From 24843e4de09fcd2582e4ee8b0309da3b9d266fb8 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 18 Oct 2023 09:12:59 -0500
Subject: [PATCH] Disable HTTP2 for metrics and the results server

Let's use HTTP 1.1 in these cases to mitigate the risk of resource consumption through streams.

---
cmd/manager/operator.go | 11 ++++++++++-
cmd/manager/resultserver.go | 1 +
pkg/controller/metrics/metrics.go | 1 +
3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/manager/operator.go b/cmd/manager/operator.go
index 80b0965bb..d0125487d 100644
--- a/cmd/manager/operator.go
+++ b/cmd/manager/operator.go
@@ -2,6 +2,7 @@ package manager
 import (
 "context"
+ "crypto/tls"
 "errors"
 "flag"
 "fmt"
@@ -228,11 +229,19 @@ func RunOperator(cmd *cobra.Command, args []string) {
 kubeClient := kubernetes.NewForConfigOrDie(cfg)
 monitoringClient := monclientv1.NewForConfigOrDie(cfg)
+ disableHTTP2 := func(c *tls.Config) {
+ c.NextProtos = []string{"http/1.1"}
+ }
+ webhookServerOptions := webhook.Options{
+ Port: 9443,
+ TLSOpts: []func(config *tls.Config){disableHTTP2},
+ }
+
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Cache: c,
 Scheme: operatorScheme,
 Metrics: metricsserver.Options{BindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort)},
- WebhookServer: webhook.NewServer(webhook.Options{Port: 9443}),
+ WebhookServer: webhook.NewServer(webhookServerOptions),
 HealthProbeBindAddress: probeAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "81473831.openshift.io", // operator-sdk generated this for us
diff --git a/cmd/manager/resultserver.go b/cmd/manager/resultserver.go
index aabb8bac6..fc08ac2cc 100644
--- a/cmd/manager/resultserver.go
+++ b/cmd/manager/resultserver.go
@@ -181,6 +181,7 @@ func server(c *resultServerConfig) {
 tlsConfig := &tls.Config{
 MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"http/1.1"},
 }
 // Configures TLS 1.2
 tlsConfig = libgocrypto.SecureTLSConfig(tlsConfig)
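Review bot: `disableHTTP2` is wired only into the webhook server's `TLSOpts`, while the controller-runtime metrics endpoint built a few lines below (`Metrics: metricsserver.Options{BindAddress: ...}`) keeps its defaults, even though the commit title names metrics as a target. If that endpoint is, or is later switched to, `SecureServing`, it will still negotiate h2; passing the same option there (`TLSOpts: []func(*tls.Config){disableHTTP2}` next to `BindAddress`) keeps the two servers consistent. If it serves plaintext, Go's net/http does not speak HTTP/2 without explicit h2c wiring, so nothing is needed, but the hunk does not show which it is. The closure also deserves a why-comment so the reason survives, e.g. `// disableHTTP2 restricts ALPN to HTTP/1.1 so the webhook server never negotiates h2 (HTTP/2 stream-based resource exhaustion).` RunOperator continues beyond the hunk.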
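Review bot: Setting `NextProtos` on this `tls.Config` only disables HTTP/2 if the value survives `libgocrypto.SecureTLSConfig` on the next line and the server is not started through `http.Server.ServeTLS`/`ListenAndServeTLS`; as I read net/http, the latter's HTTP/2 setup appends `"h2"` to the server's `TLSConfig.NextProtos`, after which a client that advertises only `h2` in ALPN still gets HTTP/2 (the server merely prefers `http/1.1`). The robust switch is the one the net/http docs describe: give the `http.Server` a non-nil empty `TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),` which prevents net/http from enabling HTTP/2 at all regardless of how the listener is created. Both the `http.Server` construction and `SecureTLSConfig` are outside the hunk, so this needs confirming against the rest of `server()`.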
diff --git a/pkg/controller/metrics/metrics.go b/pkg/controller/metrics/metrics.go
index 9b5c795f1..7d121cd70 100644
--- a/pkg/controller/metrics/metrics.go
+++ b/pkg/controller/metrics/metrics.go
@@ -140,6 +140,7 @@ func (m *Metrics) Start(ctx context.Context) error {
 tlsConfig := &tls.Config{
 MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"http/1.1"},
 }
 tlsConfig = libgocrypto.SecureTLSConfig(tlsConfig)
 server := &http.Server{
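Review bot: The `NextProtos` value added here is only an ALPN preference unless the `http.Server` literal opened on the hunk's last line also opts out of HTTP/2 itself: if `server` is run via `ListenAndServeTLS`/`ServeTLS`, net/http's HTTP/2 setup appends `"h2"` to `TLSConfig.NextProtos`, so a client whose ALPN list contains only `h2` still negotiates HTTP/2 while well-behaved clients get `http/1.1`. Adding `TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),` to the struct literal (a non-nil empty map is the documented way to disable HTTP/2 in net/http) makes the intent unconditional; whether `libgocrypto.SecureTLSConfig` preserves `NextProtos` should also be confirmed, since it is applied after the field is set. A one-line why-comment on the new field, e.g. `// HTTP/1.1 only: avoid HTTP/2 stream-based resource exhaustion`, would keep the reason from being lost. The body of `Start` and the remaining `http.Server` fields are outside the hunk.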