
Commit c16b9fd

committed
Expose pprof endpoint if tls is not configured
Problem: Currently, if OLM is not configured to use TLS, it is not possible to reach the pprof endpoint. This limitation makes it difficult to debug complex performance problems on clusters where OLM is not configured to use TLS. Solution: If OLM is not configured to use TLS, do not require a verified client TLS certificate to access the pprof endpoint. Signed-off-by: Alexander Greene <[email protected]>
1 parent 4c3c8f1 commit c16b9fd


2 files changed

+33
-26
lines changed


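--- a/pkg/lib/profile/profile.go
+++ b/pkg/lib/profile/profile.go
@@ -6,36 +6,37 @@ import (
 )
 
 type profileConfig struct {
-pprof bool
-cmdline bool
-profile bool
-symbol bool
-trace bool
+pprof bool
+cmdline bool
+profile bool
+symbol bool
+trace bool
+enableTLS bool
 }
 
 // Option applies a configuration option to the given config.
 type Option func(p *profileConfig)
 
 func (p *profileConfig) apply(options []Option) {
-if len(options) == 0 {
-// If no options are given, default to all
-p.pprof = true
-p.cmdline = true
-p.profile = true
-p.symbol = true
-p.trace = true
-
-return
-}
-
 for _, o := range options {
 o(p)
 }
 }
 
+func DisableTLS(p *profileConfig) {
+p.enableTLS = false
+}
+
 func defaultProfileConfig() *profileConfig {
 // Initialize config
-return &profileConfig{}
+return &profileConfig{
+pprof: true,
+cmdline: true,
+profile: true,
+symbol: true,
+trace: true,
+enableTLS: true,
+}
 }
 
 // RegisterHandlers registers profile Handlers with the given ServeMux.
@@ -47,25 +48,25 @@ func RegisterHandlers(mux *http.ServeMux, options ...Option) {
 config.apply(options)
 
 if config.pprof {
-mux.Handle("/debug/pprof/", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Index)))
+mux.Handle("/debug/pprof/", pprofHandlerFunc(http.HandlerFunc(pprof.Index), config.enableTLS))
 }
 if config.cmdline {
-mux.Handle("/debug/pprof/cmdline", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Cmdline)))
+mux.Handle("/debug/pprof/cmdline", pprofHandlerFunc(http.HandlerFunc(pprof.Cmdline), config.enableTLS))
 }
 if config.profile {
-mux.Handle("/debug/pprof/profile", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Profile)))
+mux.Handle("/debug/pprof/profile", pprofHandlerFunc(http.HandlerFunc(pprof.Profile), config.enableTLS))
 }
 if config.symbol {
-mux.Handle("/debug/pprof/symbol", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Symbol)))
+mux.Handle("/debug/pprof/symbol", pprofHandlerFunc(http.HandlerFunc(pprof.Symbol), config.enableTLS))
 }
 if config.trace {
-mux.Handle("/debug/pprof/trace", requireVerifiedClientCertificate(http.HandlerFunc(pprof.Trace)))
+mux.Handle("/debug/pprof/trace", pprofHandlerFunc(http.HandlerFunc(pprof.Trace), config.enableTLS))
 }
 }
 
-func requireVerifiedClientCertificate(h http.Handler) http.Handler {
+func pprofHandlerFunc(h http.Handler, enableTLS bool) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
+if enableTLS && (r.TLS == nil || len(r.TLS.VerifiedChains) == 0) {
 w.WriteHeader(http.StatusForbidden)
 return
 }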
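Review bot: `DisableTLS` and the `enableTLS` parameter of `pprofHandlerFunc` do not control TLS at all; what they switch off is the client-certificate check (`r.TLS == nil || len(r.TLS.VerifiedChains) == 0`), so with the option set every `/debug/pprof/*` handler is served with no authentication, and a caller could pass it to a TLS listener and silently drop mutual-TLS on the profiling endpoints. The exported option also lacks a doc comment, so nothing tells the next caller what it gives up. I'd rename it to say what it does and spell out the consequence: `// DisableClientCertAuth serves the pprof handlers without requiring a verified client certificate; only use it on a listener that untrusted clients cannot reach.` The closure in `pprofHandlerFunc` continues past the end of the hunk, so what follows the 403 branch is not visible here.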

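--- a/pkg/lib/server/server.go
+++ b/pkg/lib/server/server.go
@@ -15,7 +15,6 @@ import (
 
 func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clientCAPath *string) (func() error, error) {
 mux := http.NewServeMux()
-profile.RegisterHandlers(mux)
 mux.Handle("/metrics", promhttp.Handler())
 mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusOK)
@@ -25,10 +24,11 @@ func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clien
 Handler: mux,
 Addr: ":8080",
 }
-listenAndServe := s.ListenAndServe
+var listenAndServe func() error
 
 if *tlsCertPath != "" && *tlsKeyPath != "" {
 logger.Info("TLS keys set, using https for metrics")
+profile.RegisterHandlers(mux)
 
 certStore, err := filemonitor.NewCertStore(*tlsCertPath, *tlsKeyPath)
 if err != nil {
@@ -75,6 +75,12 @@ func GetListenAndServeFunc(logger *logrus.Logger, tlsCertPath, tlsKeyPath, clien
 return nil, fmt.Errorf("both --tls-key and --tls-crt must be provided for TLS to be enabled")
 } else {
 logger.Info("TLS keys not set, using non-https for metrics")
+profile.RegisterHandlers(mux, profile.DisableTLS)
+listenAndServe = s.ListenAndServe
+}
+
+if listenAndServe == nil {
+return nil, fmt.Errorf("unable to configure healthz/metrics/pprof server")
 }
 return listenAndServe, nil
 }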
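Review bot: In the plaintext branch, `profile.RegisterHandlers(mux, profile.DisableTLS)` puts the pprof endpoints on the same unauthenticated `:8080` listener as `/metrics` and `/healthz`, so anything that can reach that port can read `cmdline`, pull heap profiles (which can contain secrets held in memory), and run long CPU profiles or traces through `/debug/pprof/profile?seconds=` and `/debug/pprof/trace` — an information leak and a cheap DoS lever. Turning that on implicitly, just because the TLS flags were omitted, is a surprising default; I'd gate it behind an explicit opt-in flag and at least raise the log line so operators notice: `logger.Warn("TLS keys not set, using non-https for metrics; pprof endpoints are served without client authentication")`. Whether the port is reachable beyond the pod depends on the Service and NetworkPolicy, which are not visible here. The new `listenAndServe == nil` guard is presumably only reachable if the TLS branch, whose tail lies outside the hunk, fails to assign it.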
