├── .gitignore ├── LICENSE ├── Makefile ├── README.en.md ├── README.md ├── charts ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── fence-accesslog-envoyfilter.yaml │ ├── fence-accesslog-source-configmap.yaml │ ├── fence-proxy-envoyfilter.yaml │ ├── fence-proxy.yaml │ ├── fence-rbac.yaml │ └── fence.yaml └── values.yaml ├── cmd ├── ctrl │ └── main.go └── proxy │ └── main.go ├── deploy └── fence.yaml ├── docs └── images │ ├── fence-english.png │ ├── fence.png │ ├── proxy-push-time-2.png │ ├── proxy-push-time.png │ ├── xds-requests-size-2-and-proxy-push-time-2.png │ ├── xds-requests-size-2.png │ ├── xds-requests-size-and-proxy-push-time.png │ └── xds-requests-size.png ├── go.mod ├── go.sum ├── internal ├── cache │ ├── ip_service.go │ ├── namespace.go │ └── service.go ├── cmd │ ├── ctrl │ │ ├── root.go │ │ └── server.go │ └── proxy │ │ ├── root.go │ │ └── server.go ├── config │ └── fence.go ├── controller │ ├── endpoints_controller.go │ ├── log_entry_controller.go │ ├── namespace_controller.go │ ├── resource.go │ ├── runner.go │ └── utils.go ├── healthz │ └── runner.go ├── istio │ ├── envoyfilter.go │ └── sidecar.go ├── logging │ └── logging.go ├── metric │ ├── accesslog_source.go │ └── runner.go ├── options │ └── global.go ├── proxy │ ├── http.go │ ├── runner.go │ └── serve.go └── utils │ └── env.go └── tools ├── bin └── controller-gen ├── boilerplate └── boilerplate.go.txt ├── docker ├── fence-proxy │ └── Dockerfile └── fence │ └── Dockerfile └── make ├── common.mk ├── helm.mk ├── image.mk └── kube.mk /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | /.vscode/ 3 | /.idea/ 4 | /.examples/ 5 | /vendor/ 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, 
REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SHELL:= /bin/bash -o pipefail 2 | 3 | # All make targets should be implemented in tools/make/*.mk 4 | # ==================================================================================================== 5 | # Supported Targets: (Run `make help` to see more information) 6 | # ==================================================================================================== 7 | 8 | # This file is a wrapper around `make` so that we can force on the 9 | # --warn-undefined-variables flag. Sure, you can set 10 | # `MAKEFLAGS += --warn-undefined-variables` from inside of a Makefile, 11 | # but then it won't turn on until the second phase (recipe execution), 12 | # and won't actually be on during the initial phase (parsing). 
13 | # See: https://www.gnu.org/software/make/manual/make.html#Reading-Makefiles 14 | 15 | # Have everything-else ("%") depend on _run (which uses 16 | # $(MAKECMDGOALS) to decide what to run), rather than having 17 | # everything else run $(MAKE) directly, since that'd end up running 18 | # multiple sub-Makes if you give multiple targets on the CLI. 19 | _run: 20 | @$(MAKE) --warn-undefined-variables -f tools/make/common.mk $(MAKECMDGOALS) 21 | .PHONY: _run 22 | $(if $(MAKECMDGOALS),$(MAKECMDGOALS): %: _run) 23 | -------------------------------------------------------------------------------- /README.en.md: -------------------------------------------------------------------------------- 1 | # Fence([中文](./README.md)) 2 | 3 | Fence is an open source project to automate the management of the Istio custom resource `Sidecar`. 4 | 5 | ## Background 6 | 7 | When there are too many services in the Service Mesh, the Envoy configuration is too large and new applications remain in Not Ready state for a long time. For this reason, Ops needs to manage the custom resource `Sidecar` and manually configure service dependencies for the application. 8 | 9 | Fence has the ability to automatically fetch service dependencies and provide automatic management of the custom resource `Sidecar`. 10 | 11 | ## Architecture 12 | 13 | ![architecture](docs/images/fence-english.png) 14 | 15 | ## Performance Indicator 16 | 17 | In a Kubernetes cluster with 250 pods, the `XDS Response Bytes Max` peaks at 450 kB/s and the `Proxy Push Time` peaks at 20s before Fence is enabled, and the `XDS Response Bytes Max` peaks at 27 kB/s and the `Proxy Push Time` peaks at 5s after Fence is enabled. In summary, enabling Fence to automatically manage Sidecar resources reduces the `XDS Response Bytes Max` peak by about 94% and the `Proxy Push Time` peak by about 75%. 
18 | 19 | **Before Fence is enabled** 20 | 21 | ![xds requests size](docs/images/xds-requests-size-and-proxy-push-time.png) 22 | 23 | **After Fence is enabled** 24 | 25 | ![xds requests size](docs/images/xds-requests-size-2-and-proxy-push-time-2.png) 26 | 27 | ## Install & Use 28 | 29 | **Use kubectl** 30 | 31 | ```shell 32 | kubectl create namespace fence 33 | kubectl apply -f "https://raw.githubusercontent.com/hexiaodai/fence/0.1.0/deploy/fence.yaml" 34 | ``` 35 | 36 | **Use helm** 37 | 38 | ```shell 39 | helm install fence --create-namespace -n fence oci://registry-1.docker.io/hejianmin/chart-fence --version 0.1.0 40 | ``` 41 | 42 | **Fence has two ways to automate the management of custom resource Sidecars in a cluster:** 43 | 44 | > Note: Fence does not manage Sidecar resources in the system namespaces `kube-system` and `istio-system`. Both install methods also create a ClusterRole `fence` that allows all verbs on all API groups, resources and non-resource URLs, and bind it to the `fence` and `fence-proxy` service accounts, so review the RBAC manifest before installing into a shared cluster. 45 | 46 | - Manage the entire cluster, this is the default behavior 47 | 48 | ```shell 49 | kubectl -n fence set env deployment/fence AUTO_FENCE="true" 50 | ``` 51 | 52 | - Specify a Namespace or Pod to manage 53 | 54 | ```shell 55 | kubectl -n fence set env deployment/fence AUTO_FENCE="false" 56 | # Namespace 57 | kubectl label namespace ${namespace name} sidecar.fence.io=enabled 58 | # Pod 59 | kubectl label pods ${pod name} sidecar.fence.io=enabled 60 | ``` 61 | 62 | - Specify a Namespace or Pod that does not need to be managed 63 | 64 | ```shell 65 | # Namespace 66 | kubectl label namespace ${namespace name} sidecar.fence.io=disable 67 | # Pod 68 | kubectl label pods ${pod name} sidecar.fence.io=disable 69 | ``` 70 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Fence([English](./README.en.md)) 2 | 3 | Fence 是一个开源项目,用于自动管理 Istio 自定义资源 `Sidecar`。 4 | 5 | ## 背景 6 | 7 | 服务网格内服务数量过多时,Envoy 配置量太大,新上的应用长时间处于 Not Ready 状态。为此运维人员需要管理自定义资源 `Sidecar`,手动为应用配置服务依赖关系。 8 | 9 | Fence 拥有自动获取服务依赖关系的能力,提供自动管理自定义资源 `Sidecar`。 
10 | 11 | ## 架构 12 | 13 | ![架构图](docs/images/fence.png) 14 | 15 | ## 性能指标 16 | 17 | 在 Kubernetes 集群中部署 250 个 Pod。启用 Fence 前 `XDS Response Bytes Max` 峰值 450 kB/s,`Proxy Push Time` 峰值 20s;启用 Fence 后 `XDS Response Bytes Max` 峰值 27 kB/s,`Proxy Push Time` 峰值 5s。综上,启用 Fence 自动管理 Sidecar 资源后 `XDS Response Bytes Max` 的峰值减少了约 94%,`Proxy Push Time` 的峰值减少了约 75%。 18 | 19 | **启用 Fence 前** 20 | 21 | ![xds requests size](docs/images/xds-requests-size-and-proxy-push-time.png) 22 | 23 | **启用 Fence 后** 24 | 25 | ![xds requests size](docs/images/xds-requests-size-2-and-proxy-push-time-2.png) 26 | 27 | ## 安装和使用 28 | 29 | **Use kubectl** 30 | 31 | ```shell 32 | kubectl create namespace fence 33 | kubectl apply -f "https://raw.githubusercontent.com/hexiaodai/fence/0.1.0/deploy/fence.yaml" 34 | ``` 35 | 36 | **Use helm** 37 | 38 | ```shell 39 | helm install fence --create-namespace -n fence oci://registry-1.docker.io/hejianmin/chart-fence --version 0.1.0 40 | ``` 41 | 42 | **Fence 有两种自动管理集群中自定义资源 Sidecar 的方式:** 43 | 44 | > 注意:Fence 不会管理系统名称空间 `kube-system`、`istio-system` 下的 Sidecar。 45 | 46 | - 管理整个集群,这是默认行为 47 | 48 | ```shell 49 | kubectl -n fence set env deployment/fence AUTO_FENCE="true" 50 | ``` 51 | 52 | - 指定需要管理的 Namespace 或 Pod 53 | 54 | ```shell 55 | kubectl -n fence set env deployment/fence AUTO_FENCE="false" 56 | # 名称空间 57 | kubectl label namespace ${namespace name} sidecar.fence.io=enabled 58 | # Pod 59 | kubectl label pods ${pod name} sidecar.fence.io=enabled 60 | ``` 61 | 62 | - 指定不需要管理的 Namespace 或 Pod 63 | 64 | ```shell 65 | # 名称空间 66 | kubectl label namespace ${namespace name} sidecar.fence.io=disable 67 | # Pod 68 | kubectl label pods ${pod name} sidecar.fence.io=disable 69 | ``` 70 | -------------------------------------------------------------------------------- /charts/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: chart-fence 3 | description: A Helm chart for Fence 4 | type: application 5 | 
version: 0.0.0 6 | appVersion: 0.0.0 7 | -------------------------------------------------------------------------------- /charts/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing {{ .Chart.Name }}. 2 | 3 | Release Information: 4 | Release Name: {{ .Release.Name }} 5 | Release Namespace: {{ .Release.Namespace }} 6 | 7 | Get the list of pods by executing: 8 | $ kubectl get pods -n {{ .Release.Namespace }} 9 | 10 | Learn More -> https://github.com/hexiaodai/fence 11 | -------------------------------------------------------------------------------- /charts/templates/fence-accesslog-envoyfilter.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: fence-accesslog 5 | namespace: {{ .Release.Namespace }} 6 | spec: 7 | configPatches: 8 | - applyTo: NETWORK_FILTER 9 | match: 10 | listener: 11 | filterChain: 12 | filter: 13 | name: envoy.filters.network.http_connection_manager 14 | patch: 15 | operation: MERGE 16 | value: 17 | typed_config: 18 | "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager 19 | access_log: 20 | - name: envoy.access_loggers.http_grpc 21 | typed_config: 22 | "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig 23 | common_config: 24 | grpc_service: 25 | envoy_grpc: 26 | cluster_name: fence-accesslog-source 27 | log_name: http_envoy_accesslog 28 | transport_api_version: V3 29 | workloadSelector: 30 | labels: 31 | app: fence-proxy 32 | -------------------------------------------------------------------------------- /charts/templates/fence-accesslog-source-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: fence-accesslog-source 5 | namespace: {{ 
.Release.Namespace }} 6 | data: 7 | custom_bootstrap.json: | 8 | { 9 | "static_resources": { 10 | "clusters": [{ 11 | "name": "fence-accesslog-source", 12 | "type": "STRICT_DNS", 13 | "connect_timeout": "5s", 14 | "http2_protocol_options": {}, 15 | "dns_lookup_family": "V4_ONLY", 16 | "load_assignment": { 17 | "cluster_name": "fence-accesslog-source", 18 | "endpoints": [{ 19 | "lb_endpoints": [{ 20 | "endpoint": { 21 | "address": { 22 | "socket_address": { 23 | "address": "fence.{{ .Release.Namespace }}", 24 | "port_value": {{ .Values.fence.logSourcePort }} 25 | } 26 | } 27 | } 28 | }] 29 | }] 30 | }, 31 | "respect_dns_ttl": true 32 | }] 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /charts/templates/fence-proxy-envoyfilter.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: fence-proxy 5 | namespace: {{ .Values.istio.namespace }} 6 | spec: 7 | configPatches: [] 8 | -------------------------------------------------------------------------------- /charts/templates/fence-proxy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: fence-proxy 5 | namespace: {{ .Release.Namespace }} 6 | --- 7 | 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: fence-proxy 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | app: fence-proxy 15 | spec: 16 | replicas: {{ .Values.deployment.replicas }} 17 | selector: 18 | matchLabels: 19 | app: fence-proxy 20 | template: 21 | metadata: 22 | labels: 23 | app: fence-proxy 24 | sidecar.istio.io/inject: "true" 25 | annotations: 26 | sidecar.istio.io/bootstrapOverride: fence-accesslog-source 27 | proxy.istio.io/config: | 28 | holdApplicationUntilProxyStarts: true 29 | proxyMetadata: 30 | ISTIO_META_FENCE_APP: 31 | FENCE_PROXY 32 | spec: 33 | 
containers: 34 | - env: 35 | - name: PROBE_PORT 36 | value: {{ .Values.fence.probePort | quote }} 37 | - name: AUTO_FENCE 38 | value: {{ .Values.fence.autoFence | quote }} 39 | - name: ISTIO_NAMESPACE 40 | value: {{ .Values.istio.namespace }} 41 | - name: FENCE_NAMESPACE 42 | value: {{ .Release.Namespace }} 43 | - name: LOG_SOURCE_PORT 44 | value: {{ .Values.fence.logSourcePort | quote }} 45 | - name: LOG_LEVEL 46 | value: {{ .Values.fence.logLevel }} 47 | name: fence-proxy 48 | image: {{ .Values.deployment.fenceProxy.image.repository }}:{{ .Chart.AppVersion }} 49 | imagePullPolicy: {{ .Values.deployment.fenceProxy.imagePullPolicy }} 50 | resources: 51 | {{- toYaml .Values.deployment.fenceProxy.resources | nindent 12 }} 52 | readinessProbe: 53 | httpGet: 54 | path: / 55 | port: {{ .Values.fence.probePort }} 56 | initialDelaySeconds: 5 57 | periodSeconds: 10 58 | livenessProbe: 59 | httpGet: 60 | path: / 61 | port: {{ .Values.fence.probePort }} 62 | initialDelaySeconds: 15 63 | periodSeconds: 20 64 | serviceAccountName: fence-proxy 65 | --- 66 | 67 | apiVersion: v1 68 | kind: Service 69 | metadata: 70 | labels: 71 | app: fence-proxy 72 | service: fence-proxy 73 | name: fence-proxy 74 | namespace: {{ .Release.Namespace }} 75 | spec: 76 | selector: 77 | app: fence-proxy 78 | type: ClusterIP 79 | ports: 80 | - name: http 81 | port: 80 82 | protocol: TCP 83 | targetPort: 80 84 | - name: status-port 85 | port: {{ .Values.fence.probePort }} 86 | protocol: TCP 87 | targetPort: {{ .Values.fence.probePort }} 88 | -------------------------------------------------------------------------------- /charts/templates/fence-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: fence 5 | rules: 6 | - apiGroups: 7 | - '*' 8 | resources: 9 | - '*' 10 | verbs: 11 | - "*" 12 | - nonResourceURLs: 13 | - '*' 14 | verbs: 15 | - "*" 16 | --- 17 | 18 | apiVersion: 
rbac.authorization.k8s.io/v1 19 | kind: ClusterRoleBinding 20 | metadata: 21 | name: fence 22 | roleRef: 23 | apiGroup: rbac.authorization.k8s.io 24 | kind: ClusterRole 25 | name: fence 26 | subjects: 27 | - kind: ServiceAccount 28 | name: fence-proxy 29 | namespace: {{ .Release.Namespace }} 30 | - kind: ServiceAccount 31 | name: fence 32 | namespace: {{ .Release.Namespace }} 33 | -------------------------------------------------------------------------------- /charts/templates/fence.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: fence 5 | namespace: {{ .Release.Namespace }} 6 | --- 7 | 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: fence 12 | namespace: {{ .Release.Namespace }} 13 | labels: 14 | app: fence 15 | spec: 16 | replicas: {{ .Values.deployment.replicas }} 17 | selector: 18 | matchLabels: 19 | app: fence 20 | template: 21 | metadata: 22 | labels: 23 | app: fence 24 | spec: 25 | containers: 26 | - env: 27 | - name: PROBE_PORT 28 | value: {{ .Values.fence.probePort | quote }} 29 | - name: AUTO_FENCE 30 | value: {{ .Values.fence.autoFence | quote }} 31 | - name: ISTIO_NAMESPACE 32 | value: {{ .Values.istio.namespace }} 33 | - name: FENCE_NAMESPACE 34 | value: {{ .Release.Namespace }} 35 | - name: LOG_SOURCE_PORT 36 | value: {{ .Values.fence.logSourcePort | quote }} 37 | - name: LOG_LEVEL 38 | value: {{ .Values.fence.logLevel }} 39 | name: fence 40 | image: {{ .Values.deployment.fence.image.repository }}:{{ .Chart.AppVersion }} 41 | imagePullPolicy: {{ .Values.deployment.fence.imagePullPolicy }} 42 | resources: 43 | {{- toYaml .Values.deployment.fence.resources | nindent 12 }} 44 | readinessProbe: 45 | httpGet: 46 | path: / 47 | port: {{ .Values.fence.probePort }} 48 | initialDelaySeconds: 5 49 | periodSeconds: 10 50 | livenessProbe: 51 | httpGet: 52 | path: / 53 | port: {{ .Values.fence.probePort }} 54 | initialDelaySeconds: 15 
55 | periodSeconds: 20 56 | serviceAccountName: fence 57 | --- 58 | 59 | apiVersion: v1 60 | kind: Service 61 | metadata: 62 | labels: 63 | app: fence 64 | service: fence 65 | name: fence 66 | namespace: {{ .Release.Namespace }} 67 | spec: 68 | selector: 69 | app: fence 70 | type: ClusterIP 71 | ports: 72 | - name: status-port 73 | port: {{ .Values.fence.probePort }} 74 | protocol: TCP 75 | targetPort: {{ .Values.fence.probePort }} 76 | - name: log-source-port 77 | port: {{ .Values.fence.logSourcePort }} 78 | protocol: TCP 79 | targetPort: {{ .Values.fence.logSourcePort }} 80 | -------------------------------------------------------------------------------- /charts/values.yaml: -------------------------------------------------------------------------------- 1 | deployment: 2 | fence: 3 | image: 4 | repository: hejianmin/fence 5 | imagePullPolicy: Always 6 | resources: 7 | limits: 8 | cpu: 500m 9 | memory: 128Mi 10 | requests: 11 | cpu: 10m 12 | memory: 64Mi 13 | fenceProxy: 14 | image: 15 | repository: hejianmin/fence-proxy 16 | imagePullPolicy: Always 17 | resources: 18 | limits: 19 | cpu: 500m 20 | memory: 128Mi 21 | requests: 22 | cpu: 10m 23 | memory: 64Mi 24 | replicas: 1 25 | 26 | fence: 27 | autoFence: true 28 | probePort: 16021 29 | logSourcePort: 8082 30 | logLevel: info 31 | 32 | istio: 33 | namespace: istio-system 34 | -------------------------------------------------------------------------------- /cmd/ctrl/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | 7 | "github.com/hexiaodai/fence/internal/cmd/ctrl" 8 | ) 9 | 10 | func main() { 11 | if err := ctrl.GetRootCommand().Execute(); err != nil { 12 | _, _ = fmt.Fprintln(os.Stderr, err) 13 | os.Exit(1) 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /cmd/proxy/main.go: -------------------------------------------------------------------------------- 1 | 
package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | 7 | "github.com/hexiaodai/fence/internal/cmd/proxy" 8 | ) 9 | 10 | func main() { 11 | if err := proxy.GetRootCommand().Execute(); err != nil { 12 | _, _ = fmt.Fprintln(os.Stderr, err) 13 | os.Exit(1) 14 | } 15 | } 16 |
--------------------------------------------------------------------------------
/deploy/fence.yaml:
--------------------------------------------------------------------------------
# Static install manifest for fence: two ServiceAccounts, the access-log
# bootstrap ConfigMap, a ClusterRole and its binding, two Services, two
# Deployments and two EnvoyFilters.
# NOTE(review): the "# Source: chart-fence/templates/..." markers suggest this
# file is rendered chart output; if so, changes belong in charts/templates/
# and this file should be re-rendered -- confirm.
---
# Source: chart-fence/templates/fence-proxy.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fence-proxy
  namespace: fence
---
# Source: chart-fence/templates/fence.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fence
  namespace: fence
---
# Source: chart-fence/templates/fence-accesslog-source-configmap.yaml
# Envoy bootstrap override that adds one static cluster, fence-accesslog-source,
# resolving fence.fence:8082 over HTTP/2. The fence-proxy Deployment references
# this ConfigMap through the sidecar.istio.io/bootstrapOverride annotation.
# NOTE(review): the cluster carries no transport_socket, so this bootstrap does
# not itself put TLS on the access-log stream, and nothing in this file
# restricts who may connect to port 8082 of the fence Service. Confirm the
# stream is covered by mesh mTLS or a NetworkPolicy, and that the receiver does
# not trust log entries from arbitrary senders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fence-accesslog-source
  namespace: fence
data:
  custom_bootstrap.json: |
    {
      "static_resources": {
        "clusters": [{
          "name": "fence-accesslog-source",
          "type": "STRICT_DNS",
          "connect_timeout": "5s",
          "http2_protocol_options": {},
          "dns_lookup_family": "V4_ONLY",
          "load_assignment": {
            "cluster_name": "fence-accesslog-source",
            "endpoints": [{
              "lb_endpoints": [{
                "endpoint": {
                  "address": {
                    "socket_address": {
                      "address": "fence.fence",
                      "port_value": 8082
                    }
                  }
                }
              }]
            }]
          },
          "respect_dns_ttl": true
        }]
      }
    }
---
# Source: chart-fence/templates/fence-rbac.yaml
# NOTE(review): these two rules allow every verb on every resource in every API
# group plus every non-resource URL, i.e. the same rule set as the built-in
# cluster-admin role. That includes reading all Secrets and editing RBAC
# objects cluster-wide. Replace the wildcards with the explicit groups,
# resources and verbs the controller uses -- presumably reads of Services,
# Endpoints and Namespaces and writes to Istio Sidecar/EnvoyFilter objects,
# judging by the controller file names; verify against the code.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fence
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - "*"
  - nonResourceURLs:
      - '*'
    verbs:
      - "*"
---
# Source: chart-fence/templates/fence-rbac.yaml
# Binds the ClusterRole above to both ServiceAccounts.
# NOTE(review): fence-proxy is the component that serves traffic on port 80,
# yet its token carries the same cluster-wide rights as the controller. Give
# fence-proxy its own narrower Role (or none, if it never calls the API
# server -- confirm) so that a fault in the request path does not expose
# full cluster access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fence
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fence
subjects:
  - kind: ServiceAccount
    name: fence-proxy
    namespace: fence
  - kind: ServiceAccount
    name: fence
    namespace: fence
---
# Source: chart-fence/templates/fence-proxy.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: fence-proxy
    service: fence-proxy
  name: fence-proxy
  namespace: fence
spec:
  selector:
    app: fence-proxy
  type: ClusterIP
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: status-port
      port: 16021
      protocol: TCP
      targetPort: 16021
---
# Source: chart-fence/templates/fence.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: fence
    service: fence
  name: fence
  namespace: fence
spec:
  selector:
    app: fence
  type: ClusterIP
  ports:
    - name: status-port
      port: 16021
      protocol: TCP
      targetPort: 16021
    - name: log-source-port
      port: 8082
      protocol: TCP
      targetPort: 8082
---
# Source: chart-fence/templates/fence-proxy.yaml
# fence-proxy workload. It requests sidecar injection and points the sidecar at
# the fence-accesslog-source bootstrap override defined above.
# NOTE(review): neither the pod nor the container sets a securityContext, so the
# process runs with the image's default user and the runtime's default
# capabilities. Consider runAsNonRoot, allowPrivilegeEscalation: false,
# readOnlyRootFilesystem and dropping all capabilities; the Service targets
# port 80, so verify the bind still works as a non-root user.
# NOTE(review): the image is referenced by tag with imagePullPolicy: Always, so
# the content behind 0.1.0 is re-resolved on every pod start and can change
# without a manifest change. Pin it by digest (...@sha256:<digest>).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fence-proxy
  namespace: fence
  labels:
    app: fence-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fence-proxy
  template:
    metadata:
      labels:
        app: fence-proxy
        sidecar.istio.io/inject: "true"
      annotations:
        sidecar.istio.io/bootstrapOverride: fence-accesslog-source
        proxy.istio.io/config: |
          holdApplicationUntilProxyStarts: true
          proxyMetadata:
            ISTIO_META_FENCE_APP:
              FENCE_PROXY
    spec:
      containers:
        - env:
            - name: PROBE_PORT
              value: "16021"
            - name: AUTO_FENCE
              value: "true"
            - name: ISTIO_NAMESPACE
              value: istio-system
            - name: FENCE_NAMESPACE
              value: fence
            - name: LOG_SOURCE_PORT
              value: "8082"
            - name: LOG_LEVEL
              value: info
          name: fence-proxy
          image: docker.io/hejianmin/fence-proxy:0.1.0
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 64Mi
          readinessProbe:
            httpGet:
              path: /
              port: 16021
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: 16021
            initialDelaySeconds: 15
            periodSeconds: 20
      serviceAccountName: fence-proxy
---
# Source: chart-fence/templates/fence.yaml
# fence controller workload; runs under the fence ServiceAccount and receives
# the same environment as fence-proxy.
# NOTE(review): as with fence-proxy, no securityContext is set and the image is
# a tag pulled with imagePullPolicy: Always. This pod holds the cluster-wide
# token bound above, so hardening it and pinning the image by digest
# (...@sha256:<digest>) matters most here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fence
  namespace: fence
  labels:
    app: fence
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fence
  template:
    metadata:
      labels:
        app: fence
    spec:
      containers:
        - env:
            - name: PROBE_PORT
              value: "16021"
            - name: AUTO_FENCE
              value: "true"
            - name: ISTIO_NAMESPACE
              value: istio-system
            - name: FENCE_NAMESPACE
              value: fence
            - name: LOG_SOURCE_PORT
              value: "8082"
            - name: LOG_LEVEL
              value: info
          name: fence
          image: docker.io/hejianmin/fence:0.1.0
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 64Mi
          readinessProbe:
            httpGet:
              path: /
              port: 16021
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: 16021
            initialDelaySeconds: 15
            periodSeconds: 20
      serviceAccountName: fence
---
# Source: chart-fence/templates/fence-accesslog-envoyfilter.yaml
# Merges a gRPC access logger into the HTTP connection manager of workloads
# labelled app: fence-proxy in the fence namespace; the logger sends to the
# fence-accesslog-source cluster from the bootstrap ConfigMap.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: fence-accesslog
  namespace: fence
spec:
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            access_log:
              - name: envoy.access_loggers.http_grpc
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig
                  common_config:
                    grpc_service:
                      envoy_grpc:
                        cluster_name: fence-accesslog-source
                    log_name: http_envoy_accesslog
                    transport_api_version: V3
  workloadSelector:
    labels:
      app: fence-proxy
---
# Source: chart-fence/templates/fence-proxy-envoyfilter.yaml
# Empty EnvoyFilter created in istio-system.
# NOTE(review): it has no workloadSelector; if istio-system is the mesh root
# namespace, any patch later written into configPatches applies to every
# sidecar in the mesh. Presumably the controller fills it in at runtime --
# confirm, and treat write access to this object as mesh-wide control.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: fence-proxy
  namespace: istio-system
spec:
  configPatches: []

-------------------------------------------------------------------------------- /docs/images/fence-english.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/fence-english.png -------------------------------------------------------------------------------- /docs/images/fence.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/fence.png -------------------------------------------------------------------------------- /docs/images/proxy-push-time-2.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/proxy-push-time-2.png -------------------------------------------------------------------------------- /docs/images/proxy-push-time.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/proxy-push-time.png -------------------------------------------------------------------------------- /docs/images/xds-requests-size-2-and-proxy-push-time-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/xds-requests-size-2-and-proxy-push-time-2.png -------------------------------------------------------------------------------- /docs/images/xds-requests-size-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/xds-requests-size-2.png -------------------------------------------------------------------------------- /docs/images/xds-requests-size-and-proxy-push-time.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/xds-requests-size-and-proxy-push-time.png -------------------------------------------------------------------------------- /docs/images/xds-requests-size.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/docs/images/xds-requests-size.png -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 
1 | module github.com/hexiaodai/fence 2 | 3 | go 1.20 4 | 5 | require ( 6 | github.com/envoyproxy/go-control-plane v0.11.0 7 | github.com/go-logr/logr v1.2.4 8 | github.com/go-logr/zapr v1.2.3 9 | github.com/spf13/cobra v1.7.0 10 | github.com/spf13/pflag v1.0.5 // indirect 11 | go.uber.org/zap v1.24.0 12 | golang.org/x/sys v0.7.0 13 | google.golang.org/grpc v1.54.0 14 | gopkg.in/yaml.v2 v2.4.0 // indirect 15 | istio.io/api v0.0.0-20230414193140-04eb39977e2a 16 | istio.io/client-go v1.17.1 17 | k8s.io/api v0.27.1 18 | k8s.io/apimachinery v0.27.1 19 | k8s.io/cli-runtime v0.27.1 20 | k8s.io/client-go v0.27.1 21 | sigs.k8s.io/controller-runtime v0.13.1-0.20230420181312-a24b949df33a 22 | ) 23 | 24 | require ( 25 | github.com/beorn7/perks v1.0.1 // indirect 26 | github.com/cespare/xxhash/v2 v2.2.0 // indirect 27 | github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b // indirect 28 | github.com/davecgh/go-spew v1.1.1 // indirect 29 | github.com/emicklei/go-restful/v3 v3.9.0 // indirect 30 | github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect 31 | github.com/evanphx/json-patch v4.12.0+incompatible // indirect 32 | github.com/evanphx/json-patch/v5 v5.6.0 // indirect 33 | github.com/fsnotify/fsnotify v1.6.0 // indirect 34 | github.com/go-errors/errors v1.4.2 // indirect 35 | github.com/go-openapi/jsonpointer v0.19.6 // indirect 36 | github.com/go-openapi/jsonreference v0.20.1 // indirect 37 | github.com/go-openapi/swag v0.22.3 // indirect 38 | github.com/gogo/protobuf v1.3.2 // indirect 39 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 40 | github.com/golang/protobuf v1.5.3 // indirect 41 | github.com/google/btree v1.0.1 // indirect 42 | github.com/google/gnostic v0.5.7-v3refs // indirect 43 | github.com/google/go-cmp v0.5.9 // indirect 44 | github.com/google/gofuzz v1.1.0 // indirect 45 | github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect 46 | github.com/google/uuid v1.3.0 // indirect 47 | 
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect 48 | github.com/imdario/mergo v0.3.12 // indirect 49 | github.com/inconshreveable/mousetrap v1.1.0 // indirect 50 | github.com/josharian/intern v1.0.0 // indirect 51 | github.com/json-iterator/go v1.1.12 // indirect 52 | github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect 53 | github.com/mailru/easyjson v0.7.7 // indirect 54 | github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect 55 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 56 | github.com/modern-go/reflect2 v1.0.2 // indirect 57 | github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect 58 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 59 | github.com/peterbourgon/diskv v2.0.1+incompatible // indirect 60 | github.com/pkg/errors v0.9.1 // indirect 61 | github.com/prometheus/client_golang v1.15.0 // indirect 62 | github.com/prometheus/client_model v0.3.0 // indirect 63 | github.com/prometheus/common v0.42.0 // indirect 64 | github.com/prometheus/procfs v0.9.0 // indirect 65 | github.com/xlab/treeprint v1.1.0 // indirect 66 | go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect 67 | go.uber.org/atomic v1.7.0 // indirect 68 | go.uber.org/multierr v1.6.0 // indirect 69 | golang.org/x/net v0.8.0 // indirect 70 | golang.org/x/oauth2 v0.5.0 // indirect 71 | golang.org/x/term v0.6.0 // indirect 72 | golang.org/x/text v0.8.0 // indirect 73 | golang.org/x/time v0.3.0 // indirect 74 | gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect 75 | google.golang.org/appengine v1.6.7 // indirect 76 | google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect 77 | google.golang.org/protobuf v1.30.0 78 | gopkg.in/inf.v0 v0.9.1 // indirect 79 | gopkg.in/yaml.v3 v3.0.1 // indirect 80 | k8s.io/apiextensions-apiserver v0.26.1 // indirect 81 | k8s.io/component-base v0.26.1 // indirect 82 | k8s.io/klog/v2 v2.90.1 
// indirect 83 | k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect 84 | k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect 85 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 86 | sigs.k8s.io/kustomize/api v0.13.2 // indirect 87 | sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect 88 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect 89 | sigs.k8s.io/yaml v1.3.0 // indirect 90 | ) 91 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 4 | cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= 5 | cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= 6 | cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= 7 | cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= 8 | cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= 9 | cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= 10 | cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= 11 | cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 12 | cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= 13 | cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= 14 | cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= 15 | cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= 16 | cloud.google.com/go/bigquery v1.0.1/go.mod 
h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= 17 | cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= 18 | cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 19 | cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 20 | cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= 21 | cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= 22 | cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= 23 | cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= 24 | cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 25 | cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 26 | cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 27 | cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= 28 | cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= 29 | cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= 30 | cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 31 | cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= 32 | cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= 33 | dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= 34 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 35 | github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 36 | github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod 
h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 37 | github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 38 | github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 39 | github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 40 | github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= 41 | github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= 42 | github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= 43 | github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 44 | github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= 45 | github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 46 | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= 47 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 48 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 49 | github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 50 | github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= 51 | github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 52 | github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 53 | github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 54 | github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 55 | github.com/client9/misspell v0.3.4/go.mod 
h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 56 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 57 | github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b h1:ACGZRIr7HsgBKHsueQ1yM4WaVaXh21ynwqsF8M8tXhA= 58 | github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= 59 | github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 60 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 61 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 62 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 63 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 64 | github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= 65 | github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= 66 | github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 67 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 68 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 69 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 70 | github.com/envoyproxy/go-control-plane v0.11.0 h1:jtLewhRR2vMRNnq2ZZUoCjUlgut+Y0+sDDWPOfwOi1o= 71 | github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI= 72 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 73 | github.com/envoyproxy/protoc-gen-validate v0.9.1 h1:PS7VIOgmSVhWUEeZwTe7z7zouA22Cr590PzXKbZHOVY= 74 | github.com/envoyproxy/protoc-gen-validate 
v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= 75 | github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= 76 | github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= 77 | github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 78 | github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= 79 | github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= 80 | github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= 81 | github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= 82 | github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= 83 | github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= 84 | github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 85 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 86 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 87 | github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 88 | github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 89 | github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= 90 | github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= 91 | github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 92 | github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= 93 | github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= 94 | github.com/go-logfmt/logfmt v0.5.1/go.mod 
h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= 95 | github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 96 | github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 97 | github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= 98 | github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 99 | github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= 100 | github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= 101 | github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= 102 | github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= 103 | github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= 104 | github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= 105 | github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= 106 | github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= 107 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 108 | github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= 109 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 110 | github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 111 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 112 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 113 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 114 | github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod 
h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 115 | github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 116 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 117 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= 118 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 119 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 120 | github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 121 | github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= 122 | github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 123 | github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 124 | github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 125 | github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= 126 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 127 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 128 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 129 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 130 | github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 131 | github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= 132 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 133 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 134 | 
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 135 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 136 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 137 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 138 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 139 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 140 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 141 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 142 | github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= 143 | github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 144 | github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 145 | github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 146 | github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= 147 | github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= 148 | github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= 149 | github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= 150 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 151 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 152 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 153 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 154 | github.com/google/go-cmp v0.4.1/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 155 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 156 | github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 157 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 158 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 159 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 160 | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 161 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 162 | github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= 163 | github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 164 | github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 165 | github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 166 | github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 167 | github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 168 | github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 169 | github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 170 | github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 171 | github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 172 | github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 173 | github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 
h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= 174 | github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 175 | github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= 176 | github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= 177 | github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 178 | github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 179 | github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 180 | github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 181 | github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= 182 | github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= 183 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 184 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 185 | github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 186 | github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= 187 | github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= 188 | github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 189 | github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 190 | github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= 191 | github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 192 | github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 193 
| github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= 194 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 195 | github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 196 | github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 197 | github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 198 | github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 199 | github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 200 | github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= 201 | github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 202 | github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= 203 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 204 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 205 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 206 | github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 207 | github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 208 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 209 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 210 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 211 | github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= 212 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 213 | 
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 214 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 215 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 216 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 217 | github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= 218 | github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= 219 | github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 220 | github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= 221 | github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= 222 | github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM= 223 | github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= 224 | github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= 225 | github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= 226 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 227 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 228 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 229 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 230 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 231 | github.com/modern-go/reflect2 v1.0.2 
h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= 232 | github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= 233 | github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= 234 | github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= 235 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 236 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 237 | github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 238 | github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 239 | github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk= 240 | github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU= 241 | github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E= 242 | github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= 243 | github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= 244 | github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= 245 | github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 246 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 247 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 248 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 249 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 250 | github.com/pmezard/go-difflib v1.0.0/go.mod 
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 251 | github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 252 | github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= 253 | github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= 254 | github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= 255 | github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= 256 | github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= 257 | github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= 258 | github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= 259 | github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= 260 | github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= 261 | github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 262 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 263 | github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 264 | github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= 265 | github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= 266 | github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= 267 | github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= 268 | github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= 269 | github.com/prometheus/common 
v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= 270 | github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= 271 | github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= 272 | github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= 273 | github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= 274 | github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= 275 | github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 276 | github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= 277 | github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= 278 | github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= 279 | github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= 280 | github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= 281 | github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= 282 | github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= 283 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 284 | github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= 285 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 286 | github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= 287 | github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 288 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 289 | github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= 290 
| github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= 291 | github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= 292 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 293 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 294 | github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= 295 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 296 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 297 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 298 | github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= 299 | github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 300 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 301 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 302 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 303 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 304 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 305 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 306 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 307 | github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= 308 | github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 309 | github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= 310 | github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= 311 | github.com/yuin/goldmark v1.1.25/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 312 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 313 | github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 314 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 315 | go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 316 | go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= 317 | go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 318 | go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 319 | go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 320 | go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= 321 | go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= 322 | go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= 323 | go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= 324 | go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= 325 | go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= 326 | go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= 327 | go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= 328 | go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= 329 | go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= 330 | go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= 331 | go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= 332 | golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 333 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod 
h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 334 | golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 335 | golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 336 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 337 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 338 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 339 | golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 340 | golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 341 | golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= 342 | golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= 343 | golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 344 | golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 345 | golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 346 | golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= 347 | golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 348 | golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= 349 | golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 350 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 351 | 
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 352 | golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 353 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 354 | golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 355 | golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 356 | golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 357 | golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= 358 | golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 359 | golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 360 | golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= 361 | golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 362 | golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 363 | golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= 364 | golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 365 | golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 366 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 367 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 368 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 369 | golang.org/x/net 
v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 370 | golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 371 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 372 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 373 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 374 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 375 | golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 376 | golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 377 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 378 | golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 379 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 380 | golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 381 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 382 | golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 383 | golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 384 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 385 | golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 386 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 387 | golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 388 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 389 | golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 390 | golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 391 | golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 392 | golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 393 | golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 394 | golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 395 | golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 396 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 397 | golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 398 | golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 399 | golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 400 | golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= 401 | golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= 402 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 403 | golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 404 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 405 | golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 406 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 407 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 408 | golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= 409 | golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= 410 | golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= 411 | golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= 412 | golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= 413 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 414 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 415 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 416 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 417 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 418 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 419 | golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 420 | golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 421 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 422 | golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 423 | 
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 424 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 425 | golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 426 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 427 | golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 428 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 429 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 430 | golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 431 | golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 432 | golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 433 | golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 434 | golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 435 | golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 436 | golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 437 | golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 438 | golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 439 | golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 440 | golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 441 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 442 | golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 443 | golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 444 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 445 | golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 446 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 447 | golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 448 | golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 449 | golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 450 | golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 451 | golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 452 | golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 453 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 454 | golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 455 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 456 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 457 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 458 | golang.org/x/sys 
v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 459 | golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 460 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 461 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 462 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 463 | golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 464 | golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= 465 | golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 466 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 467 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 468 | golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw= 469 | golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= 470 | golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 471 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 472 | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 473 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 474 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 475 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 476 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 477 | golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= 478 | golang.org/x/text v0.8.0/go.mod 
h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 479 | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 480 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 481 | golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 482 | golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= 483 | golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 484 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 485 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 486 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 487 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 488 | golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 489 | golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 490 | golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 491 | golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 492 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 493 | golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 494 | golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 495 | golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 496 | golang.org/x/tools 
v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 497 | golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 498 | golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 499 | golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 500 | golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 501 | golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 502 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 503 | golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 504 | golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 505 | golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 506 | golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 507 | golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 508 | golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 509 | golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 510 | golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 511 | golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 512 | golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 513 | golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 514 | golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 515 | golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 516 | golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 517 | golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= 518 | golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 519 | golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 520 | golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 521 | golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 522 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 523 | golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 524 | golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 525 | golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 526 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 527 | golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4= 528 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 529 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 530 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 531 | 
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 532 | gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= 533 | gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= 534 | google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 535 | google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 536 | google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 537 | google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 538 | google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 539 | google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 540 | google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 541 | google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 542 | google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 543 | google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 544 | google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 545 | google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 546 | google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 547 | google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 548 | google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= 549 | google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= 550 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 551 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 552 | google.golang.org/appengine v1.5.0/go.mod 
h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 553 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 554 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 555 | google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 556 | google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 557 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 558 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 559 | google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 560 | google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 561 | google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 562 | google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 563 | google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 564 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 565 | google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= 566 | google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 567 | google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 568 | google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 569 | google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 
570 | google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 571 | google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 572 | google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= 573 | google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 574 | google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 575 | google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 576 | google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 577 | google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 578 | google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 579 | google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 580 | google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 581 | google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= 582 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 583 | google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= 584 | google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 585 | google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 586 | 
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 587 | google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 588 | google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= 589 | google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= 590 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 591 | google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 592 | google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 593 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 594 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 595 | google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 596 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 597 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 598 | google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= 599 | google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= 600 | google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 601 | google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 602 | google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag= 603 | google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= 604 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 605 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod 
h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 606 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 607 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 608 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 609 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 610 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 611 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 612 | google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 613 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 614 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 615 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 616 | google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= 617 | google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 618 | gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 619 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 620 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 621 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 622 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 623 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 624 | gopkg.in/errgo.v2 v2.1.0/go.mod 
h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 625 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 626 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 627 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 628 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 629 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 630 | gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 631 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 632 | gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 633 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 634 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 635 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 636 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 637 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 638 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 639 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 640 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 641 | honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 642 | honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 643 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 644 | honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 645 | honnef.co/go/tools v0.0.1-2020.1.3/go.mod 
h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 646 | honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 647 | istio.io/api v0.0.0-20230414193140-04eb39977e2a h1:A+FBNGJpU/CYENpjXVza4fAtQctbnVVmmoKTefpwP1g= 648 | istio.io/api v0.0.0-20230414193140-04eb39977e2a/go.mod h1:dDMe1TsOtrRoUlBzdxqNolWXpXPQjLfbcXvqPMtQ6eo= 649 | istio.io/client-go v1.17.1 h1:W0kQXYCzIluA/20zLzxeNF7bNMJXXArmGYRt/MIg2io= 650 | istio.io/client-go v1.17.1/go.mod h1:mLTRYYFxHctzUbt8Iclgj+Sueq34+qC2ZEJTn6BxRuE= 651 | k8s.io/api v0.27.1 h1:Z6zUGQ1Vd10tJ+gHcNNNgkV5emCyW+v2XTmn+CLjSd0= 652 | k8s.io/api v0.27.1/go.mod h1:z5g/BpAiD+f6AArpqNjkY+cji8ueZDU/WV1jcj5Jk4E= 653 | k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI= 654 | k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM= 655 | k8s.io/apimachinery v0.27.1 h1:EGuZiLI95UQQcClhanryclaQE6xjg1Bts6/L3cD7zyc= 656 | k8s.io/apimachinery v0.27.1/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM= 657 | k8s.io/cli-runtime v0.27.1 h1:MMzp5Q/Xmr5L1Lrowuc+Y/r95XINC6c6/fE3aN7JDRM= 658 | k8s.io/cli-runtime v0.27.1/go.mod h1:tEbTB1XP/nTH3wujsi52bw91gWpErtWiS15R6CwYsAI= 659 | k8s.io/client-go v0.27.1 h1:oXsfhW/qncM1wDmWBIuDzRHNS2tLhK3BZv512Nc59W8= 660 | k8s.io/client-go v0.27.1/go.mod h1:f8LHMUkVb3b9N8bWturc+EDtVVVwZ7ueTVquFAJb2vA= 661 | k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= 662 | k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU= 663 | k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= 664 | k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= 665 | k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a h1:gmovKNur38vgoWfGtP5QOGNOA7ki4n6qNYoFAgMlNvg= 666 | k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a/go.mod h1:y5VtZWM9sHHc2ZodIH/6SHzXj+TPU5USoA8lcIeKEKY= 667 | k8s.io/utils v0.0.0-20230209194617-a36077c30491 
h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= 668 | k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 669 | rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 670 | rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 671 | rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 672 | sigs.k8s.io/controller-runtime v0.13.1-0.20230420181312-a24b949df33a h1:jzAEMUCMIytf2whTW2Fe+d6gNGxYY/iUha7kGM23bog= 673 | sigs.k8s.io/controller-runtime v0.13.1-0.20230420181312-a24b949df33a/go.mod h1:ujEX5tSkpg5cCOhcwDWLsXwNuMCO+j4rpmmkIn6BGGc= 674 | sigs.k8s.io/controller-runtime v0.14.0 h1:ju2xsov5Ara6FoQuddg+az+rAxsUsTYn2IYyEKCTyDc= 675 | sigs.k8s.io/controller-runtime v0.14.0/go.mod h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU= 676 | sigs.k8s.io/controller-runtime v0.14.5 h1:6xaWFqzT5KuAQ9ufgUaj1G/+C4Y1GRkhrxl+BJ9i+5s= 677 | sigs.k8s.io/controller-runtime v0.14.5/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= 678 | sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= 679 | sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= 680 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= 681 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= 682 | sigs.k8s.io/kustomize/api v0.13.2 h1:kejWfLeJhUsTGioDoFNJET5LQe/ajzXhJGYoU+pJsiA= 683 | sigs.k8s.io/kustomize/api v0.13.2/go.mod h1:DUp325VVMFVcQSq+ZxyDisA8wtldwHxLZbr1g94UHsw= 684 | sigs.k8s.io/kustomize/kyaml v0.14.1 h1:c8iibius7l24G2wVAGZn/Va2wNys03GXLjYVIcFVxKA= 685 | sigs.k8s.io/kustomize/kyaml v0.14.1/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= 686 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= 687 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod 
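h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= 688 | sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= 689 | sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 690 |
--------------------------------------------------------------------------------
/internal/cache/ip_service.go:
--------------------------------------------------------------------------------
package cache

import (
	"context"
	"fmt"
	"net"
	"reflect"
	"strings"
	"sync"
	"time"

	envoy_config_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	data_accesslog "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3"
	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/options"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/watch"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/cache"
)

// IpService caches the relation between endpoint IPs and the Service
// (namespace/name of the Endpoints object) they belong to. It is used to
// attribute an access-log entry's source IP to a Service.
type IpService struct {
	// map[string]types.NamespacedName
	//
	// NOTE: one IP maps to exactly one Service here. If the same IP appears in
	// the Endpoints of several Services, the most recently stored one wins, so
	// attribution by source IP is best-effort.
	IpToService sync.Map
	// map[types.NamespacedName][]string
	ServiceToIps sync.Map
	config.Server
}

// NewIpService returns an empty IpService whose logger is named "IpService".
func NewIpService(server config.Server) *IpService {
	server.Logger = server.Logger.WithName("IpService").WithValues("cache", "IpService")
	return &IpService{
		Server:       server,
		IpToService:  sync.Map{},
		ServiceToIps: sync.Map{},
	}
}

// Start builds a Kubernetes client from options.DefaultConfigFlags, starts an
// informer on Endpoints in all namespaces and waits for its initial sync.
//
// It returns an error when the client cannot be built or when ctx is cancelled
// before the informer has synced.
func (i *IpService) Start(ctx context.Context) error {
	config, err := options.DefaultConfigFlags.ToRawKubeConfigLoader().ClientConfig()
	if err != nil {
		return err
	}
	client, err := kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}

	// The informer's ListOptions must be forwarded: they carry the
	// resourceVersion that ties the watch to the preceding list. Dropping them
	// can lose events between list and watch and leave stale IP mappings.
	lw := &cache.ListWatch{
		ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) {
			return client.CoreV1().Endpoints("").List(ctx, opts)
		},
		WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) {
			return client.CoreV1().Endpoints("").Watch(ctx, opts)
		},
	}

	_, controller := cache.NewInformer(lw, &corev1.Endpoints{}, 60*time.Second, cache.ResourceEventHandlerFuncs{
		AddFunc:    func(obj interface{}) { i.handleEpAdd(ctx, obj) },
		UpdateFunc: func(oldObj, newObj interface{}) { i.handleEpUpdate(ctx, oldObj, newObj) },
		DeleteFunc: func(obj interface{}) { i.handleEpDelete(ctx, obj) },
	})

	go controller.Run(ctx.Done())

	// Same contract as the Namespace and Service caches: do not report
	// "started" before the initial list has been processed, otherwise early
	// FetchSourceSvc lookups fail on an empty map.
	if !cache.WaitForCacheSync(ctx.Done(), controller.HasSynced) {
		return fmt.Errorf("failed to wait for endpoints cache sync")
	}

	i.Logger.Info("started")
	return nil
}

// handleEpAdd records the IPs of a newly observed Endpoints object.
func (i *IpService) handleEpAdd(ctx context.Context, obj interface{}) {
	ep, ok := obj.(*corev1.Endpoints)
	if !ok {
		return
	}
	i.addIpWithEp(ep)
}

// handleEpUpdate replaces the cached IPs of an Endpoints object when its
// Subsets changed; updates that leave Subsets untouched are ignored.
func (i *IpService) handleEpUpdate(ctx context.Context, old, obj interface{}) {
	ep, ok := obj.(*corev1.Endpoints)
	if !ok {
		return
	}
	oldEp, ok := old.(*corev1.Endpoints)
	if !ok {
		return
	}

	if reflect.DeepEqual(oldEp.Subsets, ep.Subsets) {
		return
	}

	i.deleteIpFromEp(oldEp)
	i.addIpWithEp(ep)
}

// handleEpDelete drops the cached IPs of a deleted Endpoints object.
func (i *IpService) handleEpDelete(ctx context.Context, obj interface{}) {
	// A missed delete event is delivered as a tombstone wrapping the last
	// known object; unwrap it so the stale mapping is still removed.
	if tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown); isTombstone {
		obj = tombstone.Obj
	}
	ep, ok := obj.(*corev1.Endpoints)
	if !ok {
		return
	}
	i.deleteIpFromEp(ep)
}

// addIpWithEp stores every address of ep under its namespace/name, in both
// directions (IP -> Service and Service -> IPs).
func (i *IpService) addIpWithEp(ep *corev1.Endpoints) {
	svc := types.NamespacedName{Namespace: ep.GetNamespace(), Name: ep.GetName()}
	var addresses []string
	for _, subset := range ep.Subsets {
		for _, address := range subset.Addresses {
			addresses = append(addresses, address.IP)
			i.IpToService.Store(address.IP, svc)
		}
	}
	i.ServiceToIps.Store(svc, addresses)
}

// deleteIpFromEp removes the Service of ep and the IPs recorded for it.
func (i *IpService) deleteIpFromEp(ep *corev1.Endpoints) {
	svc := types.NamespacedName{Namespace: ep.GetNamespace(), Name: ep.GetName()}

	// delete svc in ServiceToIps
	value, ok := i.ServiceToIps.LoadAndDelete(svc)
	if !ok {
		return
	}
	ips, ok := value.([]string)
	if !ok {
		return
	}

	// delete ips related svc
	for _, ip := range ips {
		// Only drop the mapping if it still points at this Service; another
		// Service sharing the IP may have overwritten it in the meantime.
		if current, found := i.IpToService.Load(ip); found && current == svc {
			i.IpToService.Delete(ip)
		}
	}
}

// FetchSourceIp returns the downstream remote IP of an access-log entry.
//
// The entry comes from outside this process, so every level is checked: a
// missing CommonProperties/DownstreamRemoteAddress or a non-socket address
// yields an error instead of a nil dereference or a failed type assertion.
func (i *IpService) FetchSourceIp(entry *data_accesslog.HTTPAccessLogEntry) (sourceIp string, err error) {
	remote := entry.GetCommonProperties().GetDownstreamRemoteAddress().GetAddress()
	downstreamSock, ok := remote.(*envoy_config_core.Address_SocketAddress)
	if !ok || downstreamSock == nil || net.ParseIP(downstreamSock.SocketAddress.GetAddress()) == nil {
		err = fmt.Errorf("source ip does not exist")
		return
	}
	sourceIp = downstreamSock.SocketAddress.GetAddress()
	return
}

// FetchSourceSvc looks up the Service that owns sourceIp in the cache.
func (i *IpService) FetchSourceSvc(sourceIp string) (*types.NamespacedName, error) {
	value, ok := i.IpToService.Load(sourceIp)
	if !ok {
		return nil, fmt.Errorf("no source service, source ip is %v", sourceIp)
	}

	svc, ok := value.(types.NamespacedName)
	if !ok {
		return nil, fmt.Errorf("failed to get source service, source ip is %v", sourceIp)
	}
	return &svc, nil
}

// FetchDestinationSvc derives the destination host name of an inbound
// access-log entry from the request authority and expands short names
// towards "<name>.<namespace>.svc.cluster.local".
//
// NOTE(review): the authority is the Host/:authority value sent by the client,
// so the returned name is client-influenced. For one-label names it is not
// checked against the Service cache here; callers that turn it into
// configuration should confirm it names a Service they expect.
func (i *IpService) FetchDestinationSvc(entry *data_accesslog.HTTPAccessLogEntry) (destSvc string, err error) {
	upstreamCluster := entry.GetCommonProperties().GetUpstreamCluster()
	parts := strings.Split(upstreamCluster, "|")
	if len(parts) != 4 {
		err = fmt.Errorf("upstreamCluster is wrong: parts number is not 4, upstreamCluster is %v", upstreamCluster)
		return
	}
	// only handle inbound access log
	if parts[0] != "inbound" {
		err = fmt.Errorf("this log is not inbound")
		return
	}
	// get destination service info from request.authority
	auth := entry.GetRequest().GetAuthority()
	dest := auth
	if host, _, splitErr := net.SplitHostPort(auth); splitErr == nil {
		dest = host
	} else {
		// no port present: only strip the brackets of an IPv6 literal
		dest = strings.TrimSuffix(strings.TrimPrefix(auth, "["), "]")
	}
	if dest == "" {
		err = fmt.Errorf("destination authority is empty")
		return
	}

	// dest is ip address, skip
	if net.ParseIP(dest) != nil {
		err = fmt.Errorf("destination is ip address")
		return
	}
	// a leftover colon means the authority was neither host nor host:port
	if strings.Contains(dest, ":") {
		err = fmt.Errorf("destination authority is malformed")
		return
	}

	// both short name and k8s fqdn will be added as following

	destParts := strings.Split(dest, ".")

	sourceIp, err := i.FetchSourceIp(entry)
	if err != nil {
		err = fmt.Errorf("failed to fetch source ip")
		return
	}
	sourceSvc, err := i.FetchSourceSvc(sourceIp)
	if err != nil {
		return
	}

	destSvc = dest
	switch len(destParts) {
	case 1:
		destSvc = fmt.Sprintf("%v.%v.svc.cluster.local", dest, sourceSvc.Namespace)
	case 2:
		destSvc = i.completeDestSvcName(destParts, dest, "svc.cluster.local")
	case 3:
		if destParts[2] == "svc" {
			destSvc = i.completeDestSvcName(destParts, dest, "cluster.local")
		}
	}

	return
}

// completeDestSvcName appends suffix to dest when destParts[0]/destParts[1]
// (name/namespace) is a Service known to the cache; otherwise dest is
// returned unchanged.
func (i *IpService) completeDestSvcName(destParts []string, dest, suffix string) (destSvc string) {
	destSvc = dest
	// destParts: name.namespace.svc.cluster.local
	svc := types.NamespacedName{Namespace: destParts[1], Name: destParts[0]}
	if _, ok := i.ServiceToIps.Load(svc); ok {
		destSvc = fmt.Sprintf("%v.%v", dest, suffix)
	}
	return
}

--------------------------------------------------------------------------------
/internal/cache/namespace.go:
--------------------------------------------------------------------------------
package cache

import (
	"context"
	"fmt"
	"sync"
	"time"

	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/options"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/watch"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/cache"
)

// NewNamespace returns an empty Namespace cache whose logger is named
// "Namespace".
func NewNamespace(server config.Server) *Namespace {
	server.Logger = server.Logger.WithName("Namespace").WithValues("cache", "Namespace")
	return &Namespace{
		Server:  server,
		Disable: sync.Map{},
		Enabled: sync.Map{},
	}
}

// Start builds a Kubernetes client from options.DefaultConfigFlags, starts an
// informer on Namespaces and blocks until its initial sync has completed.
func (ns *Namespace) Start(ctx context.Context) error {
	config, err := options.DefaultConfigFlags.ToRawKubeConfigLoader().ClientConfig()
	if err != nil {
		return err
	}
	client, err := kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}

	// Forward the informer's ListOptions (resourceVersion etc.); dropping them
	// can lose events between list and watch.
	lw := &cache.ListWatch{
		ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) {
			return client.CoreV1().Namespaces().List(ctx, opts)
		},
		WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) {
			return client.CoreV1().Namespaces().Watch(ctx, opts)
		},
	}
	_, controller := cache.NewInformer(lw, &corev1.Namespace{}, 60*time.Second, cache.ResourceEventHandlerFuncs{
		AddFunc:    func(obj interface{}) { ns.handleNamespaceUpdate(obj) },
		UpdateFunc: func(_, newObj interface{}) { ns.handleNamespaceUpdate(newObj) },
		DeleteFunc: func(obj interface{}) { ns.handleNamespaceDelete(obj) },
	})

	go controller.Run(ctx.Done())

	if !cache.WaitForCacheSync(ctx.Done(), controller.HasSynced) {
		return fmt.Errorf("failed to wait for namespace cache sync")
	}

	ns.Logger.Info("started")
	return nil
}

// Namespace caches which namespaces carry the config.SidecarFenceLabel label
// with the "disable" or "enabled" value.
type Namespace struct {
	// map[namespaceName]struct{}
	Disable sync.Map
	// map[namespaceName]struct{}
	Enabled sync.Map
	config.Server
}

// handleNamespaceUpdate mirrors the current value of the fence label into the
// cache. The previous state is cleared first, so a namespace whose label was
// flipped or removed is never reported as both disabled and enabled, and
// never keeps a state its label no longer expresses.
func (ns *Namespace) handleNamespaceUpdate(obj interface{}) {
	nsv, ok := obj.(*corev1.Namespace)
	if !ok {
		return
	}
	switch nsv.Labels[config.SidecarFenceLabel] {
	case config.SidecarFenceValueDisable:
		ns.Enabled.Delete(nsv.Name)
		ns.SetDisable(nsv.Name)
	case config.SidecarFenceValueEnabled:
		ns.Disable.Delete(nsv.Name)
		ns.SetEnabled(nsv.Name)
	default:
		// label absent or set to an unknown value
		ns.Delete(nsv.Name)
	}
}

// handleNamespaceDelete forgets a deleted namespace.
func (ns *Namespace) handleNamespaceDelete(obj interface{}) {
	// A missed delete event arrives as a tombstone wrapping the last known
	// object; unwrap it so the entry is still removed.
	if tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown); isTombstone {
		obj = tombstone.Obj
	}
	nsv, ok := obj.(*corev1.Namespace)
	if !ok {
		return
	}
	ns.Delete(nsv.Name)
}

// IsDisable reports whether name is recorded as fence-disabled.
func (ns *Namespace) IsDisable(name string) bool {
	_, ok := ns.Disable.Load(name)
	return ok
}

// IsEnabled reports whether name is recorded as fence-enabled.
func (ns *Namespace) IsEnabled(name string) bool {
	_, ok := ns.Enabled.Load(name)
	return ok
}

// SetDisable records name as fence-disabled.
func (ns *Namespace) SetDisable(name string) {
	ns.Disable.Store(name, struct{}{})
}

// SetEnabled records name as fence-enabled.
func (ns *Namespace) SetEnabled(name string) {
	ns.Enabled.Store(name, struct{}{})
}

// Delete removes name from both the disabled and the enabled set.
func (ns *Namespace) Delete(name string) {
	ns.Disable.Delete(name)
	ns.Enabled.Delete(name)
}

--------------------------------------------------------------------------------
/internal/cache/service.go:
--------------------------------------------------------------------------------
package cache

import (
	"context"
	"fmt"
	"sync"
	"time"

	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/options"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/watch"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/cache"
)

// NewService returns an empty Service cache whose logger is named "Service".
func NewService(server config.Server) *Service {
	server.Logger = server.Logger.WithName("Service").WithValues("cache", "Service")
	return &Service{
		Server: server,
		Data:   sync.Map{},
	}
}

// Start builds a Kubernetes client from options.DefaultConfigFlags, starts an
// informer on Services in all namespaces and blocks until its initial sync
// has completed.
func (sc *Service) Start(ctx context.Context) error {
	config, err := options.DefaultConfigFlags.ToRawKubeConfigLoader().ClientConfig()
	if err != nil {
		return err
	}
	client, err := kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}

	// Forward the informer's ListOptions (resourceVersion etc.); dropping them
	// can lose events between list and watch.
	lw := &cache.ListWatch{
		ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) {
			return client.CoreV1().Services("").List(ctx, opts)
		},
		WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) {
			return client.CoreV1().Services("").Watch(ctx, opts)
		},
	}
	_, controller := cache.NewInformer(lw, &corev1.Service{}, 60*time.Second, cache.ResourceEventHandlerFuncs{
		AddFunc:    func(obj interface{}) { sc.handleServiceUpdate(obj) },
		UpdateFunc: func(_, newObj interface{}) { sc.handleServiceUpdate(newObj) },
		DeleteFunc: func(obj interface{}) { sc.handleServiceDelete(obj) },
	})

	go controller.Run(ctx.Done())

	if !cache.WaitForCacheSync(ctx.Done(), controller.HasSynced) {
		return fmt.Errorf("failed to wait for service cache sync")
	}

	sc.Logger.Info("started")
	return nil
}

// handleServiceUpdate records the namespace/name of an added or updated
// Service.
func (sc *Service) handleServiceUpdate(obj interface{}) {
	svc, ok := obj.(*corev1.Service)
	if !ok {
		return
	}
	nn := types.NamespacedName{
		Name:      svc.Name,
		Namespace: svc.Namespace,
	}

	sc.Set(nn)
}

// Service caches the namespace/name of every Service seen by the informer.
type Service struct {
	// map[types.NamespacedName]struct{}
	Data sync.Map
	config.Server
}

// handleServiceDelete forgets a deleted Service.
func (sc *Service) handleServiceDelete(obj interface{}) {
	// A missed delete event arrives as a tombstone wrapping the last known
	// object; unwrap it so the entry is still removed.
	if tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown); isTombstone {
		obj = tombstone.Obj
	}
	svc, ok := obj.(*corev1.Service)
	if !ok {
		return
	}
	nn := types.NamespacedName{
		Name:      svc.Name,
		Namespace: svc.Namespace,
	}
	sc.Delete(nn)
}

// ExistNcName reports whether nn is present in the cache.
func (sc *Service) ExistNcName(nn types.NamespacedName) bool {
	_, ok := sc.Data.Load(nn)
	return ok
}

// Set adds nn to the cache.
func (sc *Service) Set(nn types.NamespacedName) {
	sc.Data.Store(nn, struct{}{})
}

// Delete removes nn from the cache.
func (sc *Service) Delete(nn types.NamespacedName) {
	sc.Data.Delete(nn)
}

--------------------------------------------------------------------------------
/internal/cmd/ctrl/root.go:
--------------------------------------------------------------------------------
package ctrl

import "github.com/spf13/cobra"

// GetRootCommand returns the root cobra command of the Fence controller
// binary, with the server sub-command attached.
func GetRootCommand() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "fence controller",
		Short: "Fence Controller",
		Long:  "Fence Controller",
	}

	cmd.AddCommand(getServerCommand())

	return cmd
}

--------------------------------------------------------------------------------
/internal/cmd/ctrl/server.go:
--------------------------------------------------------------------------------
package ctrl

import (
	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/controller"
	"github.com/hexiaodai/fence/internal/healthz"
	"github.com/spf13/cobra"
	ctrl "sigs.k8s.io/controller-runtime"
)

// getServerCommand returns the "controller" sub-command, which runs server().
func getServerCommand() *cobra.Command {
	cmd := &cobra.Command{
		Use:     "controller",
		Aliases: []string{"ctrl", "controller"},
		Short:   "Fence Controller",
		RunE: func(cmd *cobra.Command, args []string) error {
			return server()
		},
	}

	return cmd
}

// server starts the controller runners and blocks until shutdown.
func server() error {
	return setupRunners()
}

// setupRunners starts the controller runner and the healthz runner with a
// configuration from config.New, then waits for the signal-handler context
// to be cancelled.
func setupRunners() error {
	ctx := ctrl.SetupSignalHandler()

	server := config.New()

	ctrlrunner := controller.New(server)
	if err := ctrlrunner.Start(ctx); err != nil {
		return err
	}

	healthzRunner := healthz.New(server)
	if err := healthzRunner.Start(); err != nil {
		return err
	}

	<-ctx.Done()
	return nil
}

--------------------------------------------------------------------------------
/internal/cmd/proxy/root.go:
--------------------------------------------------------------------------------
package proxy

import "github.com/spf13/cobra"

// GetRootCommand returns the root cobra command of the Fence proxy binary,
// with the server sub-command attached.
func GetRootCommand() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "fence proxy",
		Short: "Fence Proxy",
		Long:  "Fence Proxy",
	}

	cmd.AddCommand(getServerCommand())

	return cmd
}

--------------------------------------------------------------------------------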
/internal/cmd/proxy/server.go:
--------------------------------------------------------------------------------
package proxy

import (
	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/healthz"
	httpproxy "github.com/hexiaodai/fence/internal/proxy"
	"github.com/spf13/cobra"
	ctrl "sigs.k8s.io/controller-runtime"
)

// getServerCommand builds the "proxy" sub-command; running it calls server().
func getServerCommand() *cobra.Command {
	return &cobra.Command{
		Use:     "proxy",
		Aliases: []string{"proxy"},
		Short:   "Fence Proxy",
		RunE: func(_ *cobra.Command, _ []string) error {
			return server()
		},
	}
}

// server is the sub-command entry point; it only delegates to setupRunners.
func server() error {
	return setupRunners()
}

// setupRunners starts the proxy runner and then the health-check runner, and
// blocks until the signal-handler context is cancelled.
//
// It returns the first Start error; once both runners have started it returns
// nil after the context is done.
func setupRunners() error {
	sigCtx := ctrl.SetupSignalHandler()
	cfg := config.New()

	if err := httpproxy.New(cfg).Start(sigCtx); err != nil {
		return err
	}
	if err := healthz.New(cfg).Start(); err != nil {
		return err
	}

	// Both runners are up; wait for the shutdown signal.
	<-sigCtx.Done()
	return nil
}
--------------------------------------------------------------------------------
/internal/config/fence.go:
--------------------------------------------------------------------------------
package config

import (
	"strconv"

	"github.com/hexiaodai/fence/internal/logging"
	"github.com/hexiaodai/fence/internal/utils"
)

// Label key and values that switch Fence on or off. The controller helpers
// compare namespace and pod labels against these constants.
const (
	SidecarFenceLabel        = "sidecar.fence.io"
	SidecarFenceValueEnabled = "enabled"
	SidecarFenceValueDisable = "disable"
)

// Server wraps the Fence configuration and additional parameters
// used by Fence server.
type Server struct {
	// FenceNamespace is the namespace that Fence runs in.
	FenceNamespace string
	// IstioNamespace is the namespace that Istio runs in.
	IstioNamespace string
	// ProbePort is the health check port.
	ProbePort string
	// WormholePort is the wormhole port.
	WormholePort string
	// AutoFence is an automatic management sidecar.
	AutoFence bool
	// LogSourcePort is the LogSource port.
	LogSourcePort string
	// Logger is the logr implementation used by Fence.
	Logger logging.Logger
}

// New returns a Server populated through utils.Lookup, using the second
// argument of each call as the fallback value (presumably an environment
// lookup; see internal/utils/env.go to confirm).
//
// Port values are kept as strings and are not validated here.
func New() Server {
	var srv Server

	// NOTE(review): the ParseBool error is discarded, so a malformed AUTO_FENCE
	// value silently yields false instead of being reported to the operator.
	srv.AutoFence, _ = strconv.ParseBool(utils.Lookup("AUTO_FENCE", "true"))

	srv.FenceNamespace = utils.Lookup("FENCE_NAMESPACE", "fence")
	srv.IstioNamespace = utils.Lookup("ISTIO_NAMESPACE", "istio-system")
	srv.ProbePort = utils.Lookup("PROBE_PORT", "16021")
	srv.WormholePort = utils.Lookup("WORMHOLE_PORT", "80")
	srv.LogSourcePort = utils.Lookup("LOG_SOURCE_PORT", "8082")

	// The default logger, at the level named by LOG_LEVEL.
	srv.Logger = logging.DefaultLogger(logging.LogLevel(utils.Lookup("LOG_LEVEL", logging.LogLevelInfo)))
	return srv
}
--------------------------------------------------------------------------------
/internal/controller/endpoints_controller.go:
--------------------------------------------------------------------------------
package controller

import (
	"context"
	goerrors "errors"
	"fmt"

	"github.com/hexiaodai/fence/internal/cache"
	"github.com/hexiaodai/fence/internal/config"
	"github.com/hexiaodai/fence/internal/istio"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/errors"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

// EndpointsReconciler reconciles corev1.Endpoints objects. It embeds the
// Kubernetes client and the Fence Server configuration; the remaining fields
// are filled in by the option functions passed to NewEndpointsReconciler.
type EndpointsReconciler struct {
	client.Client
	config.Server
	Scheme         *runtime.Scheme
	Sidecar        *istio.Sidecar
	NamespaceCache *cache.Namespace
	Resource       *Resource
}

// EndpointsReconcilerOpts mutates an EndpointsReconciler during construction.
type EndpointsReconcilerOpts func(*EndpointsReconciler)

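// NewEndpointsReconciler applies opts to an empty EndpointsReconciler and then
// derives a named logger from whatever Logger the options installed.
func NewEndpointsReconciler(opts ...EndpointsReconcilerOpts) *EndpointsReconciler {
	r := &EndpointsReconciler{}
	for _, opt := range opts {
		opt(r)
	}
	r.Logger = r.Logger.WithName("Reconciler").WithValues("controller", "Endpoints")
	return r
}

// Reconcile handles one Endpoints object: it skips system namespaces, deleted
// objects and empty subsets, resolves the backing Service and one of its pods,
// and refreshes the Fence resources when Fence is enabled for that pod and the
// pod carries the istio-proxy container.
//
// A conflict from RefreshByService is turned into a requeue; any other error is
// returned to the caller.
func (r *EndpointsReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
	log := r.Logger.WithValues("namespace", request.Namespace, "name", request.Name)

	if isSystemNamespace(r.Server.FenceNamespace, r.Server.IstioNamespace, request.Namespace) {
		log.Sugar().Debugw("skip system namespace", "namespaceName", request.NamespacedName)
		return ctrl.Result{}, nil
	}

	instance := &corev1.Endpoints{}
	if err := r.Client.Get(ctx, request.NamespacedName, instance); err != nil {
		if errors.IsNotFound(err) {
			log.Sugar().Debugw("resource not found. ignoring since object must be deleted", "namespaceName", request.NamespacedName)
			return ctrl.Result{}, nil
		}
		return ctrl.Result{}, fmt.Errorf("failed to get endpoints: %v", err)
	}

	if len(instance.Subsets) == 0 {
		log.Sugar().Debugw("endpoints subsets are empty", "namespaceName", request.NamespacedName)
		return ctrl.Result{}, nil
	}

	svc, pod, err := r.fetchServiceAndPod(ctx, instance)
	if err != nil {
		if goerrors.Is(err, errNotFound) || errors.IsNotFound(err) {
			log.Sugar().Warnw("no service and pod associated", "namespaceName", request.NamespacedName)
			return ctrl.Result{}, nil
		}
		return ctrl.Result{}, fmt.Errorf("failed to fetch service and pod: %v", err)
	}

	// Both conditions must hold: the opt-in/opt-out labels allow Fence, and the
	// pod actually runs an Istio sidecar.
	if !fenceIsEnabled(r.NamespaceCache, r.Server.AutoFence, pod) || !isInjectSidecar(pod) {
		log.Sugar().Debugw("fence is not enabled or sidecar is not injected", "namespaceName", request.NamespacedName)
		return ctrl.Result{}, nil
	}

	if err := r.Resource.RefreshByService(ctx, svc); err != nil {
		if errors.IsConflict(err) {
			return ctrl.Result{Requeue: true}, nil
		}
		return ctrl.Result{}, fmt.Errorf("failed to refresh resource. namespaceName %v. %w", request.NamespacedName, err)
	}

	return ctrl.Result{}, nil
}

// errNotFound signals that no Service/pod pair could be associated with an object.
var errNotFound = fmt.Errorf("resource not found")

// fetchServiceAndPod loads the Service that shares the Endpoints' namespace and
// name, then one pod matched by that Service's selector.
//
// The pod lookup is restricted to the Service's own namespace. The returned pod
// feeds the sidecar.fence.io label checks in Reconcile, so a pod from another
// namespace that merely carries the same labels must never be picked. A Service
// with an empty selector is reported as errNotFound, because an empty label set
// converts to a selector that matches every pod.
//
// It returns errNotFound when the Endpoints has no subsets, the Service has no
// selector, or no pod matches.
func (r *EndpointsReconciler) fetchServiceAndPod(ctx context.Context, ep *corev1.Endpoints) (svc *corev1.Service, pod *corev1.Pod, err error) {
	if len(ep.Subsets) == 0 {
		err = errNotFound
		return
	}
	svc = &corev1.Service{}
	pod = &corev1.Pod{}
	if err = r.Client.Get(ctx, types.NamespacedName{Namespace: ep.Namespace, Name: ep.Name}, svc); err != nil {
		err = fmt.Errorf("failed to get service: %w", err)
		return
	}
	if len(svc.Spec.Selector) == 0 {
		// A selector-less Service selects no pods of its own.
		err = errNotFound
		return
	}
	list := &corev1.PodList{}
	if err = r.Client.List(ctx, list, &client.ListOptions{
		Namespace:     svc.Namespace,
		LabelSelector: labels.Set(svc.Spec.Selector).AsSelector(),
		Limit:         1,
	}); err != nil {
		err = fmt.Errorf("failed to list pod: %v", err)
		return
	}
	if len(list.Items) == 0 {
		err = errNotFound
		return
	}
	pod = &list.Items[0]
	return
}

// SetupWithManager registers this reconciler with mgr for corev1.Endpoints objects.
func (r *EndpointsReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&corev1.Endpoints{}).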
119 | Complete(r) 120 | } 121 | -------------------------------------------------------------------------------- /internal/controller/log_entry_controller.go: -------------------------------------------------------------------------------- 1 | package controller 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "net" 7 | "strings" 8 | 9 | data_accesslog "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3" 10 | "github.com/hexiaodai/fence/internal/cache" 11 | "github.com/hexiaodai/fence/internal/config" 12 | iistio "github.com/hexiaodai/fence/internal/istio" 13 | "k8s.io/apimachinery/pkg/runtime" 14 | "k8s.io/apimachinery/pkg/types" 15 | "k8s.io/client-go/util/retry" 16 | "sigs.k8s.io/controller-runtime/pkg/client" 17 | ) 18 | 19 | type LogEntry struct { 20 | config.Server 21 | client.Client 22 | sidecar *iistio.Sidecar 23 | namespaceCache *cache.Namespace 24 | ipServiceCache *cache.IpService 25 | resource *Resource 26 | scheme *runtime.Scheme 27 | } 28 | 29 | type HTTPAccessLogEntryWrapper struct { 30 | types.NamespacedName 31 | *data_accesslog.HTTPAccessLogEntry 32 | DestinationService DestinationService 33 | } 34 | 35 | type DestinationService int 36 | 37 | const ( 38 | Internal DestinationService = iota 39 | External 40 | ) 41 | 42 | func NewLogEntry(client client.Client, scheme *runtime.Scheme, sidecar *iistio.Sidecar, namespaceCache *cache.Namespace, ipServiceCache *cache.IpService, resource *Resource, server config.Server) *LogEntry { 43 | server.Logger = server.Logger.WithName("StreamLogEntry").WithValues("controller", "LogEntry") 44 | return &LogEntry{ 45 | Client: client, 46 | scheme: scheme, 47 | sidecar: sidecar, 48 | namespaceCache: namespaceCache, 49 | ipServiceCache: ipServiceCache, 50 | resource: resource, 51 | Server: server, 52 | } 53 | } 54 | 55 | func (l *LogEntry) StreamLogEntry(logEntrys []*data_accesslog.HTTPAccessLogEntry) { 56 | for _, entry := range logEntrys { 57 | l.Logger.Sugar().Debugw("StreamLogEntry", "HTTPAccessLogEntry", 
entry) 58 | nn, err := l.getNamespacedName(entry) 59 | if err != nil { 60 | sourceIp, _ := l.ipServiceCache.FetchSourceIp(entry) 61 | l.Logger.Error(err, "failed to get sidecar namespaceName", "source ip", sourceIp) 62 | continue 63 | } 64 | 65 | log := l.Logger.WithValues("namespace", nn.Namespace, "service", nn.Name) 66 | 67 | if isSystemNamespace(l.FenceNamespace, l.IstioNamespace, nn.Namespace) { 68 | log.Sugar().Debugw("skip system namespace", "namespaceName", nn) 69 | continue 70 | } 71 | 72 | entryWrapper := &HTTPAccessLogEntryWrapper{ 73 | DestinationService: l.destinationService(entry), 74 | NamespacedName: nn, 75 | HTTPAccessLogEntry: entry, 76 | } 77 | 78 | retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { 79 | return l.resource.RefreshByHTTPAccessLogEntryWrapper(context.Background(), entryWrapper) 80 | }) 81 | if retryErr != nil { 82 | l.Logger.Error(retryErr, "failed to update sidecar, exceeded the maximum number of conflict retries", "namespaceName", nn) 83 | continue 84 | } 85 | } 86 | } 87 | 88 | func (l *LogEntry) getNamespacedName(entry *data_accesslog.HTTPAccessLogEntry) (out types.NamespacedName, err error) { 89 | sourceIp, err := l.ipServiceCache.FetchSourceIp(entry) 90 | if err != nil { 91 | return 92 | } 93 | sourceSvc, err := l.ipServiceCache.FetchSourceSvc(sourceIp) 94 | if err != nil { 95 | err = fmt.Errorf("failed to get source service. 
source ip is %v", sourceIp) 96 | return 97 | } 98 | return types.NamespacedName{Namespace: sourceSvc.Namespace, Name: sourceSvc.Name}, nil 99 | } 100 | 101 | func (l *LogEntry) destinationService(entry *data_accesslog.HTTPAccessLogEntry) DestinationService { 102 | dest := strings.Split(entry.Request.Authority, ":")[0] 103 | if dest == "" || net.ParseIP(dest) != nil { 104 | return External 105 | } 106 | 107 | destParts := strings.Split(dest, ".") 108 | if len(destParts) == 0 { 109 | return External 110 | } 111 | destSvc := types.NamespacedName{Name: destParts[0]} 112 | if len(destParts) == 1 { 113 | sourceIp, err := l.ipServiceCache.FetchSourceIp(entry) 114 | if err != nil { 115 | return External 116 | } 117 | sourceSvc, err := l.ipServiceCache.FetchSourceSvc(sourceIp) 118 | if err != nil { 119 | return External 120 | } 121 | destSvc.Namespace = sourceSvc.Namespace 122 | } else { 123 | destSvc.Namespace = destParts[1] 124 | } 125 | 126 | if _, ok := l.ipServiceCache.ServiceToIps.Load(destSvc); ok { 127 | return Internal 128 | } 129 | return External 130 | } 131 | -------------------------------------------------------------------------------- /internal/controller/namespace_controller.go: -------------------------------------------------------------------------------- 1 | package controller 2 | 3 | import ( 4 | "context" 5 | goerrors "errors" 6 | "fmt" 7 | 8 | "github.com/hexiaodai/fence/internal/cache" 9 | "github.com/hexiaodai/fence/internal/config" 10 | "github.com/hexiaodai/fence/internal/istio" 11 | corev1 "k8s.io/api/core/v1" 12 | "k8s.io/apimachinery/pkg/api/errors" 13 | "k8s.io/apimachinery/pkg/labels" 14 | "k8s.io/apimachinery/pkg/runtime" 15 | "k8s.io/apimachinery/pkg/types" 16 | ctrl "sigs.k8s.io/controller-runtime" 17 | "sigs.k8s.io/controller-runtime/pkg/client" 18 | ) 19 | 20 | type NamespaceReconciler struct { 21 | config.Server 22 | client.Client 23 | Scheme *runtime.Scheme 24 | Sidecar *istio.Sidecar 25 | NamespaceCache *cache.Namespace 26 | Resource 
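*Resource
}

// NamespaceReconcilerOpts mutates a NamespaceReconciler during construction.
type NamespaceReconcilerOpts func(*NamespaceReconciler)

// NewNamespaceReconciler applies opts to an empty NamespaceReconciler and then
// derives a named logger from whatever Logger the options installed.
func NewNamespaceReconciler(opts ...NamespaceReconcilerOpts) *NamespaceReconciler {
	r := &NamespaceReconciler{}
	for _, opt := range opts {
		opt(r)
	}
	r.Logger = r.Logger.WithName("Reconciler").WithValues("controller", "Namespace")
	return r
}

// Reconcile handles one Namespace: it skips system namespaces, deleted objects
// and namespaces labelled as disabled, then walks every Service in the
// namespace and refreshes the Fence resources for each Service whose pod has
// Fence enabled and carries the istio-proxy container.
//
// A conflict from RefreshByService requeues the whole namespace. Other refresh
// errors are logged and the loop moves on to the next Service.
func (r *NamespaceReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
	log := r.Logger.WithValues("namespace", request.Namespace, "name", request.Name)

	if isSystemNamespace(r.FenceNamespace, r.IstioNamespace, request.Name) {
		log.Sugar().Debugw("skip system namespace", "namespaceName", request.NamespacedName)
		return ctrl.Result{}, nil
	}

	instance := &corev1.Namespace{}
	if err := r.Client.Get(ctx, request.NamespacedName, instance); err != nil {
		if errors.IsNotFound(err) {
			log.Sugar().Debugw("resource not found. ignoring since object must be deleted", "namespaceName", request.NamespacedName)
			return ctrl.Result{}, nil
		}
		return ctrl.Result{}, fmt.Errorf("failed to get namespace: %v", err)
	}

	if namespaceIsDisable(instance) {
		log.Sugar().Debugw("skip disabled namespace", "namespaceName", request.NamespacedName)
		return ctrl.Result{}, nil
	}

	svcList := &corev1.ServiceList{}
	if err := r.Client.List(ctx, svcList, &client.ListOptions{Namespace: instance.Name}); err != nil && !errors.IsNotFound(err) {
		return ctrl.Result{}, err
	}

	for i := range svcList.Items {
		svc := &svcList.Items[i]
		nn := types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}

		pod, err := r.fetchPod(ctx, svc)
		if err != nil {
			if !goerrors.Is(err, errNotFound) && !errors.IsNotFound(err) {
				log.Error(err, "failed to fetch pod", "namespaceName", nn)
			}
			continue
		}

		// Skip when EITHER check fails, matching EndpointsReconciler.Reconcile and
		// the log message below. The previous "&&" only skipped when both failed,
		// so a pod labelled sidecar.fence.io=disable was still processed whenever
		// it had an istio-proxy container.
		if !fenceIsEnabled(r.NamespaceCache, r.AutoFence, pod) || !isInjectSidecar(pod) {
			log.Sugar().Debugw("skip namespace without fence enabled or without sidecar injected", "namespaceName", nn)
			continue
		}

		if err := r.Resource.RefreshByService(ctx, svc); err != nil {
			if errors.IsConflict(err) {
				log.Sugar().Debugw(err.Error(), "namespaceName", nn)
				return ctrl.Result{Requeue: true}, nil
			}
			// Previously dropped without a trace; keep best-effort semantics but
			// make the failure visible.
			log.Error(err, "failed to refresh resource", "namespaceName", nn)
		}
	}

	return ctrl.Result{}, nil
}

// fetchPod returns one pod matched by svc's selector, looked up only inside
// svc's own namespace.
//
// The pod feeds the sidecar.fence.io label checks in Reconcile, so a pod from
// another namespace with the same labels must never be picked. A Service with
// an empty selector yields errNotFound, because an empty label set converts to
// a selector that matches every pod.
func (r *NamespaceReconciler) fetchPod(ctx context.Context, svc *corev1.Service) (*corev1.Pod, error) {
	if len(svc.Spec.Selector) == 0 {
		return nil, errNotFound
	}
	list := &corev1.PodList{}
	if err := r.Client.List(ctx, list, &client.ListOptions{
		Namespace:     svc.Namespace,
		LabelSelector: labels.Set(svc.Spec.Selector).AsSelector(),
		Limit:         1,
	}); err != nil {
		return nil, fmt.Errorf("failed to list pod: %v", err)
	}
	if len(list.Items) == 0 {
		return nil, errNotFound
	}
	return &list.Items[0], nil
}

// SetupWithManager registers this reconciler with mgr for corev1.Namespace objects.
func (r *NamespaceReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&corev1.Namespace{}).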
110 | Complete(r) 111 | } 112 | -------------------------------------------------------------------------------- /internal/controller/resource.go: -------------------------------------------------------------------------------- 1 | package controller 2 | 3 | import ( 4 | "context" 5 | goerrors "errors" 6 | "fmt" 7 | "reflect" 8 | 9 | "github.com/hexiaodai/fence/internal/cache" 10 | "github.com/hexiaodai/fence/internal/config" 11 | iistio "github.com/hexiaodai/fence/internal/istio" 12 | networkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3" 13 | corev1 "k8s.io/api/core/v1" 14 | "k8s.io/apimachinery/pkg/api/errors" 15 | "k8s.io/apimachinery/pkg/runtime" 16 | "k8s.io/apimachinery/pkg/types" 17 | "k8s.io/apimachinery/pkg/util/intstr" 18 | ctrl "sigs.k8s.io/controller-runtime" 19 | "sigs.k8s.io/controller-runtime/pkg/client" 20 | ) 21 | 22 | type Resource struct { 23 | config.Server 24 | client.Client 25 | scheme *runtime.Scheme 26 | sidecar *iistio.Sidecar 27 | namespaceCache *cache.Namespace 28 | } 29 | 30 | func NewResource(client client.Client, sidecar *iistio.Sidecar, namespaceCache *cache.Namespace, server config.Server, scheme *runtime.Scheme) *Resource { 31 | server.Logger = server.Logger.WithName("Refresh").WithValues("controller", "Resource") 32 | return &Resource{ 33 | Client: client, 34 | sidecar: sidecar, 35 | namespaceCache: namespaceCache, 36 | Server: server, 37 | scheme: scheme, 38 | } 39 | } 40 | 41 | func (r *Resource) RefreshByService(ctx context.Context, obj *corev1.Service) error { 42 | nn := types.NamespacedName{Namespace: obj.Namespace, Name: obj.Name}.String() 43 | r.Logger.Sugar().Debugw("refreshing resources through Service", "function", "RefreshByService", "namespaceName", nn) 44 | if err := r.BindPortToFence(ctx, obj.Spec.Ports); err != nil { 45 | if errors.IsConflict(err) { 46 | return err 47 | } 48 | return fmt.Errorf("failed to bind port. namespaceName %v. 
%w", nn, err) 49 | } 50 | if err := r.CreateSidecar(ctx, obj); err != nil { 51 | return fmt.Errorf("failed to create sidecar. namespaceName %v. %w", nn, err) 52 | } 53 | if err := r.AddServiceToEnvoyFilter(ctx, obj); err != nil { 54 | if errors.IsConflict(err) { 55 | return err 56 | } 57 | return fmt.Errorf("failed to update envoy filter. namespaceName %v. %w", nn, err) 58 | } 59 | r.Logger.Sugar().Debugw("refreshing resources successfully", "function", "RefreshByService", "namespaceName", nn) 60 | return nil 61 | } 62 | 63 | func (r *Resource) RefreshByHTTPAccessLogEntryWrapper(ctx context.Context, obj *HTTPAccessLogEntryWrapper) error { 64 | nn := obj.NamespacedName.String() 65 | r.Logger.Sugar().Debugw("refreshing resources through HTTPAccessLog", "function", "RefreshByHTTPAccessLogEntryWrapper", "namespaceName", nn) 66 | if obj.DestinationService == Internal { 67 | if err := r.AddDestinationServiceToSidecar(obj); err != nil { 68 | return fmt.Errorf("failed to add destination service to sidecar. namespaceName: %v. %w", nn, err) 69 | } 70 | } else if obj.DestinationService == External { 71 | if err := r.AddExternalServiceToEnvoyFilter(obj); err != nil { 72 | return fmt.Errorf("failed to add external service to envoyFilter. namespaceName: %v. 
%w", nn, err) 73 | } 74 | } else { 75 | r.Logger.Sugar().Warnw("unknown DestinationService", "function", "RefreshByHTTPAccessLogEntryWrapper", "namespaceName", nn) 76 | } 77 | r.Logger.Sugar().Debugw("refreshing resources successfully", "function", "RefreshByHTTPAccessLogEntryWrapper", "namespaceName", nn) 78 | return nil 79 | } 80 | 81 | func (r *Resource) CreateSidecar(ctx context.Context, svc *corev1.Service) error { 82 | nn := types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name} 83 | log := r.Logger.WithName(nn.String()).WithValues("function", "CreateSidecar") 84 | 85 | sidecar, err := r.sidecar.Generate(svc) 86 | if err != nil { 87 | if goerrors.Is(err, iistio.ErrNoLabelSelector) { 88 | log.Sugar().Warnw("skip create sidecar", "namespaceName", nn, "error", err) 89 | return nil 90 | } 91 | return err 92 | } 93 | if err := ctrl.SetControllerReference(svc, sidecar, r.scheme); err != nil { 94 | return err 95 | } 96 | if err := r.Client.Create(context.Background(), sidecar); err != nil { 97 | if errors.IsAlreadyExists(err) { 98 | log.Sugar().Warnw("skip create sidecar", "namespaceName", nn, "error", err) 99 | return nil 100 | } 101 | return err 102 | } 103 | log.Sugar().Debugw("create sidecar successfully", "function", "CreateSidecar", "namespaceName", nn) 104 | return nil 105 | } 106 | 107 | func (r *Resource) AddDestinationServiceToSidecar(entry *HTTPAccessLogEntryWrapper) error { 108 | log := r.Logger.WithName(entry.NamespacedName.String()).WithValues("function", "AddDestinationServiceToSidecar") 109 | 110 | found := &networkingv1alpha3.Sidecar{} 111 | if err := r.Client.Get(context.Background(), entry.NamespacedName, found); err != nil { 112 | if errors.IsNotFound(err) { 113 | log.Sugar().Warnw("skip add destination to sidecar", "namespaceName", entry.NamespacedName, "error", err) 114 | return nil 115 | } 116 | return fmt.Errorf("failed to get sidecar. namespaceName %v. 
%w", entry.NamespacedName, err) 117 | } 118 | 119 | if err := r.sidecar.AddDestinationSvcToEgress(found, entry.HTTPAccessLogEntry); err != nil { 120 | return fmt.Errorf("failed to add destination service to egress. namespaceName %v. %w", entry.NamespacedName, err) 121 | } 122 | if err := r.Client.Update(context.Background(), found); err != nil { 123 | return err 124 | } 125 | log.Sugar().Debugw("destination added successfully to sidecar", "function", "AddDestinationServiceToSidecar", "namespaceName", entry.NamespacedName) 126 | return nil 127 | } 128 | 129 | func (r *Resource) AddServiceToEnvoyFilter(ctx context.Context, svc *corev1.Service) error { 130 | nn := types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name} 131 | log := r.Logger.WithName(nn.String()).WithValues("function", "AddServiceToEnvoyFilter") 132 | 133 | envoyFilter := &networkingv1alpha3.EnvoyFilter{} 134 | if err := r.Client.Get(ctx, types.NamespacedName{Namespace: r.IstioNamespace, Name: "fence-proxy"}, envoyFilter); err != nil { 135 | return err 136 | } 137 | iistio.MergeFenceProxyEnvoyFilter(&envoyFilter.Spec, svc) 138 | if err := r.Client.Update(ctx, envoyFilter); err != nil { 139 | return err 140 | } 141 | log.Sugar().Debugw("service added successfully to envoyFilter", "function", "AddServiceToEnvoyFilter", "namespaceName", nn) 142 | return nil 143 | } 144 | 145 | func (r *Resource) AddExternalServiceToEnvoyFilter(entry *HTTPAccessLogEntryWrapper) error { 146 | nn := types.NamespacedName{Namespace: r.IstioNamespace, Name: "fence-proxy"} 147 | log := r.Logger.WithName(nn.String()).WithValues("function", "AddExternalServiceToEnvoyFilter") 148 | 149 | found := &networkingv1alpha3.EnvoyFilter{} 150 | if err := r.Client.Get(context.Background(), nn, found); err != nil { 151 | if errors.IsNotFound(err) { 152 | log.Sugar().Warnw("skip add external service to envoyFilter", "namespaceName", nn, "error", err) 153 | return nil 154 | } 155 | return fmt.Errorf("failed to get envoyFilter. 
namespaceName %v. %w", nn.String(), err) 156 | } 157 | iistio.AddExternalServiceToRouteConfigUration(entry.Request.Authority, found) 158 | if err := r.Client.Update(context.Background(), found); err != nil { 159 | return err 160 | } 161 | log.Sugar().Debugw("external service added successfully to envoyFilter", "function", "AddExternalServiceToEnvoyFilter", "namespaceName", nn) 162 | return nil 163 | } 164 | 165 | func (r *Resource) BindPortToFence(ctx context.Context, sps []corev1.ServicePort) error { 166 | nn := types.NamespacedName{Namespace: r.FenceNamespace, Name: "fence-proxy"} 167 | log := r.Logger.WithName(nn.String()).WithValues("function", "BindPortToFence") 168 | 169 | fenceProxySvc := &corev1.Service{} 170 | if err := r.Client.Get(context.Background(), nn, fenceProxySvc); err != nil { 171 | return err 172 | } 173 | newsps := []corev1.ServicePort{} 174 | indexer := map[int32]struct{}{} 175 | for _, p := range fenceProxySvc.Spec.Ports { 176 | newsps = append(newsps, p) 177 | indexer[p.Port] = struct{}{} 178 | } 179 | for _, p := range sps { 180 | if p.Protocol != corev1.ProtocolTCP { 181 | continue 182 | } 183 | if _, ok := indexer[p.Port]; ok { 184 | continue 185 | } 186 | sp := corev1.ServicePort{ 187 | Name: fmt.Sprintf("http-%v", p.Port), 188 | Protocol: corev1.ProtocolTCP, 189 | Port: p.Port, 190 | TargetPort: intstr.Parse(r.WormholePort), 191 | } 192 | newsps = append(newsps, sp) 193 | } 194 | if reflect.DeepEqual(newsps, fenceProxySvc.Spec.Ports) { 195 | log.Sugar().Debugw("skip bind port to fence. 
no port bind required", "namespaceName", nn) 196 | return nil 197 | } 198 | fenceProxySvc.Spec.Ports = newsps 199 | 200 | if err := r.Client.Update(context.Background(), fenceProxySvc); err != nil { 201 | return err 202 | } 203 | log.Sugar().Debugw("ports bind successfully to fence", "function", "BindPortToFence", "namespaceName", nn) 204 | return nil 205 | } 206 | -------------------------------------------------------------------------------- /internal/controller/runner.go: -------------------------------------------------------------------------------- 1 | package controller 2 | 3 | import ( 4 | "context" 5 | 6 | icache "github.com/hexiaodai/fence/internal/cache" 7 | "github.com/hexiaodai/fence/internal/config" 8 | "github.com/hexiaodai/fence/internal/istio" 9 | "github.com/hexiaodai/fence/internal/metric" 10 | networkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3" 11 | corev1 "k8s.io/api/core/v1" 12 | "k8s.io/apimachinery/pkg/runtime" 13 | uruntime "k8s.io/apimachinery/pkg/util/runtime" 14 | ctrl "sigs.k8s.io/controller-runtime" 15 | "sigs.k8s.io/controller-runtime/pkg/healthz" 16 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 17 | ) 18 | 19 | func New(server config.Server) *Runner { 20 | return &Runner{server} 21 | } 22 | 23 | type Runner struct { 24 | config.Server 25 | } 26 | 27 | func (r *Runner) Name() string { 28 | return "Runner" 29 | } 30 | 31 | func (r *Runner) Start(ctx context.Context) error { 32 | r.Logger = r.Logger.WithName(r.Name()).WithValues("controller", r.Name()) 33 | 34 | ctrl.SetLogger(zap.New(zap.UseFlagOptions(&zap.Options{ 35 | Development: true, 36 | }))) 37 | 38 | scheme := runtime.NewScheme() 39 | uruntime.Must(corev1.AddToScheme(scheme)) 40 | uruntime.Must(networkingv1alpha3.AddToScheme(scheme)) 41 | 42 | mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 43 | Scheme: scheme, 44 | Port: 9443, 45 | LeaderElectionID: "fence-controller", 46 | LeaderElection: true, 47 | LeaderElectionNamespace: 
r.FenceNamespace, 48 | }) 49 | if err != nil { 50 | r.Logger.Error(err, "start controllers failed") 51 | return err 52 | } 53 | 54 | if err := r.registerControllers(mgr); err != nil { 55 | r.Logger.Error(err, "register controllers failed") 56 | return err 57 | } 58 | 59 | go func() { 60 | if err := mgr.Start(ctx); err != nil { 61 | panic(err) 62 | } 63 | }() 64 | 65 | r.Logger.Info("started") 66 | return nil 67 | } 68 | 69 | func (r *Runner) registerControllers(mgr ctrl.Manager) error { 70 | ipService := icache.NewIpService(r.Server) 71 | if err := ipService.Start(context.Background()); err != nil { 72 | return err 73 | } 74 | namespaceCache := icache.NewNamespace(r.Server) 75 | if err := namespaceCache.Start(context.Background()); err != nil { 76 | return err 77 | } 78 | 79 | sidecar := istio.NewSidecar(ipService, r.Server) 80 | 81 | resource := NewResource(mgr.GetClient(), sidecar, namespaceCache, r.Server, mgr.GetScheme()) 82 | 83 | if err := NewEndpointsReconciler(func(sr *EndpointsReconciler) { 84 | sr.Client = mgr.GetClient() 85 | sr.Scheme = mgr.GetScheme() 86 | sr.Sidecar = sidecar 87 | sr.NamespaceCache = namespaceCache 88 | sr.Resource = resource 89 | sr.Server = r.Server 90 | }).SetupWithManager(mgr); err != nil { 91 | return err 92 | } 93 | 94 | if err := NewNamespaceReconciler(func(nr *NamespaceReconciler) { 95 | nr.Client = mgr.GetClient() 96 | nr.Scheme = mgr.GetScheme() 97 | nr.Sidecar = sidecar 98 | nr.NamespaceCache = namespaceCache 99 | nr.Resource = resource 100 | nr.Server = r.Server 101 | }).SetupWithManager(mgr); err != nil { 102 | return err 103 | } 104 | 105 | metricrunner := metric.New(r.Server) 106 | if err := metricrunner.Start(context.Background()); err != nil { 107 | return err 108 | } 109 | le := NewLogEntry(mgr.GetClient(), mgr.GetScheme(), sidecar, namespaceCache, ipService, resource, r.Server) 110 | metricrunner.RegisterHttpLogEntry(le) 111 | 112 | if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { 113 | return 
err 114 | } 115 | if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { 116 | return err 117 | } 118 | 119 | return nil 120 | } 121 | -------------------------------------------------------------------------------- /internal/controller/utils.go: -------------------------------------------------------------------------------- 1 | package controller 2 | 3 | import ( 4 | "github.com/hexiaodai/fence/internal/cache" 5 | iconfig "github.com/hexiaodai/fence/internal/config" 6 | corev1 "k8s.io/api/core/v1" 7 | ) 8 | 9 | type VarNamespace interface { 10 | *corev1.Namespace | *cache.Namespace 11 | } 12 | 13 | func fenceIsEnabled[T VarNamespace](namespace T, autoFence bool, pod *corev1.Pod) bool { 14 | var nsEnabled bool 15 | switch any(namespace).(type) { 16 | case *corev1.Namespace: 17 | // namespace 18 | ns, ok := any(namespace).(*corev1.Namespace) 19 | if !ok { 20 | return false 21 | } 22 | nsEnabled = ns.Labels[iconfig.SidecarFenceLabel] == iconfig.SidecarFenceValueEnabled 23 | if ns.Labels[iconfig.SidecarFenceLabel] == iconfig.SidecarFenceValueDisable { 24 | return false 25 | } 26 | case *cache.Namespace: 27 | // namespace 28 | nsc, ok := any(namespace).(*cache.Namespace) 29 | if !ok { 30 | return false 31 | } 32 | nsEnabled = nsc.IsEnabled(pod.Namespace) 33 | if nsc.IsDisable(pod.Namespace) { 34 | return false 35 | } 36 | default: 37 | return false 38 | } 39 | // pod 40 | if pod.Labels[iconfig.SidecarFenceLabel] == iconfig.SidecarFenceValueDisable { 41 | return false 42 | } 43 | 44 | svcEnabled := pod.Labels[iconfig.SidecarFenceLabel] == iconfig.SidecarFenceValueEnabled 45 | return autoFence || nsEnabled || svcEnabled 46 | } 47 | 48 | func namespaceIsDisable(ns *corev1.Namespace) bool { 49 | return ns.Labels[iconfig.SidecarFenceLabel] == iconfig.SidecarFenceValueDisable 50 | } 51 | 52 | func isInjectSidecar(pod *corev1.Pod) bool { 53 | for _, container := range pod.Spec.Containers { 54 | if container.Name == "istio-proxy" { 55 | return true 56 | } 57 | } 
58 | return false 59 | } 60 | 61 | func isSystemNamespace(namespace, istioNamespace, targetNs string) bool { 62 | include := map[string]struct{}{namespace: {}, istioNamespace: {}, "kube-system": {}} 63 | _, ok := include[targetNs] 64 | return ok 65 | } 66 | -------------------------------------------------------------------------------- /internal/healthz/runner.go: -------------------------------------------------------------------------------- 1 | package healthz 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | 7 | "github.com/hexiaodai/fence/internal/config" 8 | ) 9 | 10 | func New(server config.Server) *Runner { 11 | server.Logger = server.Logger.WithName("Runner").WithValues("healthz", "Runner") 12 | return &Runner{Server: server} 13 | } 14 | 15 | type Runner struct { 16 | healthz *healthz 17 | config.Server 18 | } 19 | 20 | func (r *Runner) Start() error { 21 | if r.ProbePort == r.WormholePort { 22 | return fmt.Errorf("health check port is conflict with wormholePort. conflict port is %v", r.ProbePort) 23 | } 24 | addr := fmt.Sprintf(":%v", r.ProbePort) 25 | go func() { 26 | if err := http.ListenAndServe(addr, r.healthz); err != nil { 27 | r.Logger.Error(err, "failed to start health check listener", "addr", r.ProbePort) 28 | return 29 | } 30 | }() 31 | 32 | r.Logger.Info("started") 33 | return nil 34 | } 35 | 36 | type healthz struct{} 37 | 38 | func (h *healthz) ServeHTTP(w http.ResponseWriter, req *http.Request) {} 39 | -------------------------------------------------------------------------------- /internal/istio/envoyfilter.go: -------------------------------------------------------------------------------- 1 | package istio 2 | 3 | import ( 4 | "fmt" 5 | "strconv" 6 | "strings" 7 | 8 | "google.golang.org/protobuf/types/known/structpb" 9 | "istio.io/api/networking/v1alpha3" 10 | networkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3" 11 | corev1 "k8s.io/api/core/v1" 12 | ) 13 | 14 | var ( 15 | fenceProxyMatch = 
&v1alpha3.EnvoyFilter_ProxyMatch{Metadata: map[string]string{"FENCE_APP": "FENCE_PROXY"}} 16 | emptyProxyMatch = &v1alpha3.EnvoyFilter_ProxyMatch{} 17 | 18 | allowAnyVhost = &v1alpha3.EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch{Name: "allow_any"} 19 | fenceProxyVhost = &v1alpha3.EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch{Name: "fence_proxy"} 20 | ) 21 | 22 | func MergeFenceProxyEnvoyFilter(envoyFilter *v1alpha3.EnvoyFilter, svc *corev1.Service) { 23 | for _, port := range svc.Spec.Ports { 24 | if port.Protocol != corev1.ProtocolTCP { 25 | continue 26 | } 27 | if !alreadyAllowAnyVirtualHost(envoyFilter, port) { 28 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateVirtualHost(port, emptyProxyMatch, allowAnyVhost)) 29 | } 30 | if !alreadyVirtualHost(envoyFilter, port) { 31 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateVirtualHost(port, fenceProxyMatch, fenceProxyVhost)) 32 | } 33 | if !alreadyRouteConfigUration(envoyFilter, port) { 34 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateRouteConfigUration(port)) 35 | } 36 | if !alreadyAllowAnyNewRouteConfigUration(envoyFilter, port) { 37 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateRouteConfigUrationAllowAnyNew(port)) 38 | } 39 | if !alreadyHttpFilter(envoyFilter, port) { 40 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateHttpFilter(port)) 41 | } 42 | if !alreadyHttpRoute(envoyFilter, port) { 43 | envoyFilter.ConfigPatches = append(envoyFilter.ConfigPatches, generateHttpRoute(port, fenceProxyVhost)) 44 | } 45 | } 46 | } 47 | 48 | func generateVirtualHost(svcPort corev1.ServicePort, proxyMatch *v1alpha3.EnvoyFilter_ProxyMatch, vhost *v1alpha3.EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) *v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch { 49 | config := &v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ 50 | ApplyTo: v1alpha3.EnvoyFilter_VIRTUAL_HOST, 51 | Match: 
&v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ 52 | Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, 53 | Proxy: proxyMatch, 54 | ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration{ 55 | RouteConfiguration: &v1alpha3.EnvoyFilter_RouteConfigurationMatch{ 56 | Name: strconv.Itoa(int(svcPort.Port)), 57 | Vhost: vhost, 58 | }, 59 | }, 60 | }, 61 | Patch: &v1alpha3.EnvoyFilter_Patch{ 62 | Operation: v1alpha3.EnvoyFilter_Patch_REMOVE, 63 | Value: &structpb.Struct{}, 64 | }, 65 | } 66 | return config 67 | } 68 | 69 | func generateRouteConfigUration(svcPort corev1.ServicePort) *v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch { 70 | config := &v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ 71 | ApplyTo: v1alpha3.EnvoyFilter_ROUTE_CONFIGURATION, 72 | Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ 73 | Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, 74 | ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration{ 75 | RouteConfiguration: &v1alpha3.EnvoyFilter_RouteConfigurationMatch{ 76 | Name: strconv.Itoa(int(svcPort.Port)), 77 | }, 78 | }, 79 | }, 80 | Patch: &v1alpha3.EnvoyFilter_Patch{ 81 | Operation: v1alpha3.EnvoyFilter_Patch_MERGE, 82 | Value: &structpb.Struct{ 83 | Fields: map[string]*structpb.Value{ 84 | "request_headers_to_add": { 85 | Kind: &structpb.Value_ListValue{ 86 | ListValue: &structpb.ListValue{ 87 | Values: []*structpb.Value{ 88 | { 89 | Kind: &structpb.Value_StructValue{ 90 | StructValue: &structpb.Struct{ 91 | Fields: map[string]*structpb.Value{ 92 | "append": { 93 | Kind: &structpb.Value_BoolValue{BoolValue: true}, 94 | }, 95 | "header": { 96 | Kind: &structpb.Value_StructValue{ 97 | StructValue: &structpb.Struct{ 98 | Fields: map[string]*structpb.Value{ 99 | "key": {Kind: &structpb.Value_StringValue{StringValue: "Fence-Orig-Dest"}}, 100 | "value": {Kind: &structpb.Value_StringValue{StringValue: "%DOWNSTREAM_LOCAL_ADDRESS%"}}, 101 | }, 102 | }, 103 | }, 104 | }, 105 | }, 106 | }, 107 | }, 108 | }, 109 | }, 110 
| }, 111 | }}, 112 | "virtual_hosts": { 113 | Kind: &structpb.Value_ListValue{ 114 | ListValue: &structpb.ListValue{ 115 | Values: []*structpb.Value{ 116 | { 117 | Kind: &structpb.Value_StructValue{ 118 | StructValue: &structpb.Struct{ 119 | Fields: map[string]*structpb.Value{ 120 | "domains": { 121 | Kind: &structpb.Value_ListValue{ 122 | ListValue: &structpb.ListValue{ 123 | Values: []*structpb.Value{ 124 | { 125 | Kind: &structpb.Value_StringValue{StringValue: "*"}, 126 | }, 127 | }, 128 | }, 129 | }, 130 | }, 131 | "name": { 132 | Kind: &structpb.Value_StringValue{StringValue: "fence_proxy"}, 133 | }, 134 | "routes": { 135 | Kind: &structpb.Value_ListValue{ 136 | ListValue: &structpb.ListValue{ 137 | Values: []*structpb.Value{ 138 | { 139 | Kind: &structpb.Value_StructValue{ 140 | StructValue: &structpb.Struct{ 141 | Fields: map[string]*structpb.Value{ 142 | "match": { 143 | Kind: &structpb.Value_StructValue{ 144 | StructValue: &structpb.Struct{ 145 | Fields: map[string]*structpb.Value{ 146 | "headers": { 147 | Kind: &structpb.Value_ListValue{ 148 | ListValue: &structpb.ListValue{ 149 | Values: []*structpb.Value{ 150 | { 151 | Kind: &structpb.Value_StructValue{ 152 | StructValue: &structpb.Struct{ 153 | Fields: map[string]*structpb.Value{ 154 | "name": {Kind: &structpb.Value_StringValue{ 155 | StringValue: ":authority"}}, 156 | "string_match": { 157 | Kind: &structpb.Value_StructValue{ 158 | StructValue: &structpb.Struct{ 159 | Fields: map[string]*structpb.Value{ 160 | "safe_regex": { 161 | Kind: &structpb.Value_StructValue{ 162 | StructValue: &structpb.Struct{ 163 | Fields: map[string]*structpb.Value{ 164 | "regex": { 165 | Kind: &structpb.Value_StringValue{ 166 | StringValue: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?::([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5][0-5][0-3][0-5]))?$`, 167 | }, 168 | }, 169 | "google_re2": {Kind: &structpb.Value_StructValue{StructValue: &structpb.Struct{Fields: 
map[string]*structpb.Value{}}}}, 170 | }, 171 | }, 172 | }, 173 | }, 174 | }, 175 | }, 176 | }, 177 | }, 178 | }, 179 | }, 180 | }, 181 | }, 182 | }, 183 | }, 184 | }, 185 | }, 186 | "prefix": { 187 | Kind: &structpb.Value_StringValue{StringValue: "/"}, 188 | }, 189 | }, 190 | }, 191 | }, 192 | }, 193 | "route": { 194 | Kind: &structpb.Value_StructValue{ 195 | StructValue: &structpb.Struct{ 196 | Fields: map[string]*structpb.Value{ 197 | "cluster": {Kind: &structpb.Value_StringValue{StringValue: "PassthroughCluster"}}, 198 | "timeout": {Kind: &structpb.Value_StringValue{StringValue: "0s"}}, 199 | }, 200 | }, 201 | }, 202 | }, 203 | }, 204 | }, 205 | }, 206 | }, 207 | { 208 | Kind: &structpb.Value_StructValue{ 209 | StructValue: &structpb.Struct{ 210 | Fields: map[string]*structpb.Value{ 211 | "match": { 212 | Kind: &structpb.Value_StructValue{ 213 | StructValue: &structpb.Struct{ 214 | Fields: map[string]*structpb.Value{ 215 | "prefix": {Kind: &structpb.Value_StringValue{StringValue: "/"}}, 216 | }, 217 | }, 218 | }, 219 | }, 220 | "route": { 221 | Kind: &structpb.Value_StructValue{ 222 | StructValue: &structpb.Struct{ 223 | Fields: map[string]*structpb.Value{ 224 | "cluster": {Kind: &structpb.Value_StringValue{StringValue: "outbound|80||fence-proxy.fence.svc.cluster.local"}}, 225 | "timeout": {Kind: &structpb.Value_StringValue{StringValue: "0s"}}, 226 | }, 227 | }, 228 | }, 229 | }, 230 | }, 231 | }, 232 | }, 233 | }, 234 | }, 235 | }, 236 | }, 237 | }, 238 | }, 239 | }, 240 | }, 241 | }, 242 | }, 243 | }, 244 | }, 245 | }, 246 | }, 247 | }, 248 | }, 249 | } 250 | return config 251 | } 252 | 253 | func generateRouteConfigUrationAllowAnyNew(svcPort corev1.ServicePort) *v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch { 254 | config := &v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ 255 | ApplyTo: v1alpha3.EnvoyFilter_ROUTE_CONFIGURATION, 256 | Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ 257 | Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, 258 | Proxy: 
fenceProxyMatch, 259 | ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration{ 260 | RouteConfiguration: &v1alpha3.EnvoyFilter_RouteConfigurationMatch{ 261 | Name: strconv.Itoa(int(svcPort.Port)), 262 | }, 263 | }, 264 | }, 265 | Patch: &v1alpha3.EnvoyFilter_Patch{ 266 | Operation: v1alpha3.EnvoyFilter_Patch_MERGE, 267 | Value: &structpb.Struct{ 268 | Fields: map[string]*structpb.Value{ 269 | "virtual_hosts": { 270 | Kind: &structpb.Value_ListValue{ 271 | ListValue: &structpb.ListValue{ 272 | Values: []*structpb.Value{ 273 | { 274 | Kind: &structpb.Value_StructValue{ 275 | StructValue: &structpb.Struct{ 276 | Fields: map[string]*structpb.Value{ 277 | "domains": { 278 | Kind: &structpb.Value_ListValue{ 279 | ListValue: &structpb.ListValue{ 280 | Values: []*structpb.Value{ 281 | { 282 | Kind: &structpb.Value_StringValue{StringValue: "*"}, 283 | }, 284 | }, 285 | }, 286 | }, 287 | }, 288 | "name": { 289 | Kind: &structpb.Value_StringValue{StringValue: "allow_any_new"}, 290 | }, 291 | "routes": { 292 | Kind: &structpb.Value_ListValue{ 293 | ListValue: &structpb.ListValue{ 294 | Values: []*structpb.Value{ 295 | { 296 | Kind: &structpb.Value_StructValue{ 297 | StructValue: &structpb.Struct{ 298 | Fields: map[string]*structpb.Value{ 299 | "match": { 300 | Kind: &structpb.Value_StructValue{ 301 | StructValue: &structpb.Struct{ 302 | Fields: map[string]*structpb.Value{ 303 | "prefix": { 304 | Kind: &structpb.Value_StringValue{StringValue: "/"}, 305 | }, 306 | }, 307 | }, 308 | }, 309 | }, 310 | "route": { 311 | Kind: &structpb.Value_StructValue{ 312 | StructValue: &structpb.Struct{ 313 | Fields: map[string]*structpb.Value{ 314 | "cluster": {Kind: &structpb.Value_StringValue{StringValue: "PassthroughCluster"}}, 315 | "timeout": {Kind: &structpb.Value_StringValue{StringValue: "0s"}}, 316 | }, 317 | }, 318 | }, 319 | }, 320 | }, 321 | }, 322 | }, 323 | }, 324 | }, 325 | }, 326 | }, 327 | }, 328 | }, 329 | }, 330 | }, 331 | }, 332 | }, 333 | }, 334 | }, 
335 | }, 336 | }, 337 | }, 338 | }, 339 | } 340 | return config 341 | } 342 | 343 | func generateHttpFilter(svcPort corev1.ServicePort) *v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch { 344 | config := &v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ 345 | ApplyTo: v1alpha3.EnvoyFilter_HTTP_FILTER, 346 | Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ 347 | Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, 348 | ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_Listener{ 349 | Listener: &v1alpha3.EnvoyFilter_ListenerMatch{ 350 | FilterChain: &v1alpha3.EnvoyFilter_ListenerMatch_FilterChainMatch{ 351 | Filter: &v1alpha3.EnvoyFilter_ListenerMatch_FilterMatch{ 352 | Name: "envoy.filters.network.http_connection_manager", 353 | SubFilter: &v1alpha3.EnvoyFilter_ListenerMatch_SubFilterMatch{ 354 | Name: "envoy.filters.http.router", 355 | }, 356 | }, 357 | }, 358 | Name: fmt.Sprintf("0.0.0.0_%v", svcPort.Port), 359 | }, 360 | }, 361 | }, 362 | Patch: &v1alpha3.EnvoyFilter_Patch{ 363 | Operation: v1alpha3.EnvoyFilter_Patch_INSERT_BEFORE, 364 | Value: &structpb.Struct{ 365 | Fields: map[string]*structpb.Value{ 366 | "name": { 367 | Kind: &structpb.Value_StringValue{StringValue: "envoy.filters.http.lua"}, 368 | }, 369 | "typed_config": { 370 | Kind: &structpb.Value_StructValue{ 371 | StructValue: &structpb.Struct{ 372 | Fields: map[string]*structpb.Value{ 373 | "@type": {Kind: &structpb.Value_StringValue{StringValue: "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"}}, 374 | "inline_code": {Kind: &structpb.Value_StringValue{StringValue: "-- place holder"}}, 375 | "source_codes": { 376 | Kind: &structpb.Value_StructValue{ 377 | StructValue: &structpb.Struct{ 378 | Fields: map[string]*structpb.Value{ 379 | "add.lua": { 380 | Kind: &structpb.Value_StructValue{ 381 | StructValue: &structpb.Struct{ 382 | Fields: map[string]*structpb.Value{ 383 | "inline_string": { 384 | Kind: &structpb.Value_StringValue{ 385 | StringValue: "function 
envoy_on_request(request_handle) request_handle:headers():replace(\"Fence-Source-Ns\", os.getenv(\"POD_NAMESPACE\")) end", 386 | }, 387 | }, 388 | }, 389 | }, 390 | }, 391 | }, 392 | }, 393 | }, 394 | }, 395 | }, 396 | }, 397 | }, 398 | }, 399 | }, 400 | }, 401 | }, 402 | }, 403 | } 404 | return config 405 | } 406 | 407 | func generateHttpRoute(svcPort corev1.ServicePort, vhost *v1alpha3.EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) *v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch { 408 | config := &v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ 409 | ApplyTo: v1alpha3.EnvoyFilter_HTTP_ROUTE, 410 | Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ 411 | Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, 412 | ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration{ 413 | RouteConfiguration: &v1alpha3.EnvoyFilter_RouteConfigurationMatch{ 414 | Name: strconv.Itoa(int(svcPort.Port)), 415 | Vhost: vhost, 416 | }, 417 | }, 418 | }, 419 | Patch: &v1alpha3.EnvoyFilter_Patch{ 420 | Operation: v1alpha3.EnvoyFilter_Patch_MERGE, 421 | Value: &structpb.Struct{ 422 | Fields: map[string]*structpb.Value{ 423 | "typed_per_filter_config": { 424 | Kind: &structpb.Value_StructValue{ 425 | StructValue: &structpb.Struct{ 426 | Fields: map[string]*structpb.Value{ 427 | "envoy.filters.http.lua": { 428 | Kind: &structpb.Value_StructValue{ 429 | StructValue: &structpb.Struct{ 430 | Fields: map[string]*structpb.Value{ 431 | "@type": {Kind: &structpb.Value_StringValue{StringValue: "type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute"}}, 432 | "name": {Kind: &structpb.Value_StringValue{StringValue: "add.lua"}}, 433 | }, 434 | }, 435 | }, 436 | }, 437 | }, 438 | }, 439 | }, 440 | }, 441 | }, 442 | }, 443 | }, 444 | } 445 | return config 446 | } 447 | 448 | func alreadyAllowAnyVirtualHost(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool { 449 | for _, patche := range envoyFilter.ConfigPatches { 450 | if patche.ApplyTo == 
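v1alpha3.EnvoyFilter_VIRTUAL_HOST && 451 | patche.Match.GetRouteConfiguration().GetName() == strconv.Itoa(int(svcPort.Port)) && 452 | patche.Match.GetRouteConfiguration().GetVhost().Name == allowAnyVhost.Name { 453 | return true 454 | } 455 | } 456 | return false 457 | } 458 |

// alreadyVirtualHost reports whether envoyFilter already holds a VIRTUAL_HOST
// patch whose route configuration is named after svcPort.
//
// NOTE(review): the vhost name is not compared, so any VIRTUAL_HOST patch on
// this port counts, including the allow_any one; confirm that is intended.
func alreadyVirtualHost(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool {
	routeName := strconv.Itoa(int(svcPort.Port))
	for _, patch := range envoyFilter.ConfigPatches {
		if patch.ApplyTo != v1alpha3.EnvoyFilter_VIRTUAL_HOST {
			continue
		}
		if patch.Match.GetRouteConfiguration().GetName() == routeName {
			return true
		}
	}
	return false
}

// alreadyRouteConfigUration reports whether envoyFilter already holds a
// ROUTE_CONFIGURATION patch for the route configuration named after svcPort.
func alreadyRouteConfigUration(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool {
	routeName := strconv.Itoa(int(svcPort.Port))
	for _, patch := range envoyFilter.ConfigPatches {
		if patch.ApplyTo != v1alpha3.EnvoyFilter_ROUTE_CONFIGURATION {
			continue
		}
		if patch.Match.GetRouteConfiguration().GetName() == routeName {
			return true
		}
	}
	return false
}

// alreadyAllowAnyNewRouteConfigUration reports whether a ROUTE_CONFIGURATION
// patch for svcPort already carries a virtual host named "allow_any_new".
//
// A patch without "virtual_hosts", or a virtual host without "name", is skipped
// rather than ending the search, so a later patch on the same port is still
// inspected and no duplicate is appended.
func alreadyAllowAnyNewRouteConfigUration(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool {
	routeName := strconv.Itoa(int(svcPort.Port))
	for _, patch := range envoyFilter.ConfigPatches {
		if patch.ApplyTo != v1alpha3.EnvoyFilter_ROUTE_CONFIGURATION ||
			patch.Match.GetRouteConfiguration().GetName() != routeName {
			continue
		}
		vhosts, ok := patch.Patch.GetValue().GetFields()["virtual_hosts"]
		if !ok {
			continue
		}
		for _, vhost := range vhosts.GetListValue().GetValues() {
			name, ok := vhost.GetStructValue().GetFields()["name"]
			if ok && name.GetStringValue() == "allow_any_new" {
				return true
			}
		}
	}
	return false
}

// alreadyHttpFilter reports whether envoyFilter already holds the HTTP_FILTER
// patch for the listener "0.0.0.0_<port>".
//
// The listener name is compared, because that is where generateHttpFilter puts
// "0.0.0.0_<port>"; the filter-chain filter name is always
// "envoy.filters.network.http_connection_manager", so comparing it never
// matched and every merge appended another copy of the Lua filter patch.
func alreadyHttpFilter(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool {
	listenerName := fmt.Sprintf("0.0.0.0_%v", svcPort.Port)
	for _, patch := range envoyFilter.ConfigPatches {
		if patch.ApplyTo == v1alpha3.EnvoyFilter_HTTP_FILTER &&
			patch.Match.GetListener().GetName() == listenerName {
			return true
		}
	}
	return false
}

// alreadyHttpRoute reports whether envoyFilter already holds an HTTP_ROUTE
// patch for the route configuration named after svcPort.
func alreadyHttpRoute(envoyFilter *v1alpha3.EnvoyFilter, svcPort corev1.ServicePort) bool {
	routeName := strconv.Itoa(int(svcPort.Port))
	for _, patch := range envoyFilter.ConfigPatches {
		if patch.ApplyTo == v1alpha3.EnvoyFilter_HTTP_ROUTE &&
			patch.Match.GetRouteConfiguration().GetName() == routeName {
			return true
		}
	}
	return false
}

// AddExternalServiceToRouteConfigUration appends a virtual host for authority
// to the first ROUTE_CONFIGURATION patch whose route name equals the port in
// authority ("80" when authority carries none). The new virtual host matches
// the host part as its only domain and routes "/" to PassthroughCluster.
// Nothing is added when the host part is empty, when the patch has no
// "virtual_hosts" list, or when a virtual host already lists that domain.
//
// NOTE(review): authority ends up verbatim in the Envoy route configuration.
// If callers take it from request data (presumably an access-log entry;
// confirm at the caller), it should be validated as a host name first: a
// malformed domain can make Envoy reject the whole route update. Values with
// more than one ':' (for example IPv6 literals) are not split correctly.
func AddExternalServiceToRouteConfigUration(authority string, envoyFilter *networkingv1alpha3.EnvoyFilter) {
	destParts := strings.Split(authority, ":")
	destSvc, destPort := destParts[0], "80"
	if len(destParts) == 2 {
		destPort = destParts[1]
	}
	if destSvc == "" {
		// An empty domain is never a valid virtual host.
		return
	}

	for _, patch := range envoyFilter.Spec.ConfigPatches {
		if patch.ApplyTo != v1alpha3.EnvoyFilter_ROUTE_CONFIGURATION ||
			patch.Match.GetRouteConfiguration().GetName() != destPort {
			continue
		}

		// Only the first matching patch is considered, as before.
		vhosts, ok := patch.Patch.GetValue().GetFields()["virtual_hosts"]
		if !ok || alreadyExistVirtualHosts(vhosts, destSvc) {
			return
		}
		list := vhosts.GetListValue()
		if list == nil {
			// "virtual_hosts" is not a list; leave the patch untouched.
			return
		}

		passthroughRoute := structpb.NewStructValue(&structpb.Struct{
			Fields: map[string]*structpb.Value{
				"match": structpb.NewStructValue(&structpb.Struct{
					Fields: map[string]*structpb.Value{
						"prefix": structpb.NewStringValue("/"),
					},
				}),
				"route": structpb.NewStructValue(&structpb.Struct{
					Fields: map[string]*structpb.Value{
						"cluster": structpb.NewStringValue("PassthroughCluster"),
					},
				}),
			},
		})
		newvh := structpb.NewStructValue(&structpb.Struct{
			Fields: map[string]*structpb.Value{
				"domains": structpb.NewListValue(&structpb.ListValue{
					Values: []*structpb.Value{structpb.NewStringValue(destSvc)},
				}),
				"name": structpb.NewStringValue(destSvc),
				"routes": structpb.NewListValue(&structpb.ListValue{
					Values: []*structpb.Value{passthroughRoute},
				}),
			},
		})
		list.Values = append(list.Values, newvh)
		return
	}
}

// alreadyExistVirtualHosts reports whether any virtual host in vhs lists
// domain among its "domains". Entries that are not structs or have no
// "domains" field are skipped.
func alreadyExistVirtualHosts(vhs *structpb.Value, domain string) bool {
	for _, vhItem := range vhs.GetListValue().GetValues() {
		domains, ok := vhItem.GetStructValue().GetFields()["domains"]
		if !ok {
			continue
		}
		for _, domainValue := range domains.GetListValue().GetValues() {
			if domainValue.GetStringValue() == domain {
				return true
			}
		}
	}
	return false
}

--------------------------------------------------------------------------------
/internal/istio/sidecar.go:
--------------------------------------------------------------------------------
package istio

import (
	"errors"
	"fmt"

	data_accesslog "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3"
	icache "github.com/hexiaodai/fence/internal/cache"
	"github.com/hexiaodai/fence/internal/config"
	istio "istio.io/api/networking/v1alpha3"
	networkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

var (
	// ErrNoLabelSelector is returned by Generate for a Service without a selector.
	ErrNoLabelSelector = errors.New("no label selector")
)

// Sidecar builds and updates Istio Sidecar resources.
type Sidecar struct {
	ipServiceCache *icache.IpService
	config.Server
}

func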
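NewSidecar(ipServiceCache *icache.IpService, server config.Server) *Sidecar {
	return &Sidecar{ipServiceCache: ipServiceCache, Server: server}
}

// Generate builds the Sidecar resource for svc: same name and namespace as the
// Service, the Service selector as workload selector, and the default egress
// hosts. It returns ErrNoLabelSelector when the Service has no selector.
func (s *Sidecar) Generate(svc *corev1.Service) (*networkingv1alpha3.Sidecar, error) {
	if len(svc.Spec.Selector) == 0 {
		return nil, ErrNoLabelSelector
	}
	sidecar := &networkingv1alpha3.Sidecar{
		ObjectMeta: metav1.ObjectMeta{
			Name:      svc.Name,
			Namespace: svc.Namespace,
		},
		Spec: istio.Sidecar{
			WorkloadSelector: &istio.WorkloadSelector{
				Labels: svc.Spec.Selector,
			},
			Egress: s.generateDefaultEgress(),
		},
	}
	return sidecar, nil
}

// generateDefaultEgress returns the baseline egress listener: every host in
// the Istio namespace and in the fence namespace.
func (s *Sidecar) generateDefaultEgress() []*istio.IstioEgressListener {
	return []*istio.IstioEgressListener{
		{
			Hosts: []string{
				fmt.Sprintf("%s/*", s.IstioNamespace),
				fmt.Sprintf("%s/*", s.FenceNamespace),
			},
		},
	}
}

// AddDestinationSvcToEgress resolves the destination service of entry through
// the IP/service cache and adds "*/<destination>" to the hosts of the first
// egress listener of sidecar, creating the default egress when there is none.
//
// Existing hosts keep their order, duplicates are dropped, and a new host is
// appended at the end. The previous implementation rebuilt the list from a
// map, so the order changed from call to call and an unchanged host set could
// still look like a modified resource.
//
// NOTE(review): hosts are only ever added here, so each accepted log entry
// widens what the workload's sidecar may reach; the trust placed in the
// access-log stream decides how far this list can grow.
func (s *Sidecar) AddDestinationSvcToEgress(sidecar *networkingv1alpha3.Sidecar, entry *data_accesslog.HTTPAccessLogEntry) error {
	destSvc, err := s.ipServiceCache.FetchDestinationSvc(entry)
	if err != nil {
		return fmt.Errorf("get destination domain error, error: %v", err)
	}

	egress := sidecar.Spec.Egress
	if len(egress) == 0 {
		egress = s.generateDefaultEgress()
	}

	seen := make(map[string]struct{}, len(egress[0].Hosts)+1)
	hosts := make([]string, 0, len(egress[0].Hosts)+1)
	for _, host := range append(egress[0].Hosts[:len(egress[0].Hosts):len(egress[0].Hosts)], fmt.Sprintf("*/%v", destSvc)) {
		if _, dup := seen[host]; dup {
			continue
		}
		seen[host] = struct{}{}
		hosts = append(hosts, host)
	}

	egress[0].Hosts = hosts
	sidecar.Spec.Egress = egress
	return nil
}

--------------------------------------------------------------------------------
/internal/logging/logging.go:
--------------------------------------------------------------------------------
package logging

import (
	"os"
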
"github.com/go-logr/logr" 7 | "github.com/go-logr/zapr" 8 | "go.uber.org/zap" 9 | "go.uber.org/zap/zapcore" 10 | ) 11 | 12 | const ( 13 | LogLevelInfo = "info" 14 | LogLevelDebug = "debug" 15 | LogLevelError = "error" 16 | LogLevelWarn = "warn" 17 | ) 18 | 19 | type LogLevel string 20 | 21 | type Logging struct { 22 | // Level is the logging level. If unspecified, defaults to "info". 23 | // LogLevel options: debug/info/error/warn. 24 | Level LogLevel 25 | } 26 | 27 | func DefaultLogging() *Logging { 28 | return &Logging{Level: LogLevelInfo} 29 | } 30 | 31 | type Logger struct { 32 | logr.Logger 33 | logging *Logging 34 | sugaredLogger *zap.SugaredLogger 35 | } 36 | 37 | func NewLogger(logging *Logging) Logger { 38 | logger := initZapLogger(logging, logging.Level) 39 | return Logger{ 40 | Logger: zapr.NewLogger(logger), 41 | logging: logging, 42 | sugaredLogger: logger.Sugar(), 43 | } 44 | } 45 | 46 | func DefaultLogger(level LogLevel) Logger { 47 | logging := DefaultLogging() 48 | logger := initZapLogger(logging, level) 49 | 50 | return Logger{ 51 | Logger: zapr.NewLogger(logger), 52 | logging: logging, 53 | sugaredLogger: logger.Sugar(), 54 | } 55 | } 56 | 57 | // WithName returns a new Logger instance with the specified name element added 58 | // to the Logger's name. Successive calls with WithName append additional 59 | // suffixes to the Logger's name. It's strongly recommended that name segments 60 | // contain only letters, digits, and hyphens (see the package documentation for 61 | // more information). 62 | func (l Logger) WithName(name string) Logger { 63 | logLevel := l.logging.Level 64 | logger := initZapLogger(l.logging, logLevel) 65 | return Logger{ 66 | Logger: zapr.NewLogger(logger).WithName(name), 67 | logging: l.logging, 68 | sugaredLogger: l.sugaredLogger, 69 | } 70 | } 71 | 72 | // WithValues returns a new Logger instance with additional key/value pairs. 73 | // See Info for documentation on how key/value pairs work. 
74 | func (l Logger) WithValues(keysAndValues ...interface{}) Logger { 75 | l.Logger = l.Logger.WithValues(keysAndValues...) 76 | return l 77 | } 78 | 79 | // A Sugar wraps the base Logger functionality in a slower, but less 80 | // verbose, API. Any Logger can be converted to a SugaredLogger with its Sugar 81 | // method. 82 | // 83 | // Unlike the Logger, the SugaredLogger doesn't insist on structured logging. 84 | // For each log level, it exposes four methods: 85 | // 86 | // - methods named after the log level for log.Print-style logging 87 | // - methods ending in "w" for loosely-typed structured logging 88 | // - methods ending in "f" for log.Printf-style logging 89 | // - methods ending in "ln" for log.Println-style logging 90 | // 91 | // For example, the methods for InfoLevel are: 92 | // 93 | // Info(...any) Print-style logging 94 | // Infow(...any) Structured logging (read as "info with") 95 | // Infof(string, ...any) Printf-style logging 96 | // Infoln(...any) Println-style logging 97 | func (l Logger) Sugar() *zap.SugaredLogger { 98 | return l.sugaredLogger 99 | } 100 | 101 | func initZapLogger(logging *Logging, level LogLevel) *zap.Logger { 102 | parseLevel, _ := zapcore.ParseLevel(string(level)) 103 | core := zapcore.NewCore(zapcore.NewConsoleEncoder(zap.NewDevelopmentEncoderConfig()), zapcore.AddSync(os.Stdout), zap.NewAtomicLevelAt(parseLevel)) 104 | 105 | return zap.New(core, zap.AddCaller()) 106 | } 107 | -------------------------------------------------------------------------------- /internal/metric/accesslog_source.go: -------------------------------------------------------------------------------- 1 | package metric 2 | 3 | import ( 4 | "fmt" 5 | "net" 6 | 7 | data_accesslog "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3" 8 | service_accesslog "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" 9 | "github.com/hexiaodai/fence/internal/config" 10 | "google.golang.org/grpc" 11 | ) 12 | 13 | type HttpLogEntry 
interface {
	StreamLogEntry([]*data_accesslog.HTTPAccessLogEntry)
}

// AccessLogSource is the gRPC access-log service endpoint. Received HTTP log
// entries are handed to the registered HttpLogEntry consumer.
type AccessLogSource struct {
	servePort    string
	httpLogEntry HttpLogEntry
	config.Server
}

// Name returns the fixed component name used for logging.
func (src *AccessLogSource) Name() string {
	return "AccessLogSource"
}

// NewAccessLogSource creates a source that will listen on servePort and gives
// it a logger named after the component. The returned error is always nil.
func NewAccessLogSource(servePort string, server config.Server) (*AccessLogSource, error) {
	src := &AccessLogSource{
		Server:    server,
		servePort: servePort,
	}
	name := src.Name()
	src.Logger = src.Logger.WithName(name).WithValues("metric", name)
	return src, nil
}

// RegisterHttpLogEntry sets the consumer that receives HTTP log entries.
//
// NOTE(review): the field is written here and read by StreamAccessLogs without
// synchronisation; register before Start unless callers guarantee ordering.
func (src *AccessLogSource) RegisterHttpLogEntry(h HttpLogEntry) {
	src.httpLogEntry = h
}

// StreamAccessLogs receives access-log messages from the stream until Recv
// fails and returns that error. HTTP entries are forwarded to the registered
// consumer; messages without HTTP logs, or arriving before a consumer is
// registered, are dropped.
func (src *AccessLogSource) StreamAccessLogs(logServer service_accesslog.AccessLogService_StreamAccessLogsServer) error {
	for {
		msg, recvErr := logServer.Recv()
		if recvErr != nil {
			return recvErr
		}

		entries := msg.GetHttpLogs()
		if entries == nil || src.httpLogEntry == nil {
			continue
		}
		src.httpLogEntry.StreamLogEntry(entries.LogEntry)
	}
}

// Start binds a TCP listener on servePort and serves the access-log gRPC
// service in a background goroutine. A listen error is returned; a later
// Serve error panics.
//
// NOTE(review): the server is created without transport credentials or any
// interceptor, so every peer that can reach the port can stream log entries.
// Restrict access to the port (NetworkPolicy or mesh authorization) or add
// TLS/authentication to the gRPC server.
func (src *AccessLogSource) Start() error {
	addr := fmt.Sprintf(":%v", src.servePort)
	listen, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}

	grpcServer := grpc.NewServer()
	service_accesslog.RegisterAccessLogServiceServer(grpcServer, src)

	go func() {
		err = grpcServer.Serve(listen)
		if err != nil {
			panic(err)
		}
	}()

	src.Logger.Info("accessLogSource server is starting to listen", "addr", src.servePort)
	return nil
}

--------------------------------------------------------------------------------
/internal/metric/runner.go:
--------------------------------------------------------------------------------
package metric

import (
	"context"

	"github.com/hexiaodai/fence/internal/config"
)

// New returns a Runner whose logger is named after the component.
func New(server config.Server) *Runner {
	named := server.Logger.WithName("Runner")
	server.Logger = named.WithValues("metric", "Runner")
	return &Runner{Server: server}
}

// Runner owns the access-log source of the metric component.
type Runner struct {
	accessLogSource *AccessLogSource
	config.Server
}

// Start creates the access-log source on LogSourcePort and starts it. ctx is
// not used.
func (r *Runner) Start(ctx context.Context) error {
	src, err := NewAccessLogSource(r.LogSourcePort, r.Server)
	if err != nil {
		return err
	}
	if startErr := src.Start(); startErr != nil {
		return startErr
	}

	r.accessLogSource = src

	r.Logger.Info("started")
	return nil
}

// RegisterHttpLogEntry forwards the consumer to the access-log source.
//
// NOTE(review): accessLogSource is only set by Start; calling this earlier
// dereferences a nil source.
func (r *Runner) RegisterHttpLogEntry(h HttpLogEntry) {
	r.accessLogSource.RegisterHttpLogEntry(h)
}

--------------------------------------------------------------------------------
/internal/options/global.go:
--------------------------------------------------------------------------------
package options

import (
	"k8s.io/cli-runtime/pkg/genericclioptions"
)

// DefaultConfigFlags holds the kubeconfig-related command-line flags.
//
// NOTE(review): WithDeprecatedPasswordFlag keeps the basic-auth password flag
// available; a password given on the command line is visible in process
// listings, so prefer kubeconfig or token based credentials.
var DefaultConfigFlags = genericclioptions.NewConfigFlags(true).
	WithDeprecatedPasswordFlag().
	WithDiscoveryBurst(300).
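10 | WithDiscoveryQPS(50.0) 11 |
--------------------------------------------------------------------------------
/internal/proxy/http.go:
--------------------------------------------------------------------------------
package proxy

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/hexiaodai/fence/internal/cache"
	"github.com/hexiaodai/fence/internal/config"
	"k8s.io/apimachinery/pkg/types"
)

// Request headers that steer the proxy. Both are removed before forwarding.
const (
	HeaderSourceNs = "Fence-Source-Ns"
	HeaderOrigDest = "Fence-Orig-Dest"
)

// NewHttpProxy returns the handler for one wormhole port. serviceCache may be
// nil; ServeHTTP then expands every short host name with the source namespace.
// The returned error is always nil.
func NewHttpProxy(wormholePort string, serviceCache *cache.Service, server config.Server) (*HttpProxy, error) {
	hp := &HttpProxy{
		Server:       server,
		wormholePort: wormholePort,
		serviceCache: serviceCache,
	}
	hp.Logger = server.Logger.WithName("HttpProxy").WithValues("proxy", "HttpProxy")
	return hp, nil
}

// HttpProxy forwards HTTP requests arriving on a wormhole port.
type HttpProxy struct {
	wormholePort string
	serviceCache *cache.Service
	config.Server
}

// ServeHTTP forwards the request to its original destination and copies the
// upstream status, headers and body back to the caller.
//
//   - Fence-Source-Ns: namespace used to expand a short Host ("svc" becomes
//     "svc.<ns>") when the service exists in the cache or no cache is set.
//   - Fence-Orig-Dest: "host:port" or "host" that is dialed instead of the
//     address derived from Host; without a port the wormhole port is used.
//
// A Fence-Orig-Dest value with an empty host or empty port, and a request that
// yields no destination host at all, is answered with 400: dialing an empty
// host would connect to the proxy's own machine. A failed upstream request is
// answered with 500 unless the caller has already gone away.
//
// NOTE(review): both headers are taken from the request as received and only
// the first value is used, so the handler dials whatever Fence-Orig-Dest names.
// In this repository the route patch adds Fence-Orig-Dest with "append": true
// while the Lua filter replaces Fence-Source-Ns; a value the workload set
// itself may therefore precede the sidecar's. Keep the listener reachable only
// through the sidecar path and consider overwriting the header there.
func (h *HttpProxy) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	h.Logger.Info("request", "proto", req.Proto, "method", req.Method, "host", req.Host)

	var (
		reqCtx               = req.Context()
		reqHost              = req.Host
		origDest, origDestIp string
		origDestPort         = h.wormholePort
	)

	if values := req.Header[HeaderSourceNs]; len(values) > 0 && values[0] != "" {
		req.Header.Del(HeaderSourceNs)

		// reqHost may be a Kubernetes short name or a host without namespace:
		// try the namespaced service first, otherwise keep reqHost unchanged.
		if !strings.Contains(reqHost, ".") {
			var (
				ns      = values[0]
				svcName = reqHost
				port    string
			)

			// Split off the port when the host carries one.
			idx := strings.LastIndex(reqHost, ":")
			if idx >= 0 {
				svcName = reqHost[:idx]
				port = reqHost[idx+1:]
			}

			nn := types.NamespacedName{
				Namespace: ns,
				Name:      svcName,
			}

			// A nil serviceCache means the service controller is disabled, so
			// every short name gets the namespace appended.
			if h.serviceCache == nil || h.serviceCache.ExistNcName(nn) {
				if idx >= 0 {
					reqHost = fmt.Sprintf("%s.%s:%s", nn.Name, nn.Namespace, port)
				} else {
					reqHost = fmt.Sprintf("%s.%s", nn.Name, nn.Namespace)
				}
			}
		}
	}

	if values := req.Header[HeaderOrigDest]; len(values) > 0 {
		origDest = values[0]
		req.Header.Del(HeaderOrigDest)

		if idx := strings.LastIndex(origDest, ":"); idx >= 0 {
			origDestIp = origDest[:idx]
			// "host:" and ":port" are both malformed; an empty host would make
			// the dialer connect to the local system.
			if origDestIp == "" || origDest[idx+1:] == "" {
				http.Error(w, fmt.Sprintf("invalid header %s value: %s", HeaderOrigDest, origDest), http.StatusBadRequest)
				return
			}
			origDestPort = origDest[idx+1:]
		} else {
			origDestIp = origDest
		}
	}

	if origDest == "" {
		if idx := strings.LastIndex(reqHost, ":"); idx >= 0 {
			origDestIp = reqHost[:idx]
		} else {
			origDestIp = reqHost
		}
		if origDestIp == "" {
			// No Host and no usable Fence-Orig-Dest: nothing to forward to.
			http.Error(w, "missing destination host", http.StatusBadRequest)
			return
		}
	}

	if req.URL.Scheme == "" {
		req.URL.Scheme = "http"
	}
	req.URL.Host = reqHost
	req.Host = reqHost
	// RequestURI must be empty on client requests.
	req.RequestURI = ""
	newCtx, cancel := context.WithCancel(reqCtx)
	defer cancel()
	req = req.WithContext(newCtx)

	dialer := &net.Dialer{
		KeepAlive: 30 * time.Second,
	}
	transport := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		// The address chosen by the HTTP client is ignored; the connection
		// always goes to the original destination computed above.
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			newAddr := fmt.Sprintf("%s:%s", origDestIp, origDestPort)
			return dialer.DialContext(ctx, network, newAddr)
		},
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
	}
	// The transport lives for this request only, so its idle connections can
	// never be reused; release them instead of waiting for IdleConnTimeout.
	defer transport.CloseIdleConnections()
	client := &http.Client{
		Transport: transport,
	}

	resp, err := client.Do(req)
	if err != nil {
		select {
		case <-reqCtx.Done():
			// The caller is gone; there is nobody to answer.
		default:
			h.Logger.Info(err.Error())
			http.Error(w, "", http.StatusInternalServerError)
		}
		return
	}
	// The body was never closed before, which kept the upstream connection
	// and its goroutines alive after every request.
	defer resp.Body.Close()

	for k, vv := range resp.Header {
		for _, v := range vv {
			w.Header().Add(k, v)
		}
	}
	w.WriteHeader(resp.StatusCode)
	if _, err := io.Copy(w, resp.Body); err != nil {
		h.Logger.Info(err.Error())
	}
}

--------------------------------------------------------------------------------
/internal/proxy/runner.go:
--------------------------------------------------------------------------------
package proxy

import (
	"context"

	icache "github.com/hexiaodai/fence/internal/cache"
	"github.com/hexiaodai/fence/internal/config"
)

// New returns a Runner whose logger is named after the component.
func New(server config.Server) *Runner {
	server.Logger = server.Logger.WithName("Runner").WithValues("proxy", "Runner")
	return &Runner{Server: server}
}

// Runner starts the service cache and the wormhole listener of the proxy.
type Runner struct {
	config.Server
}

// Start starts the service cache with ctx, builds the Serve instance and
// starts listening on WormholePort. Errors from the cache or from NewServe
// are returned; ListenAndServe itself reports nothing back.
func (r *Runner) Start(ctx context.Context) error {
	serviceCache := icache.NewService(r.Server)
	if err := serviceCache.Start(ctx); err != nil {
		return err
	}

	serve, err := NewServe(serviceCache, r.Server)
	if err != nil {
		return err
	}

	serve.ListenAndServe(r.WormholePort)

	r.Logger.Info("started")
	return nil
}

--------------------------------------------------------------------------------
/internal/proxy/serve.go:
--------------------------------------------------------------------------------
package proxy

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"sync"
	"syscall"
	"time"

	"github.com/hexiaodai/fence/internal/cache"
	"github.com/hexiaodai/fence/internal/config"
	"golang.org/x/sys/unix"
)

func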
NewServe(serviceCache *cache.Service, server config.Server) (*Serve, error) { 19 | s := &Serve{ 20 | serviceCache: serviceCache, 21 | servers: make(map[string]*http.Server), 22 | Server: server, 23 | } 24 | s.Logger = s.Logger.WithName(s.Name()).WithValues("proxy", s.Name()) 25 | return s, nil 26 | } 27 | /* Serve keeps one http.Server per wormhole port in servers; ListenAndServe holds serverMutex while it adds entries. */ 28 | type Serve struct { 29 | serverMutex sync.RWMutex 30 | servers map[string]*http.Server 31 | serviceCache *cache.Service 32 | config.Server 33 | } 34 | /* Name returns the component name used for the logger. */ 35 | func (s *Serve) Name() string { 36 | return "Serve" 37 | } 38 | /* ListenAndServe starts, each in its own goroutine, a proxy server for every port that is not registered yet; the probe port and ports whose handler cannot be built are skipped. Addr is ":port", so each server listens on all interfaces. */ 39 | func (s *Serve) ListenAndServe(wormholePorts ...string) { 40 | s.serverMutex.Lock() 41 | defer s.serverMutex.Unlock() 42 | 43 | s.Logger.Info("starting listen and serve with wormholePorts", "wormholePorts", wormholePorts) 44 | for _, whPort := range wormholePorts { 45 | if _, exist := s.servers[whPort]; !exist { 46 | if whPort == s.ProbePort { 47 | s.Logger.Info("probePort is conflict with wormholePort. skip port bind", "wormholePort", whPort) 48 | continue 49 | } 50 | handler, err := NewHttpProxy(whPort, s.serviceCache, s.Server) 51 | if err != nil { 52 | s.Logger.Error(err, "skip port bind", "wormholePort", whPort) 53 | continue 54 | } 55 | srv := &http.Server{ 56 | Addr: fmt.Sprintf(":%v", whPort), 57 | Handler: handler, 58 | } 59 | s.servers[whPort] = srv 60 | go s.startServer(srv) 61 | } 62 | } 63 | s.Logger.Info("started") 64 | } 65 | /* startServer listens on srv.Addr with SO_REUSEADDR and SO_REUSEPORT requested and serves until the server is closed; listen and serve errors are only logged. NOTE(review): both SetsockoptInt results are discarded, so a failure to set either option goes unnoticed. */ 66 | func (s *Serve) startServer(srv *http.Server) { 67 | lc := net.ListenConfig{ 68 | Control: func(network, address string, c syscall.RawConn) error { 69 | return c.Control(func(fd uintptr) { 70 | syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, unix.SO_REUSEADDR, 1) 71 | syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, unix.SO_REUSEPORT, 1) 72 | }) 73 | }, 74 | } 75 | l, err := lc.Listen(context.Background(), "tcp", srv.Addr) 76 | if err != nil { 77 | s.Logger.Error(err, "proxy listen error") 78 | return 79 | } 80 | if err := srv.Serve(l); err != nil && err != http.ErrServerClosed { 81 | 
s.Logger.Error(err, "proxy serve error") 82 | } 83 | } 84 | /* ShutdownServer gracefully stops the server registered for wormholePort, waiting at most 10 seconds; an unknown port returns nil. NOTE(review): s.servers is read here without serverMutex and the entry is not removed, so ListenAndServe will treat the port as still registered. */ 85 | func (s *Serve) ShutdownServer(wormholePort int32) error { 86 | srv := s.servers[strconv.Itoa(int(wormholePort))] 87 | if srv == nil { 88 | return nil 89 | } 90 | s.Logger.Info("stopting proxy", "addr", srv.Addr) 91 | ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) 92 | defer cancel() 93 | return srv.Shutdown(ctx) 94 | } 95 | -------------------------------------------------------------------------------- /internal/utils/env.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "os" 5 | "strconv" 6 | "time" 7 | ) 8 | /* Var lists the value types Lookup can return. */ 9 | type Var interface { 10 | string | int | time.Duration 11 | } 12 | 13 | // Lookup returns the environment variable key converted to the type of defaultValue; defaultValue is returned when the variable is unset or cannot be converted. 14 | func Lookup[T Var](key string, defaultValue T) T { 15 | value, ok := os.LookupEnv(key) 16 | if !ok { 17 | return defaultValue 18 | } 19 | 20 | var ret any 21 | switch any(defaultValue).(type) { 22 | case time.Duration: 23 | d, err := time.ParseDuration(value) 24 | if err != nil { 25 | return defaultValue 26 | } 27 | ret = d 28 | case string: 29 | ret = value 30 | case int: 31 | i, err := strconv.ParseInt(value, 10, 0) 32 | if err != nil { 33 | return defaultValue 34 | } 35 | ret = int(i) 36 | } 37 | return ret.(T) 38 | } 39 | -------------------------------------------------------------------------------- /tools/bin/controller-gen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hexiaodai/fence/0defaad041abd82f094816cc11e4ea1b4b190c8c/tools/bin/controller-gen -------------------------------------------------------------------------------- /tools/boilerplate/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Feather Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /tools/docker/fence-proxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=$BUILDPLATFORM golang:1.20.3 as build 2 | ENV GOOS=linux \ 3 | CGO_ENABLED=0 \ 4 | GO111MODULE=on 5 | WORKDIR /fence 6 | COPY . . 7 | RUN go build -o fence-proxy ./cmd/proxy 8 | # NOTE(review): the runtime stage below sets no USER, so the proxy runs as root unless the pod spec overrides it; both base images are referenced by tag rather than digest; and this stage is pinned to $BUILDPLATFORM rather than the target platform, which looks unintended for cross-platform builds (confirm). tools/docker/fence/Dockerfile has the same runtime stage. 9 | FROM --platform=$BUILDPLATFORM alpine:3.16 10 | COPY --from=build /fence/fence-proxy /bin/fence-proxy 11 | RUN chmod go+x /bin/fence-proxy 12 | CMD ["fence-proxy", "proxy"] 13 | -------------------------------------------------------------------------------- /tools/docker/fence/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=$BUILDPLATFORM golang:1.20.3 as build 2 | ENV GOOS=linux \ 3 | CGO_ENABLED=0 \ 4 | GO111MODULE=on 5 | WORKDIR /fence 6 | COPY . . 
7 | RUN go build -o fence ./cmd/ctrl 8 | 9 | FROM --platform=$BUILDPLATFORM alpine:3.16 10 | COPY --from=build /fence/fence /bin/fence 11 | RUN chmod go+x /bin/fence 12 | CMD ["fence", "ctrl"] 13 | -------------------------------------------------------------------------------- /tools/make/common.mk: -------------------------------------------------------------------------------- 1 | # This is a wrapper to set common variables 2 | # 3 | # All make targets related to common variables are defined in this file. 4 | 5 | # ==================================================================================================== 6 | # Configure Make itself: 7 | # ==================================================================================================== 8 | 9 | # Turn off .INTERMEDIATE file removal by marking all files as 10 | # .SECONDARY. .INTERMEDIATE file removal is a space-saving hack from 11 | # a time when drives were small; on modern computers with plenty of 12 | # storage, it causes nothing but headaches. 13 | # 14 | # https://news.ycombinator.com/item?id=16486331 15 | .SECONDARY: 16 | 17 | SHELL:=/bin/bash 18 | 19 | # ==================================================================================================== 20 | # ROOT Options: 21 | # ==================================================================================================== 22 | 23 | # Default ROOT_DIR to the physical working directory unless it is already set 24 | ifeq ($(origin ROOT_DIR),undefined) 25 | ROOT_DIR := $(abspath $(shell pwd -P)) 26 | endif 27 | 28 | # ==================================================================================================== 29 | # ENV Options: 30 | # ==================================================================================================== 31 | 32 | OCI_REGISTRY ?= oci://docker.io/hejianmin 33 | # REGISTRY is the image registry to use for build and push image targets. 
34 | REGISTRY ?= docker.io/hejianmin 35 | # IMAGE_NAME is the name of the image. 36 | # Use fence-dev when developing (NOTE(review): the default set below is fence, not fence-dev). 37 | # Use fence when releasing an image. 38 | IMAGE_NAME ?= fence 39 | IMAGE_NAME_PROXY ?= fence-proxy 40 | # HELM_NAME is the name of the helm chart 41 | HELM_NAME ?= chart-fence 42 | # IMAGE is the image URL for build and push image targets. 43 | IMAGE ?= $(REGISTRY)/$(IMAGE_NAME) 44 | IMAGE_PROXY ?= $(REGISTRY)/$(IMAGE_NAME_PROXY) 45 | # VERSION is the tag to use for build and push image targets; it defaults to the output of git describe. 46 | VERSION ?= $(shell git describe --tags --abbrev=8) 47 | 48 | .PHONY: help 49 | help: ## Show this help info. 50 | @$(LOG_TARGET) 51 | @echo -e "Fence is an open source project to automate the management of custom resources Sidecar\n" 52 | @echo -e "Usage:\n make \033[36m\033[0m \033[36m