Write cilium-agent-proxy in Go

Signed-off-by: Daichi Sakaue <[email protected]>
cybozu-go · Oct 17, 2024 · df09fc0 · df09fc0
1 parent ffdfbb0
commit df09fc0
Show file tree

Hide file tree

Showing 9 changed files with 181 additions and 68 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,25 @@
+# Build the manager binary
+FROM ghcr.io/cybozu/golang:1.23-jammy AS builder
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY cmd/cilium-agent-proxy/ cmd/cilium-agent-proxy/
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o cilium-agent-proxy ./cmd/cilium-agent-proxy
+
+# Compose the manager container
+FROM ghcr.io/cybozu/ubuntu:22.04
+LABEL org.opencontainers.image.source=https://github.com/cybozu-go/network-policy-viewer
+
+WORKDIR /
+COPY --from=builder /work/cilium-agent-proxy /
+
+USER 10000:10000
+ENTRYPOINT ["/cilium-agent-proxy"]
diff --git a/cmd/cilium-agent-proxy/main.go b/cmd/cilium-agent-proxy/main.go
@@ -0,0 +1,7 @@
+package main
+
+import "github.com/cybozu-go/network-policy-viewer/cmd/cilium-agent-proxy/sub"
+
+func main() {
+	sub.Execute()
+}
diff --git a/cmd/cilium-agent-proxy/sub/root.go b/cmd/cilium-agent-proxy/sub/root.go
@@ -0,0 +1,26 @@
+package sub
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "cilium-agent-proxy",
+	Short: "cilium-agent proxy",
+	Long:  `cilium-agent proxy`,
+
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+		return subMain()
+	},
+}
+
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
diff --git a/cmd/cilium-agent-proxy/sub/run.go b/cmd/cilium-agent-proxy/sub/run.go
@@ -0,0 +1,111 @@
+package sub
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"regexp"
+	"strconv"
+)
+
+const socketPath = "/var/run/cilium/cilium.sock"
+
+var (
+	endpointPattern *regexp.Regexp
+	identityPattern *regexp.Regexp
+)
+
+func handleEndpoint(w http.ResponseWriter, r *http.Request) {
+	match := endpointPattern.FindStringSubmatch(r.URL.Path)
+	if match == nil || len(match) < 2 {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+				return net.Dial("unix", socketPath)
+			},
+		},
+	}
+
+	// Convert to number to avoid possible parameter injection
+	endpoint, err := strconv.Atoi(match[1])
+	if err != nil {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+
+	url := fmt.Sprintf("http://localhost/v1/endpoint/%d", endpoint)
+	resp, err := client.Get(url)
+	if err != nil {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	io.Copy(w, resp.Body)
+}
+
+func handleIdentity(w http.ResponseWriter, r *http.Request) {
+	match := identityPattern.FindStringSubmatch(r.URL.Path)
+	if match == nil || len(match) < 2 {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+				return net.Dial("unix", socketPath)
+			},
+		},
+	}
+
+	// Convert to number to avoid possible parameter injection
+	identity, err := strconv.Atoi(match[1])
+	if err != nil {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+
+	url := fmt.Sprintf("http://localhost/v1/identity/%d", identity)
+	resp, err := client.Get(url)
+	if err != nil {
+		fmt.Fprint(w, "error\n")
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	io.Copy(w, resp.Body)
+}
+
+func handlePolicy(w http.ResponseWriter, r *http.Request) {
+	fmt.Fprint(w, "error\n")
+}
+
+func subMain() error {
+	pattern, err := regexp.Compile(`^/v1/endpoint/(?P<endpoint>\d+)$`)
+	endpointPattern = pattern
+	if err != nil {
+		return err
+	}
+
+	pattern, err = regexp.Compile(`^/v1/identity/(?P<identity>\d+)$`)
+	identityPattern = pattern
+	if err != nil {
+		return err
+	}
+
+	server := http.Server{
+		Addr:    ":8080",
+		Handler: nil,
+	}
+
+	http.HandleFunc("/v1/endpoint/", handleEndpoint)
+	http.HandleFunc("/v1/identity/", handleIdentity)
+	http.HandleFunc("/policy/", handlePolicy)
+
+	return server.ListenAndServe()
+}
diff --git a/cmd/npv/sub/list.go b/cmd/npv/sub/list.go
@@ -76,12 +76,12 @@ func parseDerivedFromEntry(input []string, direction string) derivedFromEntry {
 func runList(ctx context.Context, w io.Writer, name string) error {
 	_, dynamicClient, client, err := createClients(ctx, name)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create clients: %w", err)
 	}
 
 	endpointID, err := getPodEndpointID(ctx, dynamicClient, rootOptions.namespace, name)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get pod endpoint ID: %w", err)
 	}
 
 	params := endpoint.GetEndpointIDParams{
@@ -90,7 +90,7 @@ func runList(ctx context.Context, w io.Writer, name string) error {
 	}
 	response, err := client.Endpoint.GetEndpointID(&params)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get endpoint information: %w", err)
 	}
 
 	// The same rule appears multiple times in the response, so we need to dedup it

diff --git a/e2e/Makefile b/e2e/Makefile
@@ -29,6 +29,10 @@ start:
 		--namespace kube-system \
 		--set image.pullPolicy=IfNotPresent \
 		--set ipam.mode=kubernetes
+
+	cd ..; docker build . -t cilium-agent-proxy:dev
+	kind load docker-image cilium-agent-proxy:dev
+
 	kustomize build testdata | kubectl apply -f -
 	$(MAKE) --no-print-directory wait-for-workloads
 

diff --git a/e2e/testdata/cilium-agent-proxy.yaml b/e2e/testdata/cilium-agent-proxy.yaml
@@ -15,15 +15,11 @@ spec:
       securityContext:
         fsGroup: 0
       containers:
-        - image: ghcr.io/cybozu/envoy
-          name: envoy
-          command: ["envoy", "-c", "/etc/envoy/envoy-config.yaml"]
-          args: []
+        - image: ghcr.io/cybozu-go/cilium-agent-proxy
+          name: proxy
           volumeMounts:
             - name: cilium-socket
               mountPath: /var/run/cilium
-            - name: envoy-config
-              mountPath: /etc/envoy
           securityContext:
             capabilities:
               drop:
@@ -32,6 +28,3 @@ spec:
         - name: cilium-socket
           hostPath:
             path: /var/run/cilium
-        - name: envoy-config
-          configMap:
-            name: cilium-agent-proxy
diff --git a/e2e/testdata/envoy-config.yaml b/e2e/testdata/envoy-config.yaml
diff --git a/e2e/testdata/kustomization.yaml b/e2e/testdata/kustomization.yaml
@@ -3,11 +3,7 @@ kind: Kustomization
 resources:
   - cilium-agent-proxy.yaml
   - ubuntu.yaml
-configMapGenerator:
-  - namespace: kube-system
-    name: cilium-agent-proxy
-    files:
-      - envoy-config.yaml
 images:
-  - name: ghcr.io/cybozu/envoy
-    newTag: 1.28.1.1
+  - name: ghcr.io/cybozu-go/cilium-agent-proxy
+    newName: cilium-agent-proxy
+    newTag: dev