"`,
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests missing",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: disabled
- http:
- network: tcp
- address: :8080
- `),
- wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean false",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: disabled
- http:
- network: tcp
- address: :8080
- insecureAcceptExternalUnencryptedHttpRequests: false
- `),
- wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to unsupported value",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- insecureAcceptExternalUnencryptedHttpRequests: "garbage" # this will be treated as the default, which is false
- `),
- wantError: `decode yaml: error unmarshaling JSON: while decoding JSON: invalid value for boolean`,
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string false",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- https:
- network: disabled
- http:
- network: tcp
- address: :8080
- insecureAcceptExternalUnencryptedHttpRequests: "false"
- `),
- wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean true",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- http:
- network: tcp
- address: :1234
- insecureAcceptExternalUnencryptedHttpRequests: true
- `),
- wantConfig: &Config{
- APIGroupSuffix: ptr.To("pinniped.dev"),
- Labels: map[string]string{},
- NamesConfig: NamesConfigSpec{
- DefaultTLSCertificateSecret: "my-secret-name",
- },
- Endpoints: &Endpoints{
- HTTPS: &Endpoint{
- Network: "tcp",
- Address: ":8443",
- },
- HTTP: &Endpoint{
- Network: "tcp",
- Address: ":1234",
- },
- },
- AllowExternalHTTP: true,
- AggregatedAPIServerPort: ptr.To[int64](10250),
- },
- },
- {
- name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string true",
- yaml: here.Doc(`
- ---
- names:
- defaultTLSCertificateSecret: my-secret-name
- endpoints:
- http:
- network: tcp
- address: :1234
- insecureAcceptExternalUnencryptedHttpRequests: "true"
- `),
- wantConfig: &Config{
- APIGroupSuffix: ptr.To("pinniped.dev"),
- Labels: map[string]string{},
- NamesConfig: NamesConfigSpec{
- DefaultTLSCertificateSecret: "my-secret-name",
- },
- Endpoints: &Endpoints{
- HTTPS: &Endpoint{
- Network: "tcp",
- Address: ":8443",
- },
- HTTP: &Endpoint{
- Network: "tcp",
- Address: ":1234",
- },
- },
- AllowExternalHTTP: true,
- AggregatedAPIServerPort: ptr.To[int64](10250),
- },
- },
 {
 name: "endpoint disabled with non-empty address",
 yaml: here.Doc(`
@@ -384,7 +135,7 @@ func TestFromPath(t *testing.T) {
 network: disabled
 address: wee
 `),
- wantError: `validate https endpoint: address set to "wee" when disabled, should be empty`,
+ wantError: `validate https endpoint: must not be disabled`,
 },
 {
 name: "endpoint tcp with empty address",
@@ -393,10 +144,10 @@ func TestFromPath(t *testing.T) {
 names:
 defaultTLSCertificateSecret: my-secret-name
 endpoints:
- http:
+ https:
 network: tcp
 `),
- wantError: `validate http endpoint: address must be set with "tcp" network`,
+ wantError: `validate https endpoint: address must be set with "tcp" network`,
 },
 {
 name: "endpoint unix with empty address",
diff --git a/internal/config/supervisor/types.go b/internal/config/supervisor/types.go
index bd89e2c7a..7ef9294e0 100644
--- a/internal/config/supervisor/types.go
+++ b/internal/config/supervisor/types.go
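Review bot: The test case still named `endpoint disabled with non-empty address` now expects `validate https endpoint: must not be disabled`, the same error the earlier all-disabled case asserts, so the non-empty `address: wee` no longer influences the outcome and the name describes a check that no longer exists. Either rename it to something like `https endpoint disabled is rejected regardless of address`, or drop it as a duplicate of the disabled-endpoint case. TestFromPath starts and ends outside the hunk.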
@@ -1,25 +1,20 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package supervisor
 import (
- "errors"
-
 "go.pinniped.dev/internal/plog"
 )
 // Config contains knobs to setup an instance of the Pinniped Supervisor.
 type Config struct {
- APIGroupSuffix *string `json:"apiGroupSuffix,omitempty"`
- Labels map[string]string `json:"labels"`
- NamesConfig NamesConfigSpec `json:"names"`
- // Deprecated: use log.level instead
- LogLevel *plog.LogLevel `json:"logLevel"`
- Log plog.LogSpec `json:"log"`
- Endpoints *Endpoints `json:"endpoints"`
- AllowExternalHTTP stringOrBoolAsBool `json:"insecureAcceptExternalUnencryptedHttpRequests"`
- AggregatedAPIServerPort *int64 `json:"aggregatedAPIServerPort"`
+ APIGroupSuffix *string `json:"apiGroupSuffix,omitempty"`
+ Labels map[string]string `json:"labels"`
+ NamesConfig NamesConfigSpec `json:"names"`
+ Log plog.LogSpec `json:"log"`
+ Endpoints *Endpoints `json:"endpoints"`
+ AggregatedAPIServerPort *int64 `json:"aggregatedAPIServerPort"`
 }
 // NamesConfigSpec configures the names of some Kubernetes resources for the Supervisor.
@@ -30,24 +25,9 @@ type NamesConfigSpec struct {
 type Endpoints struct {
 HTTPS *Endpoint `json:"https,omitempty"`
- HTTP *Endpoint `json:"http,omitempty"`
 }
 type Endpoint struct {
 Network string `json:"network"`
 Address string `json:"address"`
 }
-
-type stringOrBoolAsBool bool
-
-func (sb *stringOrBoolAsBool) UnmarshalJSON(b []byte) error {
- switch string(b) {
- case "true", `"true"`:
- *sb = true
- case "false", `"false"`:
- *sb = false
- default:
- return errors.New("invalid value for boolean")
- }
- return nil
-}
diff --git a/internal/plog/config.go b/internal/plog/config.go
index b5e7ad3ce..1a28cfe0c 100644
--- a/internal/plog/config.go
+++ b/internal/plog/config.go
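Review bot: `Endpoints.HTTPS` is now the only listener and, per the validateEndpoint change in config.go in this same patch, may no longer use the disabled network, but neither `Endpoints` nor `Endpoint` carries a doc comment and the surviving `omitempty` tag still reads as "optional". A field comment would state the contract where readers of the type will look for it: `// HTTPS is the Supervisor's only listener. It is filled with tcp :8443 when omitted (see FromPath) and must not be set to the disabled network.` The `:8443` default is what FromPath's `maybeSetEndpointDefault` call sets in this patch; if that default lives elsewhere too, adjust the wording.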
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package plog
@@ -50,13 +50,6 @@ type LogSpec struct {
 Format LogFormat `json:"format,omitempty"`
 }
-func MaybeSetDeprecatedLogLevel(level *LogLevel, log *LogSpec) {
- if level != nil {
- Warning("logLevel is deprecated, set log.level instead")
- log.Level = *level
- }
-}
-
 func ValidateAndSetLogLevelAndFormatGlobally(ctx context.Context, spec LogSpec) error {
 klogLevel := klogLevelForPlogLevel(spec.Level)
 if klogLevel < 0 {
diff --git a/internal/plog/config_test.go b/internal/plog/config_test.go
index 1c7888631..0b77d2557 100644
--- a/internal/plog/config_test.go
+++ b/internal/plog/config_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package plog
@@ -166,7 +166,7 @@ testing.tRunner
 // check for the deprecation warning
 require.True(t, scanner.Scan())
 require.NoError(t, scanner.Err())
- require.Equal(t, fmt.Sprintf(`I1121 23:37:26.953313%8d config.go:96] "setting log.format to 'text' is deprecated - this option will be removed in a future release" warning=true`,
+ require.Equal(t, fmt.Sprintf(`I1121 23:37:26.953313%8d config.go:89] "setting log.format to 'text' is deprecated - this option will be removed in a future release" warning=true`,
 pid), scanner.Text())
 Debug("what is happening", "does klog", "work?")
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 99709d57d..ba254ec96 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
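Review bot: The expected log line in plog/config_test.go pins a source line number (`config.go:89`, previously `:96`), so any edit above `ValidateAndSetLogLevelAndFormatGlobally` in config.go, like the deletion in this very patch, breaks the test for reasons unrelated to logging behavior. Matching with `require.Regexp` and a pattern that replaces the `config.go:NN]` prefix with `config.go:\d+\]`, or trimming that prefix from `scanner.Text()` before `require.Equal`, keeps the assertion about the deprecation warning itself while surviving unrelated edits. The enclosing test function starts and ends outside the hunk.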
@@ -508,80 +508,61 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 return fmt.Errorf("could not create aggregated API server: %w", err)
 }
- if e := cfg.Endpoints.HTTP; e.Network != supervisor.NetworkDisabled {
- finishSetupPerms := maybeSetupUnixPerms(e, supervisorPod)
+ finishSetupPerms := maybeSetupUnixPerms(cfg.Endpoints.HTTPS, supervisorPod)
- httpListener, err := net.Listen(e.Network, e.Address)
- if err != nil {
- return fmt.Errorf("cannot create http listener with network %q and address %q: %w", e.Network, e.Address, err)
- }
-
- if err := finishSetupPerms(); err != nil {
- return fmt.Errorf("cannot setup http listener permissions for network %q and address %q: %w", e.Network, e.Address, err)
- }
-
- defer func() { _ = httpListener.Close() }()
- startServer(ctx, shutdown, httpListener, oidProvidersManager)
- plog.Debug("supervisor http listener started", "address", httpListener.Addr().String())
+ bootstrapCert, err := getBootstrapCert() // generate this in-memory once per process startup
+ if err != nil {
+ return fmt.Errorf("https listener bootstrap error: %w", err)
 }
- if e := cfg.Endpoints.HTTPS; e.Network != supervisor.NetworkDisabled { //nolint:nestif
- finishSetupPerms := maybeSetupUnixPerms(e, supervisorPod)
+ c := ptls.Default(nil)
+ c.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+ cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
+ foundServerNameCert := cert != nil
- bootstrapCert, err := getBootstrapCert() // generate this in-memory once per process startup
- if err != nil {
- return fmt.Errorf("https listener bootstrap error: %w", err)
+ defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
+
+ if !foundServerNameCert {
+ cert = defaultCert
 }
- c := ptls.Default(nil)
- c.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
- cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
- foundServerNameCert := cert != nil
-
- defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
-
- if !foundServerNameCert {
- cert = defaultCert
- }
-
- // If we still don't have a cert for the request at this point, then using the bootstrapping cert,
- // but in that case also set the request to fail unless it is a health check request.
- usingBootstrapCert := false
- if cert == nil {
- usingBootstrapCert = true
- setIsBootstrapConn(info.Context()) // make this connection only work for bootstrap requests
- cert = bootstrapCert
- }
-
- // Emit logs visible at a higher level of logging than the default. Using Info level so the user
- // can safely configure a production Supervisor to show this message if they choose.
- plog.Info("choosing TLS cert for incoming request",
- "requestSNIServerName", info.ServerName,
- "foundCertForSNIServerNameFromFederationDomain", foundServerNameCert,
- "foundDefaultCertFromSecret", defaultCert != nil,
- "defaultCertSecretName", cfg.NamesConfig.DefaultTLSCertificateSecret,
- "servingBootstrapHealthzCert", usingBootstrapCert,
- "requestLocalAddr", info.Conn.LocalAddr().String(),
- "requestRemoteAddr", info.Conn.RemoteAddr().String(),
- )
-
- return cert, nil
+ // If we still don't have a cert for the request at this point, then using the bootstrapping cert,
+ // but in that case also set the request to fail unless it is a health check request.
+ usingBootstrapCert := false
+ if cert == nil {
+ usingBootstrapCert = true
+ setIsBootstrapConn(info.Context()) // make this connection only work for bootstrap requests
+ cert = bootstrapCert
 }
- httpsListener, err := tls.Listen(e.Network, e.Address, c)
- if err != nil {
- return fmt.Errorf("cannot create https listener with network %q and address %q: %w", e.Network, e.Address, err)
- }
+ // Emit logs visible at a higher level of logging than the default. Using Info level so the user
+ // can safely configure a production Supervisor to show this message if they choose.
+ plog.Info("choosing TLS cert for incoming request",
+ "requestSNIServerName", info.ServerName,
+ "foundCertForSNIServerNameFromFederationDomain", foundServerNameCert,
+ "foundDefaultCertFromSecret", defaultCert != nil,
+ "defaultCertSecretName", cfg.NamesConfig.DefaultTLSCertificateSecret,
+ "servingBootstrapHealthzCert", usingBootstrapCert,
+ "requestLocalAddr", info.Conn.LocalAddr().String(),
+ "requestRemoteAddr", info.Conn.RemoteAddr().String(),
+ )
- if err := finishSetupPerms(); err != nil {
- return fmt.Errorf("cannot setup https listener permissions for network %q and address %q: %w", e.Network, e.Address, err)
- }
-
- defer func() { _ = httpsListener.Close() }()
- startServer(ctx, shutdown, httpsListener, oidProvidersManager)
- plog.Debug("supervisor https listener started", "address", httpsListener.Addr().String())
+ return cert, nil
 }
+ httpsListener, err := tls.Listen(cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, c)
+ if err != nil {
+ return fmt.Errorf("cannot create https listener with network %q and address %q: %w", cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, err)
+ }
+
+ if err := finishSetupPerms(); err != nil {
+ return fmt.Errorf("cannot setup https listener permissions for network %q and address %q: %w", cfg.Endpoints.HTTPS.Network, cfg.Endpoints.HTTPS.Address, err)
+ }
+
+ defer func() { _ = httpsListener.Close() }()
+ startServer(ctx, shutdown, httpsListener, oidProvidersManager)
+ plog.Debug("supervisor https listener started", "address", httpsListener.Addr().String())
+
 plog.Debug("supervisor started")
 defer plog.Debug("supervisor exiting")
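Review bot: The unwrapped listener setup now spells out `cfg.Endpoints.HTTPS.Network` and `cfg.Endpoints.HTTPS.Address` four times across the `tls.Listen` call and the two error messages, where the removed code had the shorter `e` binding; keeping a local such as `httpsEndpoint := cfg.Endpoints.HTTPS` next to the `maybeSetupUnixPerms` call and using it in those lines would restore the readability without changing behavior. Dropping the `e.Network != supervisor.NetworkDisabled` guard also means this code now relies entirely on the config loader having rejected a disabled HTTPS endpoint, which is true for FromPath in this patch but is not stated here; a comment like `// Endpoints.HTTPS is validated as non-nil and enabled by supervisor.FromPath; a disabled listener would be a config error, not a runtime branch.` records that assumption, hedged to however cfg actually reaches runSupervisor. The moved comment `then using the bootstrapping cert` reads better as `then use the bootstrapping cert`. runSupervisor starts before the hunk and continues after it.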