2020-09-16 14:19:51 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2020-09-09 19:27:30 +00:00
|
|
|
|
|
|
|
// Package main provides a authentication webhook program.
|
|
|
|
//
|
|
|
|
// This webhook is meant to be used in demo settings to play around with
|
|
|
|
// Pinniped. As well, it can come in handy in integration tests.
|
|
|
|
//
|
2020-09-10 02:06:39 +00:00
|
|
|
// This webhook is NOT meant for use in production systems.
|
2020-09-09 19:27:30 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"context"
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/csv"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2020-09-10 22:00:53 +00:00
|
|
|
"mime"
|
2020-09-09 19:27:30 +00:00
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"os"
|
|
|
|
"os/signal"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
2020-09-11 16:14:12 +00:00
|
|
|
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
|
2020-09-09 19:27:30 +00:00
|
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
2020-09-11 19:19:05 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2020-09-09 19:27:30 +00:00
|
|
|
kubeinformers "k8s.io/client-go/informers"
|
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
restclient "k8s.io/client-go/rest"
|
|
|
|
"k8s.io/klog/v2"
|
|
|
|
|
2020-09-18 19:56:24 +00:00
|
|
|
"go.pinniped.dev/internal/constable"
|
|
|
|
"go.pinniped.dev/internal/controller/apicerts"
|
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
2020-09-23 12:26:59 +00:00
|
|
|
"go.pinniped.dev/internal/dynamiccert"
|
2020-09-09 19:27:30 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2020-09-10 02:06:39 +00:00
|
|
|
// This string must match the name of the Namespace declared in the deployment yaml.
|
2020-09-10 22:20:02 +00:00
|
|
|
namespace = "local-user-authenticator"
|
2020-09-10 02:06:39 +00:00
|
|
|
// This string must match the name of the Service declared in the deployment yaml.
|
2020-09-10 22:20:02 +00:00
|
|
|
serviceName = "local-user-authenticator"
|
2020-09-09 19:27:30 +00:00
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
singletonWorker = 1
|
2020-09-09 19:27:30 +00:00
|
|
|
defaultResyncInterval = 3 * time.Minute
|
2020-09-11 01:34:18 +00:00
|
|
|
|
|
|
|
invalidRequest = constable.Error("invalid request")
|
2020-09-09 19:27:30 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type webhook struct {
|
2020-09-23 12:26:59 +00:00
|
|
|
certProvider dynamiccert.Provider
|
2020-09-09 19:27:30 +00:00
|
|
|
secretInformer corev1informers.SecretInformer
|
|
|
|
}
|
|
|
|
|
|
|
|
func newWebhook(
|
2020-09-23 12:26:59 +00:00
|
|
|
certProvider dynamiccert.Provider,
|
2020-09-09 19:27:30 +00:00
|
|
|
secretInformer corev1informers.SecretInformer,
|
|
|
|
) *webhook {
|
|
|
|
return &webhook{
|
|
|
|
certProvider: certProvider,
|
|
|
|
secretInformer: secretInformer,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// start runs the webhook in a separate goroutine and returns whether or not the
|
|
|
|
// webhook was started successfully.
|
|
|
|
func (w *webhook) start(ctx context.Context, l net.Listener) error {
|
|
|
|
server := http.Server{
|
|
|
|
Handler: w,
|
|
|
|
TLSConfig: &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS13,
|
|
|
|
GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
|
|
certPEM, keyPEM := w.certProvider.CurrentCertKeyContent()
|
|
|
|
cert, err := tls.X509KeyPair(certPEM, keyPEM)
|
|
|
|
return &cert, err
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
errCh := make(chan error)
|
|
|
|
go func() {
|
|
|
|
// Per ListenAndServeTLS doc, the {cert,key}File parameters can be empty
|
|
|
|
// since we want to use the certs from http.Server.TLSConfig.
|
|
|
|
errCh <- server.ServeTLS(l, "", "")
|
|
|
|
}()
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
select {
|
|
|
|
case err := <-errCh:
|
|
|
|
klog.InfoS("server exited", "err", err)
|
|
|
|
case <-ctx.Done():
|
|
|
|
klog.InfoS("server context cancelled", "err", ctx.Err())
|
|
|
|
if err := server.Shutdown(context.Background()); err != nil {
|
|
|
|
klog.InfoS("server shutdown failed", "err", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
|
2020-09-11 01:34:18 +00:00
|
|
|
username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
|
|
|
|
if err != nil {
|
2020-09-09 19:27:30 +00:00
|
|
|
return
|
|
|
|
}
|
2020-10-27 23:33:08 +00:00
|
|
|
defer func() { _ = req.Body.Close() }()
|
2020-09-09 19:27:30 +00:00
|
|
|
|
|
|
|
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
|
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
if err != nil && !notFound {
|
|
|
|
klog.InfoS("could not get secret", "err", err)
|
|
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if notFound {
|
2020-09-10 20:37:25 +00:00
|
|
|
klog.InfoS("user not found")
|
2020-09-09 19:27:30 +00:00
|
|
|
respondWithUnauthenticated(rsp)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
passwordMatches := bcrypt.CompareHashAndPassword(
|
|
|
|
secret.Data["passwordHash"],
|
|
|
|
[]byte(password),
|
|
|
|
) == nil
|
|
|
|
if !passwordMatches {
|
2020-09-11 20:08:54 +00:00
|
|
|
klog.InfoS("authentication failed: wrong password")
|
2020-09-09 19:27:30 +00:00
|
|
|
respondWithUnauthenticated(rsp)
|
2020-09-10 02:06:39 +00:00
|
|
|
return
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
groups := []string{}
|
2020-09-09 19:27:30 +00:00
|
|
|
groupsBuf := bytes.NewBuffer(secret.Data["groups"])
|
2020-09-10 02:06:39 +00:00
|
|
|
if groupsBuf.Len() > 0 {
|
|
|
|
groupsCSVReader := csv.NewReader(groupsBuf)
|
|
|
|
groups, err = groupsCSVReader.Read()
|
|
|
|
if err != nil {
|
|
|
|
klog.InfoS("could not read groups", "err", err)
|
|
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
trimLeadingAndTrailingWhitespace(groups)
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
|
2020-09-10 20:37:25 +00:00
|
|
|
klog.InfoS("successful authentication")
|
2020-09-09 19:27:30 +00:00
|
|
|
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups)
|
|
|
|
}
|
|
|
|
|
2020-09-11 01:34:18 +00:00
|
|
|
func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Request) (string, string, error) {
|
|
|
|
if req.URL.Path != "/authenticate" {
|
|
|
|
klog.InfoS("received request path other than /authenticate", "path", req.URL.Path)
|
|
|
|
rsp.WriteHeader(http.StatusNotFound)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
if req.Method != http.MethodPost {
|
|
|
|
klog.InfoS("received request method other than post", "method", req.Method)
|
|
|
|
rsp.WriteHeader(http.StatusMethodNotAllowed)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
if !headerContains(req, "Content-Type", "application/json") {
|
|
|
|
klog.InfoS("content type is not application/json", "Content-Type", req.Header.Values("Content-Type"))
|
|
|
|
rsp.WriteHeader(http.StatusUnsupportedMediaType)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
if !headerContains(req, "Accept", "application/json") &&
|
|
|
|
!headerContains(req, "Accept", "application/*") &&
|
|
|
|
!headerContains(req, "Accept", "*/*") {
|
|
|
|
klog.InfoS("client does not accept application/json", "Accept", req.Header.Values("Accept"))
|
|
|
|
rsp.WriteHeader(http.StatusUnsupportedMediaType)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
2020-09-11 16:44:45 +00:00
|
|
|
if req.Body == nil {
|
|
|
|
klog.InfoS("invalid nil body")
|
|
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
2020-09-11 16:14:12 +00:00
|
|
|
var body authenticationv1beta1.TokenReview
|
2020-09-11 01:34:18 +00:00
|
|
|
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
|
|
|
|
klog.InfoS("failed to decode body", "err", err)
|
|
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
2020-09-11 16:14:12 +00:00
|
|
|
if body.APIVersion != authenticationv1beta1.SchemeGroupVersion.String() {
|
2020-09-11 16:06:50 +00:00
|
|
|
klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
|
|
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
if body.Kind != "TokenReview" {
|
|
|
|
klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
|
|
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
2020-09-11 01:34:18 +00:00
|
|
|
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
|
|
|
|
if len(tokenSegments) != 2 {
|
|
|
|
klog.InfoS("bad token format in request")
|
|
|
|
rsp.WriteHeader(http.StatusBadRequest)
|
|
|
|
return "", "", invalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
return tokenSegments[0], tokenSegments[1], nil
|
|
|
|
}
|
|
|
|
|
2020-09-10 22:00:53 +00:00
|
|
|
func headerContains(req *http.Request, headerName, s string) bool {
|
|
|
|
headerValues := req.Header.Values(headerName)
|
|
|
|
for i := range headerValues {
|
|
|
|
mimeTypes := strings.Split(headerValues[i], ",")
|
|
|
|
for _, mimeType := range mimeTypes {
|
|
|
|
mediaType, _, _ := mime.ParseMediaType(mimeType)
|
|
|
|
if mediaType == s {
|
|
|
|
return true
|
|
|
|
}
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
func trimLeadingAndTrailingWhitespace(ss []string) {
|
2020-09-09 19:27:30 +00:00
|
|
|
for i := range ss {
|
|
|
|
ss[i] = strings.TrimSpace(ss[i])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func respondWithUnauthenticated(rsp http.ResponseWriter) {
|
|
|
|
rsp.Header().Add("Content-Type", "application/json")
|
2020-09-11 19:19:05 +00:00
|
|
|
|
|
|
|
body := authenticationv1beta1.TokenReview{
|
|
|
|
TypeMeta: metav1.TypeMeta{
|
|
|
|
Kind: "TokenReview",
|
|
|
|
APIVersion: authenticationv1beta1.SchemeGroupVersion.String(),
|
|
|
|
},
|
|
|
|
Status: authenticationv1beta1.TokenReviewStatus{
|
|
|
|
Authenticated: false,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if err := json.NewEncoder(rsp).Encode(body); err != nil {
|
|
|
|
klog.InfoS("could not encode response", "err", err)
|
|
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
|
|
}
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func respondWithAuthenticated(
|
|
|
|
rsp http.ResponseWriter,
|
|
|
|
username, uid string,
|
|
|
|
groups []string,
|
|
|
|
) {
|
|
|
|
rsp.Header().Add("Content-Type", "application/json")
|
2020-09-11 19:19:05 +00:00
|
|
|
body := authenticationv1beta1.TokenReview{
|
|
|
|
TypeMeta: metav1.TypeMeta{
|
|
|
|
Kind: "TokenReview",
|
|
|
|
APIVersion: authenticationv1beta1.SchemeGroupVersion.String(),
|
|
|
|
},
|
|
|
|
Status: authenticationv1beta1.TokenReviewStatus{
|
|
|
|
Authenticated: true,
|
|
|
|
User: authenticationv1beta1.UserInfo{
|
|
|
|
Username: username,
|
|
|
|
Groups: groups,
|
|
|
|
UID: uid,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if err := json.NewEncoder(rsp).Encode(body); err != nil {
|
2020-09-09 19:27:30 +00:00
|
|
|
klog.InfoS("could not encode response", "err", err)
|
|
|
|
rsp.WriteHeader(http.StatusInternalServerError)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func newK8sClient() (kubernetes.Interface, error) {
|
|
|
|
kubeConfig, err := restclient.InClusterConfig()
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Connect to the core Kubernetes API.
|
|
|
|
kubeClient, err := kubernetes.NewForConfig(kubeConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return kubeClient, nil
|
|
|
|
}
|
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
func startControllers(
|
|
|
|
ctx context.Context,
|
2020-09-23 12:26:59 +00:00
|
|
|
dynamicCertProvider dynamiccert.Provider,
|
2020-09-10 02:06:39 +00:00
|
|
|
kubeClient kubernetes.Interface,
|
|
|
|
kubeInformers kubeinformers.SharedInformerFactory,
|
|
|
|
) {
|
|
|
|
aVeryLongTime := time.Hour * 24 * 365 * 100
|
|
|
|
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
const certsSecretResourceName = "local-user-authenticator-tls-serving-certificate"
|
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
// Create controller manager.
|
|
|
|
controllerManager := controllerlib.
|
|
|
|
NewManager().
|
|
|
|
WithController(
|
|
|
|
apicerts.NewCertsManagerController(
|
|
|
|
namespace,
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
certsSecretResourceName,
|
2020-10-15 17:14:23 +00:00
|
|
|
map[string]string{
|
|
|
|
"app": "local-user-authenticator",
|
|
|
|
},
|
2020-09-10 02:06:39 +00:00
|
|
|
kubeClient,
|
|
|
|
kubeInformers.Core().V1().Secrets(),
|
|
|
|
controllerlib.WithInformer,
|
|
|
|
controllerlib.WithInitialEvent,
|
|
|
|
aVeryLongTime,
|
2020-09-10 22:20:02 +00:00
|
|
|
"local-user-authenticator CA",
|
2020-09-10 02:06:39 +00:00
|
|
|
serviceName,
|
|
|
|
),
|
|
|
|
singletonWorker,
|
|
|
|
).
|
|
|
|
WithController(
|
|
|
|
apicerts.NewCertsObserverController(
|
|
|
|
namespace,
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
certsSecretResourceName,
|
2020-09-10 02:06:39 +00:00
|
|
|
dynamicCertProvider,
|
|
|
|
kubeInformers.Core().V1().Secrets(),
|
|
|
|
controllerlib.WithInformer,
|
|
|
|
),
|
|
|
|
singletonWorker,
|
|
|
|
)
|
|
|
|
|
|
|
|
kubeInformers.Start(ctx.Done())
|
|
|
|
|
|
|
|
go controllerManager.Start(ctx)
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func startWebhook(
|
|
|
|
ctx context.Context,
|
|
|
|
l net.Listener,
|
2020-09-23 12:26:59 +00:00
|
|
|
dynamicCertProvider dynamiccert.Provider,
|
2020-09-09 19:27:30 +00:00
|
|
|
secretInformer corev1informers.SecretInformer,
|
|
|
|
) error {
|
2020-09-10 02:06:39 +00:00
|
|
|
return newWebhook(dynamicCertProvider, secretInformer).start(ctx, l)
|
2020-09-09 19:27:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func waitForSignal() os.Signal {
|
|
|
|
signalCh := make(chan os.Signal, 1)
|
|
|
|
signal.Notify(signalCh, os.Interrupt)
|
|
|
|
return <-signalCh
|
|
|
|
}
|
|
|
|
|
|
|
|
func run() error {
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
kubeClient, err := newK8sClient()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot create k8s client: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(
|
|
|
|
kubeClient,
|
|
|
|
defaultResyncInterval,
|
|
|
|
kubeinformers.WithNamespace(namespace),
|
|
|
|
)
|
|
|
|
|
2020-09-23 12:26:59 +00:00
|
|
|
dynamicCertProvider := dynamiccert.New()
|
2020-09-10 02:06:39 +00:00
|
|
|
|
|
|
|
startControllers(ctx, dynamicCertProvider, kubeClient, kubeInformers)
|
2020-09-09 19:27:30 +00:00
|
|
|
klog.InfoS("controllers are ready")
|
|
|
|
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
//nolint: gosec // Intentionally binding to all network interfaces.
|
2020-11-02 16:57:05 +00:00
|
|
|
l, err := net.Listen("tcp", ":8443")
|
2020-09-09 19:27:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot create listener: %w", err)
|
|
|
|
}
|
2020-10-27 23:33:08 +00:00
|
|
|
defer func() { _ = l.Close() }()
|
2020-09-09 19:27:30 +00:00
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
|
|
|
|
if err != nil {
|
2020-09-09 19:27:30 +00:00
|
|
|
return fmt.Errorf("cannot start webhook: %w", err)
|
|
|
|
}
|
|
|
|
klog.InfoS("webhook is ready", "address", l.Addr().String())
|
|
|
|
|
2020-09-10 02:06:39 +00:00
|
|
|
gotSignal := waitForSignal()
|
|
|
|
klog.InfoS("webhook exiting", "signal", gotSignal)
|
2020-09-09 19:27:30 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
if err := run(); err != nil {
|
|
|
|
klog.Fatal(err)
|
|
|
|
}
|
|
|
|
}
|