mirror of
https://github.com/cert-manager/webhook-example.git
synced 2025-07-04 07:35:49 +02:00
142 lines
4.3 KiB
Go
142 lines
4.3 KiB
Go
/*
|
|
Copyright 2021 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controlplane
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"k8s.io/client-go/rest"
|
|
"sigs.k8s.io/controller-runtime/pkg/internal/testing/certs"
|
|
"sigs.k8s.io/controller-runtime/pkg/internal/testing/process"
|
|
)
|
|
|
|
// User represents a Kubernetes user.
|
|
type User struct {
|
|
// Name is the user's Name.
|
|
Name string
|
|
// Groups are the groups to which the user belongs.
|
|
Groups []string
|
|
}
|
|
|
|
// Authn knows how to configure an API server for a particular type of authentication,
|
|
// and provision users under that authentication scheme.
|
|
//
|
|
// The methods must be called in the following order (as presented below in the interface
|
|
// for a mnemonic):
|
|
//
|
|
// 1. Configure
|
|
// 2. Start
|
|
// 3. AddUsers (0+ calls)
|
|
// 4. Stop.
|
|
type Authn interface {
|
|
// Configure provides the working directory to this authenticator,
|
|
// and configures the given API server arguments to make use of this authenticator.
|
|
//
|
|
// Should be called first.
|
|
Configure(workDir string, args *process.Arguments) error
|
|
// Start runs this authenticator. Will be called just before API server start.
|
|
//
|
|
// Must be called after Configure.
|
|
Start() error
|
|
// AddUser provisions a user, returning a copy of the given base rest.Config
|
|
// configured to authenticate as that users.
|
|
//
|
|
// May only be called while the authenticator is "running".
|
|
AddUser(user User, baseCfg *rest.Config) (*rest.Config, error)
|
|
// Stop shuts down this authenticator.
|
|
Stop() error
|
|
}
|
|
|
|
// CertAuthn is an authenticator (Authn) that makes use of client certificate authn.
|
|
type CertAuthn struct {
|
|
// ca is the CA used to sign the client certs
|
|
ca *certs.TinyCA
|
|
// certDir is the directory used to write the CA crt file
|
|
// so that the API server can read it.
|
|
certDir string
|
|
}
|
|
|
|
// NewCertAuthn creates a new client-cert-based Authn with a new CA.
|
|
func NewCertAuthn() (*CertAuthn, error) {
|
|
ca, err := certs.NewTinyCA()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to provision client certificate auth CA: %w", err)
|
|
}
|
|
return &CertAuthn{
|
|
ca: ca,
|
|
}, nil
|
|
}
|
|
|
|
// AddUser provisions a new user that's authenticated via certificates, with
|
|
// the given uesrname and groups embedded in the certificate as expected by the
|
|
// API server.
|
|
func (c *CertAuthn) AddUser(user User, baseCfg *rest.Config) (*rest.Config, error) {
|
|
certs, err := c.ca.NewClientCert(certs.ClientInfo{
|
|
Name: user.Name,
|
|
Groups: user.Groups,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to create client certificates for %s: %w", user.Name, err)
|
|
}
|
|
|
|
crt, key, err := certs.AsBytes()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to serialize client certificates for %s: %w", user.Name, err)
|
|
}
|
|
|
|
cfg := rest.CopyConfig(baseCfg)
|
|
cfg.CertData = crt
|
|
cfg.KeyData = key
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// caCrtPath returns the path to the on-disk client-cert CA crt file.
|
|
func (c *CertAuthn) caCrtPath() string {
|
|
return filepath.Join(c.certDir, "client-cert-auth-ca.crt")
|
|
}
|
|
|
|
// Configure provides the working directory to this authenticator,
|
|
// and configures the given API server arguments to make use of this authenticator.
|
|
func (c *CertAuthn) Configure(workDir string, args *process.Arguments) error {
|
|
c.certDir = workDir
|
|
args.Set("client-ca-file", c.caCrtPath())
|
|
return nil
|
|
}
|
|
|
|
// Start runs this authenticator. Will be called just before API server start.
|
|
//
|
|
// Must be called after Configure.
|
|
func (c *CertAuthn) Start() error {
|
|
if len(c.certDir) == 0 {
|
|
return fmt.Errorf("start called before configure")
|
|
}
|
|
caCrt := c.ca.CA.CertBytes()
|
|
if err := os.WriteFile(c.caCrtPath(), caCrt, 0640); err != nil { //nolint:gosec
|
|
return fmt.Errorf("unable to save the client certificate CA to %s: %w", c.caCrtPath(), err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Stop shuts down this authenticator.
|
|
func (c *CertAuthn) Stop() error {
|
|
// no-op -- our workdir is cleaned up for us automatically
|
|
return nil
|
|
}
|