djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
17d40b7a73
ContainerImage.Pinniped/cmd/local-user-authenticator/main.go

375 lines
10 KiB
Go
Raw Normal View History

cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Package main provides a authentication webhook program.
//
// This webhook is meant to be used in demo settings to play around with
// Pinniped. As well, it can come in handy in integration tests.
//
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
// This webhook is NOT meant for use in production systems.
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
package main
import (
"bytes"
"context"
"crypto/tls"
"encoding/csv"
"encoding/json"
"fmt"
Improve the parsing of headers in test-webhook Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 22:00:53 +00:00
"mime"
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
"net"
"net/http"
"os"
"os/signal"
"strings"
"time"
"golang.org/x/crypto/bcrypt"
cmd/local-user-authenticator: use v1beta1 everywhere See 63f5416b2 for a previous time where we decided to use the v1beta1 TokenReview API. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:14:12 +00:00
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
k8serrors "k8s.io/apimachinery/pkg/api/errors"
kubeinformers "k8s.io/client-go/informers"
corev1informers "k8s.io/client-go/informers/core/v1"
"k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
"k8s.io/klog/v2"
Fix lint errors
2020-09-11 01:34:18 +00:00
"github.com/suzerain-io/pinniped/internal/constable"
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
"github.com/suzerain-io/pinniped/internal/controller/apicerts"
"github.com/suzerain-io/pinniped/internal/controllerlib"
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
"github.com/suzerain-io/pinniped/internal/provider"
)
const (
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
// This string must match the name of the Namespace declared in the deployment yaml.
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 22:20:02 +00:00
namespace = "local-user-authenticator"
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
// This string must match the name of the Service declared in the deployment yaml.
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 22:20:02 +00:00
serviceName = "local-user-authenticator"
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
Fix lint errors
2020-09-11 01:34:18 +00:00
unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
authenticatedResponseTemplate = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"%s","uid":"%s","groups":%s}}}`
singletonWorker = 1
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
defaultResyncInterval = 3 * time.Minute
Fix lint errors
2020-09-11 01:34:18 +00:00
invalidRequest = constable.Error("invalid request")
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
)
type webhook struct {
certProvider provider.DynamicTLSServingCertProvider
secretInformer corev1informers.SecretInformer
}
func newWebhook(
certProvider provider.DynamicTLSServingCertProvider,
secretInformer corev1informers.SecretInformer,
) *webhook {
return &webhook{
certProvider: certProvider,
secretInformer: secretInformer,
}
}
// start runs the webhook in a separate goroutine and returns whether or not the
// webhook was started successfully.
func (w *webhook) start(ctx context.Context, l net.Listener) error {
server := http.Server{
Handler: w,
TLSConfig: &tls.Config{
MinVersion: tls.VersionTLS13,
GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
certPEM, keyPEM := w.certProvider.CurrentCertKeyContent()
cert, err := tls.X509KeyPair(certPEM, keyPEM)
return &cert, err
},
},
}
errCh := make(chan error)
go func() {
// Per ListenAndServeTLS doc, the {cert,key}File parameters can be empty
// since we want to use the certs from http.Server.TLSConfig.
errCh <- server.ServeTLS(l, "", "")
}()
go func() {
select {
case err := <-errCh:
klog.InfoS("server exited", "err", err)
case <-ctx.Done():
klog.InfoS("server context cancelled", "err", ctx.Err())
if err := server.Shutdown(context.Background()); err != nil {
klog.InfoS("server shutdown failed", "err", err)
}
}
}()
return nil
}
func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
Fix lint errors
2020-09-11 01:34:18 +00:00
username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
if err != nil {
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
return
}
cmd/local-user-authenticator: protect against nil-body I saw this while reading other TokenReview code.
2020-09-11 16:44:45 +00:00
defer req.Body.Close()
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
notFound := k8serrors.IsNotFound(err)
if err != nil && !notFound {
klog.InfoS("could not get secret", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
return
}
if notFound {
Add more logging to test-webhook's endpoint - Also correct the webhook url setting in prepare-for-integration-tests.sh - Change the bcrypt count to 10, because 16 is way too slow on old laptops Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 20:37:25 +00:00
klog.InfoS("user not found")
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
respondWithUnauthenticated(rsp)
return
}
passwordMatches := bcrypt.CompareHashAndPassword(
secret.Data["passwordHash"],
[]byte(password),
) == nil
if !passwordMatches {
Fix a nil dereference crash in rest.go
2020-09-11 20:08:54 +00:00
klog.InfoS("authentication failed: wrong password")
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
respondWithUnauthenticated(rsp)
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
return
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
groups := []string{}
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
groupsBuf := bytes.NewBuffer(secret.Data["groups"])
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
if groupsBuf.Len() > 0 {
groupsCSVReader := csv.NewReader(groupsBuf)
groups, err = groupsCSVReader.Read()
if err != nil {
klog.InfoS("could not read groups", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
return
}
trimLeadingAndTrailingWhitespace(groups)
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
Add more logging to test-webhook's endpoint - Also correct the webhook url setting in prepare-for-integration-tests.sh - Change the bcrypt count to 10, because 16 is way too slow on old laptops Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 20:37:25 +00:00
klog.InfoS("successful authentication")
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups)
}
Fix lint errors
2020-09-11 01:34:18 +00:00
func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Request) (string, string, error) {
if req.URL.Path != "/authenticate" {
klog.InfoS("received request path other than /authenticate", "path", req.URL.Path)
rsp.WriteHeader(http.StatusNotFound)
return "", "", invalidRequest
}
if req.Method != http.MethodPost {
klog.InfoS("received request method other than post", "method", req.Method)
rsp.WriteHeader(http.StatusMethodNotAllowed)
return "", "", invalidRequest
}
if !headerContains(req, "Content-Type", "application/json") {
klog.InfoS("content type is not application/json", "Content-Type", req.Header.Values("Content-Type"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return "", "", invalidRequest
}
if !headerContains(req, "Accept", "application/json") &&
!headerContains(req, "Accept", "application/*") &&
!headerContains(req, "Accept", "*/*") {
klog.InfoS("client does not accept application/json", "Accept", req.Header.Values("Accept"))
rsp.WriteHeader(http.StatusUnsupportedMediaType)
return "", "", invalidRequest
}
cmd/local-user-authenticator: protect against nil-body I saw this while reading other TokenReview code.
2020-09-11 16:44:45 +00:00
if req.Body == nil {
klog.InfoS("invalid nil body")
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
cmd/local-user-authenticator: use v1beta1 everywhere See 63f5416b2 for a previous time where we decided to use the v1beta1 TokenReview API. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:14:12 +00:00
var body authenticationv1beta1.TokenReview
Fix lint errors
2020-09-11 01:34:18 +00:00
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
klog.InfoS("failed to decode body", "err", err)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
cmd/local-user-authenticator: use v1beta1 everywhere See 63f5416b2 for a previous time where we decided to use the v1beta1 TokenReview API. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:14:12 +00:00
if body.APIVersion != authenticationv1beta1.SchemeGroupVersion.String() {
cmd/local-user-authenticator: check for invalid TokenReview type meta Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:06:50 +00:00
klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
if body.Kind != "TokenReview" {
klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
Fix lint errors
2020-09-11 01:34:18 +00:00
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
if len(tokenSegments) != 2 {
klog.InfoS("bad token format in request")
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
return tokenSegments[0], tokenSegments[1], nil
}
Improve the parsing of headers in test-webhook Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 22:00:53 +00:00
func headerContains(req *http.Request, headerName, s string) bool {
headerValues := req.Header.Values(headerName)
for i := range headerValues {
mimeTypes := strings.Split(headerValues[i], ",")
for _, mimeType := range mimeTypes {
mediaType, _, _ := mime.ParseMediaType(mimeType)
if mediaType == s {
return true
}
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
}
return false
}
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
func trimLeadingAndTrailingWhitespace(ss []string) {
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
for i := range ss {
ss[i] = strings.TrimSpace(ss[i])
}
}
func respondWithUnauthenticated(rsp http.ResponseWriter) {
rsp.Header().Add("Content-Type", "application/json")
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
_, _ = rsp.Write([]byte(unauthenticatedResponse))
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
func respondWithAuthenticated(
rsp http.ResponseWriter,
username, uid string,
groups []string,
) {
rsp.Header().Add("Content-Type", "application/json")
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
groupsJSONBytes, err := json.Marshal(groups)
if err != nil {
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
klog.InfoS("could not encode response", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
return
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
jsonBody := fmt.Sprintf(authenticatedResponseTemplate, username, uid, groupsJSONBytes)
_, _ = rsp.Write([]byte(jsonBody))
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
func newK8sClient() (kubernetes.Interface, error) {
kubeConfig, err := restclient.InClusterConfig()
if err != nil {
return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
}
// Connect to the core Kubernetes API.
kubeClient, err := kubernetes.NewForConfig(kubeConfig)
if err != nil {
return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
}
return kubeClient, nil
}
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
func startControllers(
ctx context.Context,
dynamicCertProvider provider.DynamicTLSServingCertProvider,
kubeClient kubernetes.Interface,
kubeInformers kubeinformers.SharedInformerFactory,
) {
aVeryLongTime := time.Hour * 24 * 365 * 100
// Create controller manager.
controllerManager := controllerlib.
NewManager().
WithController(
apicerts.NewCertsManagerController(
namespace,
kubeClient,
kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer,
controllerlib.WithInitialEvent,
aVeryLongTime,
Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 22:20:02 +00:00
"local-user-authenticator CA",
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
serviceName,
),
singletonWorker,
).
WithController(
apicerts.NewCertsObserverController(
namespace,
dynamicCertProvider,
kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer,
),
singletonWorker,
)
kubeInformers.Start(ctx.Done())
go controllerManager.Start(ctx)
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
func startWebhook(
ctx context.Context,
l net.Listener,
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
dynamicCertProvider provider.DynamicTLSServingCertProvider,
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
secretInformer corev1informers.SecretInformer,
) error {
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
return newWebhook(dynamicCertProvider, secretInformer).start(ctx, l)
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
}
func waitForSignal() os.Signal {
signalCh := make(chan os.Signal, 1)
signal.Notify(signalCh, os.Interrupt)
return <-signalCh
}
func run() error {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
kubeClient, err := newK8sClient()
if err != nil {
return fmt.Errorf("cannot create k8s client: %w", err)
}
kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(
kubeClient,
defaultResyncInterval,
kubeinformers.WithNamespace(namespace),
)
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
dynamicCertProvider := provider.NewDynamicTLSServingCertProvider()
startControllers(ctx, dynamicCertProvider, kubeClient, kubeInformers)
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
klog.InfoS("controllers are ready")
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
//nolint: gosec
l, err := net.Listen("tcp", ":443")
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
if err != nil {
return fmt.Errorf("cannot create listener: %w", err)
}
defer l.Close()
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
if err != nil {
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
return fmt.Errorf("cannot start webhook: %w", err)
}
klog.InfoS("webhook is ready", "address", l.Addr().String())
Create a deployment for `test-webhook` - For now, build the test-webhook binary in the same container image as the pinniped-server binary, to make it easier to distribute - Also fix lots of bugs from the first draft of the test-webhook's `/authenticate` implementation from the previous commit - Add a detailed README for the new deploy-test-webhook directory
2020-09-10 02:06:39 +00:00
gotSignal := waitForSignal()
klog.InfoS("webhook exiting", "signal", gotSignal)
cmd/test-webhook: first draft of webhook The webhook still needs to be updated to auto generate its certificates. We decided not to give this webhook its own go module for now since this webhook only pulled in one more dependency, and it is a dependency that we will most likely need in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 19:27:30 +00:00
return nil
}
func main() {
if err := run(); err != nil {
klog.Fatal(err)
}
}
Reference in New Issue Copy Permalink