205 lines
4.9 KiB
TypeScript
205 lines
4.9 KiB
TypeScript
import { readdir, readFile } from 'node:fs/promises'
|
|
import { platform } from 'node:os'
|
|
import { join, resolve } from 'node:path'
|
|
import { kill } from 'node:process'
|
|
|
|
import { Config, CoreV1Api, KubeConfig } from '@kubernetes/client-node'
|
|
|
|
import log from '~/utils/log'
|
|
|
|
import { createIntegration } from './integration'
|
|
|
|
interface Context {
|
|
pid: number | undefined
|
|
}
|
|
|
|
export default createIntegration<Context>({
|
|
name: 'Kubernetes (k8s)',
|
|
context: {
|
|
pid: undefined,
|
|
},
|
|
isAvailable: async (context) => {
|
|
if (platform() !== 'linux') {
|
|
log.error('INTG', 'Kubernetes is only available on Linux')
|
|
return false
|
|
}
|
|
|
|
const svcRoot = Config.SERVICEACCOUNT_ROOT
|
|
try {
|
|
log.debug('INTG', 'Checking Kubernetes service account at %s', svcRoot)
|
|
const files = await readdir(svcRoot)
|
|
if (files.length === 0) {
|
|
log.error('INTG', 'Kubernetes service account not found')
|
|
return false
|
|
}
|
|
|
|
const mappedFiles = new Set(files.map(file => join(svcRoot, file)))
|
|
const expectedFiles = [
|
|
Config.SERVICEACCOUNT_CA_PATH,
|
|
Config.SERVICEACCOUNT_TOKEN_PATH,
|
|
Config.SERVICEACCOUNT_NAMESPACE_PATH,
|
|
]
|
|
|
|
log.debug('INTG', 'Looking for %s', expectedFiles.join(', '))
|
|
if (!expectedFiles.every(file => mappedFiles.has(file))) {
|
|
log.error('INTG', 'Malformed Kubernetes service account')
|
|
return false
|
|
}
|
|
} catch (error) {
|
|
log.error('INTG', 'Failed to access %s: %s', svcRoot, error)
|
|
return false
|
|
}
|
|
|
|
log.debug('INTG', 'Reading Kubernetes service account at %s', svcRoot)
|
|
const namespace = await readFile(
|
|
Config.SERVICEACCOUNT_NAMESPACE_PATH,
|
|
'utf8',
|
|
)
|
|
|
|
// Some very ugly nesting but it's necessary
|
|
if (process.env.HEADSCALE_INTEGRATION_UNSTRICT === 'true') {
|
|
log.warn('INTG', 'Skipping strict Pod status check')
|
|
} else {
|
|
const pod = process.env.POD_NAME
|
|
if (!pod) {
|
|
log.error('INTG', 'Missing POD_NAME variable')
|
|
return false
|
|
}
|
|
|
|
if (pod.trim().length === 0) {
|
|
log.error('INTG', 'Pod name is empty')
|
|
return false
|
|
}
|
|
|
|
log.debug('INTG', 'Checking Kubernetes pod %s in namespace %s',
|
|
pod,
|
|
namespace,
|
|
)
|
|
|
|
try {
|
|
log.debug('INTG', 'Attempgin to get cluster KubeConfig')
|
|
const kc = new KubeConfig()
|
|
kc.loadFromCluster()
|
|
|
|
const cluster = kc.getCurrentCluster()
|
|
if (!cluster) {
|
|
log.error('INTG', 'Malformed kubeconfig')
|
|
return false
|
|
}
|
|
|
|
log.info('INTG', 'Service account connected to %s (%s)',
|
|
cluster.name,
|
|
cluster.server,
|
|
)
|
|
|
|
const kCoreV1Api = kc.makeApiClient(CoreV1Api)
|
|
|
|
log.info('INTG', 'Checking pod %s in namespace %s (%s)',
|
|
pod,
|
|
namespace,
|
|
kCoreV1Api.basePath,
|
|
)
|
|
|
|
log.debug('INTG', 'Reading pod info for %s', pod)
|
|
const { response, body } = await kCoreV1Api.readNamespacedPod(
|
|
pod,
|
|
namespace,
|
|
)
|
|
|
|
if (response.statusCode !== 200) {
|
|
log.error('INTG', 'Failed to read pod info: http %d',
|
|
response.statusCode,
|
|
)
|
|
return false
|
|
}
|
|
|
|
log.debug('INTG', 'Got pod info: %o', body.spec)
|
|
const shared = body.spec?.shareProcessNamespace
|
|
if (shared === undefined) {
|
|
log.error(
|
|
'INTG',
|
|
'Pod does not have spec.shareProcessNamespace set',
|
|
)
|
|
return false
|
|
}
|
|
|
|
if (!shared) {
|
|
log.error(
|
|
'INTG',
|
|
'Pod has set but disabled spec.shareProcessNamespace',
|
|
)
|
|
return false
|
|
}
|
|
|
|
log.info('INTG', 'Pod %s enabled shared processes', pod)
|
|
} catch (error) {
|
|
log.error('INTG', 'Failed to read pod info: %s', error)
|
|
return false
|
|
}
|
|
}
|
|
|
|
log.debug('INTG', 'Looking for namespaced process in /proc')
|
|
const dir = resolve('/proc')
|
|
try {
|
|
const subdirs = await readdir(dir)
|
|
const promises = subdirs.map(async (dir) => {
|
|
const pid = Number.parseInt(dir, 10)
|
|
|
|
if (Number.isNaN(pid)) {
|
|
return
|
|
}
|
|
|
|
const path = join('/proc', dir, 'cmdline')
|
|
try {
|
|
log.debug('INTG', 'Reading %s', path)
|
|
const data = await readFile(path, 'utf8')
|
|
if (data.includes('headscale')) {
|
|
return pid
|
|
}
|
|
} catch (error) {
|
|
log.debug('INTG', 'Failed to read %s: %s', path, error)
|
|
}
|
|
})
|
|
|
|
const results = await Promise.allSettled(promises)
|
|
const pids = []
|
|
|
|
for (const result of results) {
|
|
if (result.status === 'fulfilled' && result.value) {
|
|
pids.push(result.value)
|
|
}
|
|
}
|
|
|
|
log.debug('INTG', 'Found Headscale processes: %o', pids)
|
|
if (pids.length > 1) {
|
|
log.error('INTG', 'Found %d Headscale processes: %s',
|
|
pids.length,
|
|
pids.join(', '),
|
|
)
|
|
return false
|
|
}
|
|
|
|
if (pids.length === 0) {
|
|
log.error('INTG', 'Could not find Headscale process')
|
|
return false
|
|
}
|
|
|
|
context.pid = pids[0]
|
|
log.info('INTG', 'Found Headscale process with PID: %d', context.pid)
|
|
return true
|
|
} catch {
|
|
log.error('INTG', 'Failed to read /proc')
|
|
return false
|
|
}
|
|
},
|
|
|
|
onConfigChange: (context) => {
|
|
if (!context.pid) {
|
|
return
|
|
}
|
|
|
|
log.info('INTG', 'Sending SIGTERM to Headscale')
|
|
kill(context.pid, 'SIGTERM')
|
|
},
|
|
})
|