switch to library-go deps

2026-02-05 09:45:55 +01:00 · 2018-06-29 09:56:23 -04:00
parent a12fe9c8dc
commit 51a2338667
8 changed files with 4 additions and 338 deletions
--- a/cmd/dockerregistry/main.go
+++ b/cmd/dockerregistry/main.go
@@ -13,8 +13,9 @@ import (
 	log "github.com/Sirupsen/logrus"
 	"k8s.io/apiserver/pkg/util/logs"

+	"github.com/openshift/library-go/pkg/serviceability"
+
 	"github.com/openshift/image-registry/pkg/cmd/dockerregistry"
-	"github.com/openshift/image-registry/pkg/origin-common/cmd/util/serviceability"
 )

 func main() {
--- a/pkg/cmd/dockerregistry/dockerregistry.go
+++ b/pkg/cmd/dockerregistry/dockerregistry.go
@@ -35,13 +35,14 @@ import (
 	_ "github.com/docker/distribution/registry/storage/driver/s3-aws"
 	_ "github.com/docker/distribution/registry/storage/driver/swift"

+	"github.com/openshift/library-go/pkg/crypto"
+
 	"github.com/openshift/image-registry/pkg/dockerregistry/server"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/audit"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/client"
 	registryconfig "github.com/openshift/image-registry/pkg/dockerregistry/server/configuration"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/maxconnections"
 	"github.com/openshift/image-registry/pkg/origin-common/clientcmd"
-	"github.com/openshift/image-registry/pkg/origin-common/crypto"
 	"github.com/openshift/image-registry/pkg/version"
 )

--- a/pkg/origin-common/README.md
+++ b/pkg/origin-common/README.md
@@ -10,16 +10,6 @@ The code is almost untouched, but there are some differences:
  * it doesn't support migrations for `KUBECONFIG` (i.e. the old default is ignored, which is `.kube/.config`),
  * it uses the field `openshift.kubeconfig` from our config instead of the `--config` flag.

-### cmd/util/serviceability
-
-This code is copied untouched from [github.com/openshift/origin/pkg/cmd/util/serviceability](https://godoc.org/github.com/openshift/origin/pkg/cmd/util/serviceability).
-
-### crypto
-
-The crypto package is a reduced copy of [github.com/openshift/origin/pkg/cmd/server/crypto](https://godoc.org/github.com/openshift/origin/pkg/cmd/server/crypto).
-
-We keep only functions that are required by the image registry.
-
 ### image/apis/image

 This is a significantly reduced set of code related to the internal api objects defined in [github.com/openshift/origin/pkg/image
--- a/pkg/origin-common/cmd/util/serviceability/panic.go
+++ b/pkg/origin-common/cmd/util/serviceability/panic.go
@@ -1,43 +0,0 @@
-package serviceability
-
-import (
-	"strings"
-	"time"
-
-	"github.com/golang/glog"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-)
-
-// BehaviorOnPanic is a helper for setting the crash mode of OpenShift when a panic is caught.
-// It returns a function that should be the defer handler for the caller.
-func BehaviorOnPanic(mode string) (fn func()) {
-	fn = func() {}
-	switch {
-	case mode == "crash":
-		glog.Infof("Process will terminate as soon as a panic occurs.")
-		utilruntime.ReallyCrash = true
-	case strings.HasPrefix(mode, "sentry:"):
-		url := strings.TrimPrefix(mode, "sentry:")
-		m, err := NewSentryMonitor(url)
-		if err != nil {
-			glog.Errorf("Unable to start Sentry for panic tracing: %v", err)
-			return
-		}
-		glog.Infof("Process will log all panics and errors to Sentry.")
-		utilruntime.ReallyCrash = false
-		utilruntime.PanicHandlers = append(utilruntime.PanicHandlers, m.CapturePanic)
-		utilruntime.ErrorHandlers = append(utilruntime.ErrorHandlers, m.CaptureError)
-		fn = func() {
-			if r := recover(); r != nil {
-				m.CapturePanicAndWait(r, 2*time.Second)
-				panic(r)
-			}
-		}
-	case len(mode) == 0:
-		// default panic behavior
-		utilruntime.ReallyCrash = false
-	default:
-		glog.Errorf("Unrecognized panic behavior")
-	}
-	return
-}
--- a/pkg/origin-common/cmd/util/serviceability/sentry.go
+++ b/pkg/origin-common/cmd/util/serviceability/sentry.go
@@ -1,62 +0,0 @@
-package serviceability
-
-import (
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/getsentry/raven-go"
-
-	"github.com/openshift/image-registry/pkg/version"
-)
-
-// SentryMonitor encapsulates a Sentry client and set of default tags
-type SentryMonitor struct {
-	client *raven.Client
-	tags   map[string]string
-}
-
-// NewSentryMonitor creates a class that can capture panics and errors from OpenShift
-// and Kubernetes that can roll up to a Sentry server.
-func NewSentryMonitor(url string) (*SentryMonitor, error) {
-	client, err := raven.NewClient(url, nil)
-	if err != nil {
-		return nil, err
-	}
-	client.SetRelease(version.Get().GitCommit)
-	return &SentryMonitor{
-		client: client,
-	}, nil
-}
-
-func (m *SentryMonitor) capturePanic(capture interface{}) chan error {
-	var packet *raven.Packet
-	switch rval := capture.(type) {
-	case error:
-		packet = raven.NewPacket(rval.Error(), raven.NewException(rval, raven.NewStacktrace(2, 3, nil)))
-	default:
-		rvalStr := fmt.Sprint(rval)
-		packet = raven.NewPacket(rvalStr, raven.NewException(errors.New(rvalStr), raven.NewStacktrace(2, 3, nil)))
-	}
-	_, ch := m.client.Capture(packet, m.tags)
-	return ch
-}
-
-// CapturePanic is used by the Sentry client to capture panics
-func (m *SentryMonitor) CapturePanic(capture interface{}) {
-	m.capturePanic(capture)
-}
-
-// CapturePanicAndWait waits until either the Sentry client captures a panic or
-// the provided time expires
-func (m *SentryMonitor) CapturePanicAndWait(capture interface{}, until time.Duration) {
-	select {
-	case <-m.capturePanic(capture):
-	case <-time.After(until):
-	}
-}
-
-// CaptureError is used by the Sentry client to capture errors
-func (m *SentryMonitor) CaptureError(err error) {
-	m.client.CaptureError(err, m.tags)
-}
--- a/pkg/origin-common/cmd/util/serviceability/serviceability.go
+++ b/pkg/origin-common/cmd/util/serviceability/serviceability.go
@@ -1,48 +0,0 @@
-package serviceability
-
-import (
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/pkg/profile"
-)
-
-type Stop interface {
-	Stop()
-}
-
-type stopper struct{}
-
-func (stopper) Stop() {}
-
-func Profile(mode string) Stop {
-	var stop Stop
-	switch mode {
-	case "mem":
-		stop = profileOnExit(profile.Start(profile.MemProfile, profile.ProfilePath("."), profile.NoShutdownHook, profile.Quiet))
-	case "cpu":
-		stop = profileOnExit(profile.Start(profile.CPUProfile, profile.ProfilePath("."), profile.NoShutdownHook, profile.Quiet))
-	case "block":
-		stop = profileOnExit(profile.Start(profile.BlockProfile, profile.ProfilePath("."), profile.NoShutdownHook, profile.Quiet))
-	default:
-		stop = stopper{}
-	}
-	return stop
-}
-
-func profileOnExit(s Stop) Stop {
-	go func() {
-		c := make(chan os.Signal, 1)
-		signal.Notify(c, os.Interrupt, syscall.SIGTERM)
-		<-c
-		// Programs with more sophisticated signal handling
-		// should ensure the Stop() function returned from
-		// Start() is called during shutdown.
-		// See http://godoc.org/github.com/pkg/profile
-		s.Stop()
-
-		os.Exit(1)
-	}()
-	return s
-}
--- a/pkg/origin-common/crypto/crypto.go
+++ b/pkg/origin-common/crypto/crypto.go
@@ -1,125 +0,0 @@
-package crypto
-
-import (
-	"crypto/tls"
-	"fmt"
-	"sort"
-)
-
-var versions = map[string]uint16{
-	"VersionTLS10": tls.VersionTLS10,
-	"VersionTLS11": tls.VersionTLS11,
-	"VersionTLS12": tls.VersionTLS12,
-}
-
-func TLSVersion(versionName string) (uint16, error) {
-	if len(versionName) == 0 {
-		return DefaultTLSVersion(), nil
-	}
-	if version, ok := versions[versionName]; ok {
-		return version, nil
-	}
-	return 0, fmt.Errorf("unknown tls version %q", versionName)
-}
-
-func ValidTLSVersions() []string {
-	validVersions := []string{}
-	for k := range versions {
-		validVersions = append(validVersions, k)
-	}
-	sort.Strings(validVersions)
-	return validVersions
-}
-
-func DefaultTLSVersion() uint16 {
-	// Can't use SSLv3 because of POODLE and BEAST
-	// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-	// Can't use TLSv1.1 because of RC4 cipher usage
-	return tls.VersionTLS12
-}
-
-var ciphers = map[string]uint16{
-	"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
-	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-}
-
-func CipherSuite(cipherName string) (uint16, error) {
-	if cipher, ok := ciphers[cipherName]; ok {
-		return cipher, nil
-	}
-	return 0, fmt.Errorf("unknown cipher name %q", cipherName)
-}
-
-func ValidCipherSuites() []string {
-	validCipherSuites := []string{}
-	for k := range ciphers {
-		validCipherSuites = append(validCipherSuites, k)
-	}
-	sort.Strings(validCipherSuites)
-	return validCipherSuites
-}
-
-func DefaultCiphers() []uint16 {
-	// HTTP/2 mandates TLS 1.2 or higher with an AEAD cipher
-	// suite (GCM, Poly1305) and ephemeral key exchange (ECDHE, DHE) for
-	// perfect forward secrecy. Servers may provide additional cipher
-	// suites for backwards compatibility with HTTP/1.1 clients.
-	// See RFC7540, section 9.2 (Use of TLS Features) and Appendix A
-	// (TLS 1.2 Cipher Suite Black List).
-	return []uint16{
-		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // required by http/2
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    // forbidden by http/2
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    // forbidden by http/2
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      // forbidden by http/2
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,         // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,         // forbidden by http/2
-		// the next one is in the intermediate suite, but go1.8 http2isBadCipher() complains when it is included at the recommended index
-		// because it comes after ciphers forbidden by the http/2 spec
-		// tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-		// tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // forbidden by http/2, disabled to mitigate SWEET32 attack
-		// tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // forbidden by http/2, disabled to mitigate SWEET32 attack
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA, // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA, // forbidden by http/2
-	}
-}
-
-// SecureTLSConfig enforces the default minimum security settings for the cluster.
-func SecureTLSConfig(config *tls.Config) *tls.Config {
-	if config.MinVersion == 0 {
-		config.MinVersion = DefaultTLSVersion()
-	}
-
-	config.PreferServerCipherSuites = true
-	if len(config.CipherSuites) == 0 {
-		config.CipherSuites = DefaultCiphers()
-	}
-	return config
-}
--- a/pkg/origin-common/crypto/crypto_test.go
+++ b/pkg/origin-common/crypto/crypto_test.go
@@ -1,48 +0,0 @@
-package crypto
-
-import (
-	"fmt"
-	"go/importer"
-	"strings"
-	"testing"
-)
-
-func TestConstantMaps(t *testing.T) {
-	pkg, err := importer.Default().Import("crypto/tls")
-	if err != nil {
-		fmt.Printf("error: %s\n", err.Error())
-		return
-	}
-	discoveredVersions := map[string]bool{}
-	discoveredCiphers := map[string]bool{}
-	for _, declName := range pkg.Scope().Names() {
-		if strings.HasPrefix(declName, "VersionTLS") {
-			discoveredVersions[declName] = true
-		}
-		if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") {
-			discoveredCiphers[declName] = true
-		}
-	}
-
-	for k := range discoveredCiphers {
-		if _, ok := ciphers[k]; !ok {
-			t.Errorf("discovered cipher tls.%s not in ciphers map", k)
-		}
-	}
-	for k := range ciphers {
-		if _, ok := discoveredCiphers[k]; !ok {
-			t.Errorf("ciphers map has %s not in tls package", k)
-		}
-	}
-
-	for k := range discoveredVersions {
-		if _, ok := versions[k]; !ok {
-			t.Errorf("discovered version tls.%s not in version map", k)
-		}
-	}
-	for k := range versions {
-		if _, ok := discoveredVersions[k]; !ok {
-			t.Errorf("versions map has %s not in tls package", k)
-		}
-	}
-}