Merge pull request #105 from postfinance/cjmn-patch-2a0d

fix: do not reuse connections per default

.github/workflows/ci-helm-deploy-nginx.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:

.github/workflows/ci-helm-deploy-traefik.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:

.github/workflows/ci-kustomize-deploy.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:

.github/workflows/lint.yml

@@ -7,6 +7,9 @@ jobs:
   lint-go:
     runs-on: ubuntu-latest
     steps:
+    - uses: actions/setup-go@v5
+      with:
+        go-version: '1.21'
     - uses: actions/checkout@v4
     - uses: golangci/golangci-lint-action@v3
       with:
@@ -26,7 +29,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.20'
+        go-version: '1.21'
     - name: Run unit tests
       run: go test -race -covermode atomic -coverprofile=profile.cov ./...
     - name: Send coverage report

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:

.golangci.yml

@@ -54,7 +54,7 @@ linters:
     - gochecknoglobals
     - gochecknoinits
     - gocognit
-    - goconst
+    # - goconst
     - gocritic
     - gocyclo
     - gofmt

README.md

@@ -52,6 +52,7 @@ The following command can be used to install kubenurse with Helm: `helm upgrade
 | check_me_service                   | Sets `KUBENURSE_CHECK_ME_SERVICE` environment variable                                                               | `true`                             |
 | check_neighbourhood                | Sets `KUBENURSE_CHECK_NEIGHBOURHOOD` environment variable                                                            | `true`                             |
 | check_interval                     | Sets `KUBENURSE_CHECK_INTERVAL` environment variable                                                                 | `5s`                               |
+| reuse_connections                  | Sets `KUBENURSE_REUSE_CONNECTIONS` environment variable                                                              | `false`                            |
 | use_tls                            | Sets `KUBENURSE_USE_TLS` environment variable                                                                        | `false`                            |
 | cert_file                          | Sets `KUBENURSE_CERT_FILE` environment variable                                                                      |                                    |
 | cert_key                           | Sets `KUBENURSE_CERT_KEY` environment variable                                                                       |                                    |
@@ -91,6 +92,7 @@ kubenurse is configured with environment variables:
 - `KUBENURSE_CHECK_ME_SERVICE`: If this is `"true"`, kubenurse will perform the check [Me Service](#Me Service). default is "true"
 - `KUBENURSE_CHECK_NEIGHBOURHOOD`: If this is `"true"`, kubenurse will perform the check [Neighbourhood](#Neighbourhood). default is "true"
 - `KUBENURSE_CHECK_INTERVAL`: the frequency to perform kubenurse checks. the string should be formatted for [time.ParseDuration](https://pkg.go.dev/time#ParseDuration). defaults to `5s`
+- `KUBENURSE_REUSE_CONNECTIONS`: whether to reuse connections or not for all checks. default is "false"
 - `KUBENURSE_HISTOGRAM_BUCKETS`: optional comma-separated list of float64, used in place of the [default prometheus histogram buckets](https://pkg.go.dev/github.com/prometheus/[email protected]/prometheus#DefBuckets)
 - `KUBENURSE_USE_TLS`: If this is `"true"`, enable TLS endpoint on port 8443
 - `KUBENURSE_CERT_FILE`: Certificate to use with TLS endpoint

go.mod

@@ -1,6 +1,8 @@
 module github.com/postfinance/kubenurse
 
-go 1.17
+go 1.21
+
+toolchain go1.21.5
 
 require (
 	github.com/prometheus/client_golang v1.18.0

helm/kubenurse/templates/daemonset.yaml

@@ -72,6 +72,8 @@ spec:
           value: {{ .Values.check_neighbourhood | quote }}
         - name: KUBENURSE_CHECK_INTERVAL
           value: {{ .Values.check_interval }}
+        - name: KUBENURSE_REUSE_CONNECTIONS
+          value: {{ .Values.reuse_connections | quote }}
         - name: KUBENURSE_SHUTDOWN_DURATION
           value: {{ .Values.shutdown_duration }}
         - name: KUBENURSE_USE_TLS

helm/kubenurse/values.yaml

@@ -49,6 +49,8 @@ check_api_me_service: true
 check_neighbourhood: true
 # KUBENURSE_CHECK_INTERVAL
 check_interval: 5s
+# KUBENURSE_REUSE_CONNECTIONS
+reuse_connections: false
 # KUBENURSE_SHUTDOWN_DURATION
 shutdown_duration: 5s
 # KUBENURSE_USE_TLS

internal/servicecheck/servicecheck.go

@@ -3,8 +3,10 @@ package servicecheck
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"os"
 	"time"
@@ -47,11 +49,28 @@ func New(_ context.Context, discovery *kubediscovery.Client, promRegistry *prome
 	promRegistry.MustRegister(errorCounter, durationHistogram)
 
 	// setup http transport
-	transport, err := generateRoundTripper(os.Getenv("KUBENURSE_EXTRA_CA"), os.Getenv("KUBENURSE_INSECURE") == "true")
+	tlsConfig, err := generateTLSConfig(os.Getenv("KUBENURSE_EXTRA_CA"))
 	if err != nil {
-		log.Printf("using default transport: %s", err)
+		log.Printf("cannot generate tlsConfig with KUBENURSE_EXTRA_CA: %s", err)
 
-		transport = http.DefaultTransport
+		tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}
+	}
+
+	tlsConfig.InsecureSkipVerify = os.Getenv("KUBENURSE_INSECURE") == "true"
+	dialer := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}
+	transport := &http.Transport{
+		TLSClientConfig:       tlsConfig,
+		Proxy:                 http.ProxyFromEnvironment,
+		DialContext:           dialer.DialContext,
+		ForceAttemptHTTP2:     true,
+		DisableKeepAlives:     os.Getenv("KUBENURSE_REUSE_CONNECTIONS") != "true",
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
 	}
 
 	httpClient := &http.Client{

internal/servicecheck/transport.go

@@ -12,16 +12,16 @@ import (
 
 const (
 	//nolint:gosec // This is the well-known path to Kubernetes serviceaccount tokens.
-	tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
-	caFile    = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	K8sTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	k8sCAFile    = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 )
 
 // doRequest does an http request only to get the http status code
 func (c *Checker) doRequest(url string) (string, error) {
 	// Read Bearer Token file from ServiceAccount
-	token, err := os.ReadFile(tokenFile)
+	token, err := os.ReadFile(K8sTokenFile)
 	if err != nil {
-		return errStr, fmt.Errorf("load kubernetes serviceaccount token from %s: %w", tokenFile, err)
+		return errStr, fmt.Errorf("load kubernetes serviceaccount token from %s: %w", K8sTokenFile, err)
 	}
 
 	req, _ := http.NewRequest("GET", url, http.NoBody)
@@ -46,18 +46,18 @@ func (c *Checker) doRequest(url string) (string, error) {
 	return resp.Status, errors.New(resp.Status)
 }
 
-// generateRoundTripper returns a custom http.RoundTripper, including the k8s CA.
-func generateRoundTripper(extraCA string, insecure bool) (http.RoundTripper, error) {
+// generateTLSConfig returns a TLSConfig including K8s CA and the user-defined extraCA
+func generateTLSConfig(extraCA string) (*tls.Config, error) {
 	// Append default certpool
 	rootCAs, _ := x509.SystemCertPool()
 	if rootCAs == nil {
 		rootCAs = x509.NewCertPool()
 	}
 
 	// Append ServiceAccount cacert
-	caCert, err := os.ReadFile(caFile)
+	caCert, err := os.ReadFile(k8sCAFile)
 	if err != nil {
-		return nil, fmt.Errorf("could not load certificate %s: %w", caFile, err)
+		return nil, fmt.Errorf("could not load certificate %s: %w", k8sCAFile, err)
 	}
 
 	if ok := rootCAs.AppendCertsFromPEM(caCert); !ok {
@@ -78,11 +78,9 @@ func generateRoundTripper(extraCA string, insecure bool) (http.RoundTripper, err
 
 	// Configure transport
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: insecure, //nolint:gosec // Can be true if the user requested this.
-		RootCAs:            rootCAs,
+		RootCAs:    rootCAs,
+		MinVersion: tls.VersionTLS12,
 	}
 
-	transport := &http.Transport{TLSClientConfig: tlsConfig}
-
-	return transport, nil
+	return tlsConfig, nil
 }