Expose pprof endpoint when debugging

This commit introduces a change that allows requests to the pprof
endpoint to be made without a client certificate when OLM is not
configured to use tls certificates and is ran with the --debug
flag.

Author: awgreene

Diff for: cmd/catalog/main.go

@@ -109,7 +109,7 @@ func main() {
 		*catalogNamespace = catalogNamespaceEnvVarValue
 	}
 
-	listenAndServe, err := server.GetListenAndServeFunc(logger, tlsCertPath, tlsKeyPath, clientCAPath)
+	listenAndServe, err := server.GetListenAndServeFunc(logger, tlsCertPath, tlsKeyPath, clientCAPath, *debug)
 	if err != nil {
 		logger.Fatal("Error setting up health/metric/pprof service: %v", err)
 	}

Diff for: cmd/olm/main.go

@@ -118,7 +118,7 @@ func main() {
 	}
 	logger.Infof("log level %s", logger.Level)
 
-	listenAndServe, err := server.GetListenAndServeFunc(logger, tlsCertPath, tlsKeyPath, clientCAPath)
+	listenAndServe, err := server.GetListenAndServeFunc(logger, tlsCertPath, tlsKeyPath, clientCAPath, *debug)
 	if err != nil {
 		logger.Fatal("Error setting up health/metric/pprof service: %v", err)
 	}

Diff for: pkg/lib/profile/profile.go

@@ -6,36 +6,37 @@ import (
 )
 
 type profileConfig struct {
-	pprof   bool
-	cmdline bool
-	profile bool
-	symbol  bool
-	trace   bool
+	pprof     bool
+	cmdline   bool
+	profile   bool
+	symbol    bool
+	trace     bool
+	enableTLS bool
 }
 
 // Option applies a configuration option to the given config.
 type Option func(p *profileConfig)
 
 func (p *profileConfig) apply(options []Option) {
-	if len(options) == 0 {
-		// If no options are given, default to all
-		p.pprof = true
-		p.cmdline = true
-		p.profile = true
-		p.symbol = true
-		p.trace = true
-
-		return
-	}
-
 	for _, o := range options {
 		o(p)
 	}
 }
 
+func DisableTLS(p *profileConfig) {
+	p.enableTLS = false
+}
+
 func defaultProfileConfig() *profileConfig {
 	// Initialize config
-	return &profileConfig{}
+	return &profileConfig{
+		pprof:     true,
+		cmdline:   true,
+		profile:   true,
+		symbol:    true,
+		trace:     true,
+		enableTLS: true,
+	}
 }
 
 // RegisterHandlers registers profile Handlers with the given ServeMux.
@@ -47,25 +48,25 @@ func RegisterHandlers(mux *http.ServeMux, options ...Option) {
 	config.apply(options)
 
 	if config.pprof {
-		mux.Handle("/debug/pprof/", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Index)))
+		mux.Handle("/debug/pprof/", pprofHandlerFunc(http.HandlerFunc(pprof.Index), config.enableTLS))
 	}
 	if config.cmdline {
-		mux.Handle("/debug/pprof/cmdline", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Cmdline)))
+		mux.Handle("/debug/pprof/cmdline", pprofHandlerFunc(http.HandlerFunc(pprof.Cmdline), config.enableTLS))
 	}
 	if config.profile {
-		mux.Handle("/debug/pprof/profile", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Profile)))
+		mux.Handle("/debug/pprof/profile", pprofHandlerFunc(http.HandlerFunc(pprof.Profile), config.enableTLS))
 	}
 	if config.symbol {
-		mux.Handle("/debug/pprof/symbol", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Symbol)))
+		mux.Handle("/debug/pprof/symbol", pprofHandlerFunc(http.HandlerFunc(pprof.Symbol), config.enableTLS))
 	}
 	if config.trace {
-		mux.Handle("/debug/pprof/trace", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Trace)))
+		mux.Handle("/debug/pprof/trace", pprofHandlerFunc(http.HandlerFunc(pprof.Trace), config.enableTLS))
 	}
 }
 
-func requireVerifiedClientCertificate(h http.Handler) http.Handler {
+func pprofHandlerFunc(h http.Handler, enableTLS bool) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
+		if enableTLS && (r.TLS == nil || len(r.TLS.VerifiedChains) == 0) {
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}

Diff for: pkg/lib/server/server.go

@@ -13,9 +13,8 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clientCAPath *string) (func() error, error) {
+func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clientCAPath *string, debug bool) (func() error, error) {
 	mux := http.NewServeMux()
-	profile.RegisterHandlers(mux)
 	mux.Handle("/metrics", promhttp.Handler())
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -25,10 +24,11 @@ func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clien
 		Handler: mux,
 		Addr:    ":8080",
 	}
-	listenAndServe := s.ListenAndServe
+	var listenAndServe func() error
 
-	if *tlsCertPath != "" && *tlsKeyPath != "" {
+	if !debug && *tlsCertPath != "" && *tlsKeyPath != "" {
 		logger.Info("TLS keys set, using https for metrics")
+		profile.RegisterHandlers(mux)
 
 		certStore, err := filemonitor.NewCertStore(*tlsCertPath, *tlsKeyPath)
 		if err != nil {
@@ -74,7 +74,19 @@ func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clien
 	} else if *tlsCertPath != "" || *tlsKeyPath != "" {
 		return nil, fmt.Errorf("both --tls-key and --tls-crt must be provided for TLS to be enabled")
 	} else {
-		logger.Info("TLS keys not set, using non-https for metrics")
+		options := []profile.Option{}
+		if debug {
+			logger.Info("TLS keys not set and debug mode enabled, requests to pprof endpoint no longer require certificates")
+			options = append(options, profile.DisableTLS)
+		}
+
+		profile.RegisterHandlers(mux, options...)
+		logger.Info("TLS keys not set, using non-https for metrics and healthz endpoints")
+		listenAndServe = s.ListenAndServe
+	}
+
+	if listenAndServe == nil {
+		return nil, fmt.Errorf("unable to configure healthz/metrics/pprof server")
 	}
 	return listenAndServe, nil
 }