// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package server is the command line entry point for pinniped-concierge.
package server
import (
"context"
"fmt"
"io"
"time"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options"
loginapi "go.pinniped.dev/generated/1.20/apis/concierge/login"
loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
"go.pinniped.dev/internal/certauthority/dynamiccertauthority"
"go.pinniped.dev/internal/concierge/apiserver"
"go.pinniped.dev/internal/config/concierge"
"go.pinniped.dev/internal/controller/authenticator/authncache"
"go.pinniped.dev/internal/controllermanager"
"go.pinniped.dev/internal/downward"
"go.pinniped.dev/internal/dynamiccert"
"go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/registry/credentialrequest"
)
// App is an object that represents the pinniped-concierge application.
// It owns the root cobra command and the values of the command line flags
// that addCommandlineFlagsToCommand binds onto it.
type App struct {
	// cmd is the root command built by addServerCommand and executed by Run.
	cmd *cobra.Command

	// CLI flags
	configPath      string // --config/-c: path to the concierge configuration file
	downwardAPIPath string // --downward-api-path: path to the Downward API volume mount
}
// New constructs a new App with command line args, stdout and stderr.
// The returned App already carries its root command; the caller drives it
// with Run. ctx is captured by the command and is what eventually stops the
// server.
func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App {
	a := new(App)
	a.addServerCommand(ctx, args, stdout, stderr)
	return a
}
// Run executes the root command that New installed on the App and returns
// whatever cobra reports: a flag-parsing error or the error from runServer.
func (a *App) Run() error {
	rootCmd := a.cmd
	return rootCmd.Execute()
}
// addServerCommand builds the "pinniped-concierge" root command, wires its
// args, output writers and flags, and stores it in a.cmd for Run to execute.
// The command's RunE ignores cobra's positional args (cobra.NoArgs rejects
// any) and simply runs the server with the ctx captured here.
func (a *App) addServerCommand(ctx context.Context, args []string, stdout, stderr io.Writer) {
	serverCmd := &cobra.Command{
		Use: "pinniped-concierge",
		Long: here.Doc(`
			pinniped-concierge provides a generic API for mapping an external
			credential from somewhere to an internal credential to be used for
			authenticating to the Kubernetes API.`),
		Args: cobra.NoArgs,
		RunE: func(_ *cobra.Command, _ []string) error {
			return a.runServer(ctx)
		},
	}

	serverCmd.SetArgs(args)
	serverCmd.SetOut(stdout)
	serverCmd.SetErr(stderr)
	addCommandlineFlagsToCommand(serverCmd, a)

	a.cmd = serverCmd
}
// addCommandlineFlagsToCommand defines the app's command line flags on cmd and
// binds them to the matching fields of app. It also strips the klog global
// flags that would otherwise leak into the command's flag set.
func addCommandlineFlagsToCommand(cmd *cobra.Command, app *App) {
	flags := cmd.Flags()

	flags.StringVarP(
		&app.configPath,
		"config", "c",
		"pinniped.yaml",
		"path to configuration file",
	)

	flags.StringVar(
		&app.downwardAPIPath,
		"downward-api-path",
		"/etc/podinfo",
		"path to Downward API volume mount",
	)

	plog.RemoveKlogGlobalFlags()
}
// runServer boots the aggregated API server, whose post-start hook in turn
// starts the controllers. It blocks until ctx is done or the server stops,
// and returns the first error hit while loading config, reading pod metadata,
// preparing controllers or configuring the server.
func (a *App) runServer(ctx context.Context) error {
	cfg, err := concierge.FromPath(a.configPath)
	if err != nil {
		return fmt.Errorf("could not load config: %w", err)
	}

	// The Downward API volume tells us which namespace we run in.
	podInfo, err := downward.Load(a.downwardAPIPath)
	if err != nil {
		return fmt.Errorf("could not read pod metadata: %w", err)
	}

	// Cache of the currently active authenticators, shared between the
	// controllers (which fill it) and the API server (which reads it).
	authenticatorCache := authncache.New()

	// servingCertProvider hands TLS serving certs to the API server. A
	// controller mutates it to track the contents of a k8s Secret, so it
	// doubles as an in-memory copy of that Secret and keeps request handling
	// fast.
	servingCertProvider := dynamiccert.New()

	// signingCertProvider supplies the signing key used by the cert issuer
	// that mints client certs for Pinniped clients logging in.
	signingCertProvider := dynamiccert.New()

	// Prepare the controllers now; they are only started from the aggregated
	// API server's post-start hook.
	servingCertCfg := cfg.APIConfig.ServingCertificateConfig
	controllersConfig := &controllermanager.Config{
		ServerInstallationInfo:     podInfo,
		APIGroupSuffix:             *cfg.APIGroupSuffix,
		NamesConfig:                &cfg.NamesConfig,
		Labels:                     cfg.Labels,
		KubeCertAgentConfig:        &cfg.KubeCertAgentConfig,
		DiscoveryURLOverride:       cfg.DiscoveryInfo.URL,
		DynamicServingCertProvider: servingCertProvider,
		DynamicSigningCertProvider: signingCertProvider,
		ServingCertDuration:        time.Duration(*servingCertCfg.DurationSeconds) * time.Second,
		ServingCertRenewBefore:     time.Duration(*servingCertCfg.RenewBeforeSeconds) * time.Second,
		AuthenticatorCache:         authenticatorCache,
	}
	startControllers, err := controllermanager.PrepareControllers(controllersConfig)
	if err != nil {
		return fmt.Errorf("could not prepare controllers: %w", err)
	}

	// Build the aggregated API server config from the shared providers.
	apiServerConfig, err := getAggregatedAPIServerConfig(
		servingCertProvider,
		authenticatorCache,
		dynamiccertauthority.New(signingCertProvider),
		startControllers,
		*cfg.APIGroupSuffix,
	)
	if err != nil {
		return fmt.Errorf("could not configure aggregated API server: %w", err)
	}

	completedConfig := apiServerConfig.Complete()
	srv, err := completedConfig.New()
	if err != nil {
		return fmt.Errorf("could not create aggregated API server: %w", err)
	}

	// Serve until ctx is cancelled; the post-start hook starts the controllers.
	return srv.GenericAPIServer.PrepareRun().Run(ctx.Done())
}
// getAggregatedAPIServerConfig creates the configuration for the aggregated
// API server. The login API group is derived from loginv1alpha1.GroupName and
// apiGroupSuffix; an error is returned when that combination is not a valid
// group. dynamicCertProvider becomes the server's TLS cert source,
// authenticator and issuer back the TokenCredentialRequest endpoint, and
// startControllersPostStartHook is run once the server is up.
func getAggregatedAPIServerConfig(
	dynamicCertProvider dynamiccert.Provider,
	authenticator credentialrequest.TokenCredentialRequestAuthenticator,
	issuer credentialrequest.CertIssuer,
	startControllersPostStartHook func(context.Context),
	apiGroupSuffix string,
) (*apiserver.Config, error) {
	apiGroup, ok := groupsuffix.Replace(loginv1alpha1.GroupName, apiGroupSuffix)
	if !ok {
		return nil, fmt.Errorf("cannot make api group from %s/%s", loginv1alpha1.GroupName, apiGroupSuffix)
	}

	scheme := getAggregatedAPIServerScheme(apiGroup, apiGroupSuffix)
	codecs := serializer.NewCodecFactory(scheme)
	groupVersion := schema.GroupVersion{
		Group:   apiGroup,
		Version: loginv1alpha1.SchemeGroupVersion.Version,
	}

	opts := genericoptions.NewRecommendedOptions(
		fmt.Sprintf("/registry/%s", apiGroup),
		codecs.LegacyCodec(groupVersion),
	)
	opts.Etcd = nil // turn off etcd storage because we don't need it yet
	opts.SecureServing.ServerCert.GeneratedCert = dynamicCertProvider
	opts.SecureServing.BindPort = 8443 // Don't run on default 443 because that requires root

	genericConfig := genericapiserver.NewRecommendedConfig(codecs)
	// ApplyTo copies opts.SecureServing.ServerCert.GeneratedCert into
	// genericConfig.SecureServing.Cert, which is how dynamicCertProvider
	// becomes the cert source of the running server. The API machinery polls
	// the provider; while it returns nil certs every request is answered with
	// "the server is currently unable to handle the request", and once it
	// returns certs again requests are served normally.
	if err := opts.ApplyTo(genericConfig); err != nil {
		return nil, err
	}

	return &apiserver.Config{
		GenericConfig: genericConfig,
		ExtraConfig: apiserver.ExtraConfig{
			Authenticator:                 authenticator,
			Issuer:                        issuer,
			StartControllersPostStartHook: startControllersPostStartHook,
			Scheme:                        scheme,
			NegotiatedSerializer:          codecs,
			GroupVersion:                  groupVersion,
		},
	}, nil
}
// getAggregatedAPIServerScheme builds the runtime.Scheme for the aggregated API
// server. loginConciergeAPIGroup is the login API group after apiGroupSuffix
// has been applied. When it equals the standard loginv1alpha1.GroupName the
// generated AddToScheme functions are used unchanged; otherwise the generated
// types are re-registered under the suffixed group and a defaulting func is
// installed that maps the authenticator API group of incoming
// TokenCredentialRequests back to the standard group (or to a guaranteed
// authenticator-cache miss when the group is absent or not ours).
func getAggregatedAPIServerScheme(loginConciergeAPIGroup, apiGroupSuffix string) *runtime.Scheme {
	// standard set up of the server side scheme
	scheme := runtime.NewScheme()

	// add the options to empty v1
	metav1.AddToGroupVersion(scheme, metav1.Unversioned)

	// nothing fancy is required if using the standard group
	if loginConciergeAPIGroup == loginv1alpha1.GroupName {
		utilruntime.Must(loginv1alpha1.AddToScheme(scheme))
		utilruntime.Must(loginapi.AddToScheme(scheme))
		return scheme
	}

	// we need a temporary place to register our types to avoid double registering them
	tmpScheme := runtime.NewScheme()
	utilruntime.Must(loginv1alpha1.AddToScheme(tmpScheme))
	utilruntime.Must(loginapi.AddToScheme(tmpScheme))

	for gvk := range tmpScheme.AllKnownTypes() {
		if gvk.GroupVersion() == metav1.Unversioned {
			continue // metav1.AddToGroupVersion registers types outside of our aggregated API group that we need to ignore
		}

		if gvk.Group != loginv1alpha1.GroupName {
			panic("tmp scheme has types not in the aggregated API group: " + gvk.Group) // programmer error
		}

		obj, err := tmpScheme.New(gvk)
		if err != nil {
			panic(err) // programmer error, scheme internal code is broken
		}
		// same version and kind, only the group is swapped for the suffixed one
		newGVK := schema.GroupVersionKind{
			Group:   loginConciergeAPIGroup,
			Version: gvk.Version,
			Kind:    gvk.Kind,
		}

		// register the existing type but with the new group in the correct scheme
		scheme.AddKnownTypeWithName(newGVK, obj)
	}

	// manually register conversions and defaulting into the correct scheme since we cannot directly call loginv1alpha1.AddToScheme
	utilruntime.Must(loginv1alpha1.RegisterConversions(scheme))
	utilruntime.Must(loginv1alpha1.RegisterDefaults(scheme))

	// we do not want to return errors from the scheme and instead would prefer to defer
	// to the REST storage layer for consistency. The simplest way to do this is to force
	// a cache miss from the authenticator cache. Kube API groups are validated via the
	// IsDNS1123Subdomain func thus we can easily create a group that is guaranteed never
	// to be in the authenticator cache. Add a timestamp just to be extra sure.
	// Note that a single string value is shared by every request that gets the
	// cache-miss group; the defaulting func below only ever points at it, it never writes through it.
	const authenticatorCacheMissPrefix = "_INVALID_API_GROUP_"
	authenticatorCacheMiss := authenticatorCacheMissPrefix + time.Now().UTC().String()

	// we do not have any defaulting functions for *loginv1alpha1.TokenCredentialRequest
	// today, but we may have some in the future. Calling AddTypeDefaultingFunc overwrites
	// any previously registered defaulting function. Thus to make sure that we catch
	// a situation where we add a defaulting func, we attempt to call it here with a nil
	// *loginv1alpha1.TokenCredentialRequest. This will do nothing when there is no
	// defaulting func registered, but it will almost certainly panic if one is added.
	scheme.Default((*loginv1alpha1.TokenCredentialRequest)(nil))

	// on incoming requests, restore the authenticator API group to the standard group
	// note that we are responsible for duplicating this logic for every external API version.
	// A request whose authenticator group is nil or does not carry our suffix is
	// deliberately not rejected here but steered to a group that cannot match any
	// cached authenticator, so it fails at the REST storage layer like any other lookup miss.
	scheme.AddTypeDefaultingFunc(&loginv1alpha1.TokenCredentialRequest{}, func(obj interface{}) {
		credentialRequest := obj.(*loginv1alpha1.TokenCredentialRequest)

		if credentialRequest.Spec.Authenticator.APIGroup == nil {
			// force a cache miss because this is an invalid request
			plog.Debug("invalid token credential request, nil group", "authenticator", credentialRequest.Spec.Authenticator)
			credentialRequest.Spec.Authenticator.APIGroup = &authenticatorCacheMiss
			return
		}

		restoredGroup, ok := groupsuffix.Unreplace(*credentialRequest.Spec.Authenticator.APIGroup, apiGroupSuffix)
		if !ok {
			// force a cache miss because this is an invalid request
			plog.Debug("invalid token credential request, wrong group", "authenticator", credentialRequest.Spec.Authenticator)
			credentialRequest.Spec.Authenticator.APIGroup = &authenticatorCacheMiss
			return
		}

		// restoredGroup is a fresh local per call, so each request gets its own pointer
		credentialRequest.Spec.Authenticator.APIGroup = &restoredGroup
	})

	return scheme
}