/* Copyright 2020 VMware, Inc. SPDX-License-Identifier: Apache-2.0 */ // Package app is the command line entry point for placeholder-name. package app import ( "context" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "io" "time" "github.com/spf13/cobra" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/intstr" genericapiserver "k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server/dynamiccertificates" genericoptions "k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" "k8s.io/client-go/kubernetes" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" restclient "k8s.io/client-go/rest" apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" aggregationv1client "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" placeholderv1alpha1 "github.com/suzerain-io/placeholder-name-api/pkg/apis/placeholder/v1alpha1" "github.com/suzerain-io/placeholder-name/internal/autoregistration" "github.com/suzerain-io/placeholder-name/internal/certauthority" "github.com/suzerain-io/placeholder-name/internal/downward" "github.com/suzerain-io/placeholder-name/pkg/apiserver" "github.com/suzerain-io/placeholder-name/pkg/config" ) // App is an object that represents the placeholder-name application. type App struct { cmd *cobra.Command // CLI flags configPath string downwardAPIPath string clusterSigningCertFilePath string clusterSigningKeyFilePath string recommendedOptions *genericoptions.RecommendedOptions } // This is ignored for now because we turn off etcd storage below, but this is // the right prefix in case we turn it back on. const defaultEtcdPathPrefix = "/registry/" + placeholderv1alpha1.GroupName // New constructs a new App with command line args, stdout and stderr. func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App { a := &App{ recommendedOptions: genericoptions.NewRecommendedOptions( defaultEtcdPathPrefix, apiserver.Codecs.LegacyCodec(placeholderv1alpha1.SchemeGroupVersion), // TODO we should check to see if all the other default settings are acceptable for us ), } a.recommendedOptions.Etcd = nil // turn off etcd storage because we don't need it yet cmd := &cobra.Command{ Use: `placeholder-name`, Long: `placeholder-name provides a generic API for mapping an external credential from somewhere to an internal credential to be used for authenticating to the Kubernetes API.`, RunE: func(cmd *cobra.Command, args []string) error { // Load the Kubernetes client configuration (kubeconfig), kubeConfig, err := restclient.InClusterConfig() if err != nil { return fmt.Errorf("could not load in-cluster configuration: %w", err) } // explicitly use protobuf when talking to built-in kube APIs protoKubeConfig := createProtoKubeConfig(kubeConfig) // Connect to the core Kubernetes API. k8s, err := kubernetes.NewForConfig(protoKubeConfig) if err != nil { return fmt.Errorf("could not initialize Kubernetes client: %w", err) } // Connect to the Kubernetes aggregation API. aggregation, err := aggregationv1client.NewForConfig(protoKubeConfig) if err != nil { return fmt.Errorf("could not initialize Kubernetes client: %w", err) } return a.run(ctx, k8s.CoreV1(), aggregation) }, Args: cobra.NoArgs, } cmd.SetArgs(args) cmd.SetOut(stdout) cmd.SetErr(stderr) cmd.Flags().StringVarP( &a.configPath, "config", "c", "placeholder-name.yaml", "path to configuration file", ) cmd.Flags().StringVar( &a.downwardAPIPath, "downward-api-path", "/etc/podinfo", "path to Downward API volume mount", ) cmd.Flags().StringVar( &a.clusterSigningCertFilePath, "cluster-signing-cert-file", "", "path to cluster signing certificate", ) cmd.Flags().StringVar( &a.clusterSigningKeyFilePath, "cluster-signing-key-file", "", "path to cluster signing private key", ) a.cmd = cmd return a } func (a *App) Run() error { return a.cmd.Execute() } func (a *App) run( ctx context.Context, k8s corev1client.CoreV1Interface, aggregation aggregationv1client.Interface, ) error { cfg, err := config.FromPath(a.configPath) if err != nil { return fmt.Errorf("could not load config: %w", err) } // Load the Kubernetes cluster signing CA. clientCA, err := certauthority.Load(a.clusterSigningCertFilePath, a.clusterSigningKeyFilePath) if err != nil { return fmt.Errorf("could not load cluster signing CA: %w", err) } webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig) if err != nil { return fmt.Errorf("could not create webhook client: %w", err) } podinfo, err := downward.Load(a.downwardAPIPath) if err != nil { return fmt.Errorf("could not read pod metadata: %w", err) } // TODO use the postStart hook to generate certs? apiCA, err := certauthority.New(pkix.Name{CommonName: "Placeholder CA"}) if err != nil { return fmt.Errorf("could not initialize CA: %w", err) } const serviceName = "placeholder-name-api" cert, err := apiCA.Issue( pkix.Name{CommonName: serviceName + "." + podinfo.Namespace + ".svc"}, []string{}, 24*365*time.Hour, ) if err != nil { return fmt.Errorf("could not issue serving certificate: %w", err) } // Dynamically register our v1alpha1 API service. service := corev1.Service{ ObjectMeta: metav1.ObjectMeta{Name: serviceName}, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ { Protocol: corev1.ProtocolTCP, Port: 443, TargetPort: intstr.IntOrString{IntVal: 443}, }, }, Selector: podinfo.Labels, Type: corev1.ServiceTypeClusterIP, }, } apiService := apiregistrationv1.APIService{ ObjectMeta: metav1.ObjectMeta{ Name: placeholderv1alpha1.SchemeGroupVersion.Version + "." + placeholderv1alpha1.GroupName, }, Spec: apiregistrationv1.APIServiceSpec{ Group: placeholderv1alpha1.GroupName, Version: placeholderv1alpha1.SchemeGroupVersion.Version, CABundle: apiCA.Bundle(), GroupPriorityMinimum: 2500, // TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io VersionPriority: 10, // TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io }, } if err := autoregistration.Setup(ctx, autoregistration.SetupOptions{ CoreV1: k8s, AggregationV1: aggregation, Namespace: podinfo.Namespace, ServiceTemplate: service, APIServiceTemplate: apiService, }); err != nil { return fmt.Errorf("could not register API service: %w", err) } apiServerConfig, err := a.ConfigServer(cert, webhookTokenAuthenticator, clientCA) if err != nil { return err } server, err := apiServerConfig.Complete().New() if err != nil { return fmt.Errorf("could not issue serving certificate: %w", err) } return server.GenericAPIServer.PrepareRun().Run(ctx.Done()) } func (a *App) ConfigServer(cert *tls.Certificate, webhookTokenAuthenticator *webhook.WebhookTokenAuthenticator, ca *certauthority.CA) (*apiserver.Config, error) { provider, err := createStaticCertKeyProvider(cert) if err != nil { return nil, fmt.Errorf("could not create static cert key provider: %w", err) } a.recommendedOptions.SecureServing.ServerCert.GeneratedCert = provider serverConfig := genericapiserver.NewRecommendedConfig(apiserver.Codecs) if err := a.recommendedOptions.ApplyTo(serverConfig); err != nil { return nil, err } apiServerConfig := &apiserver.Config{ GenericConfig: serverConfig, ExtraConfig: apiserver.ExtraConfig{ Webhook: webhookTokenAuthenticator, Issuer: ca, }, } return apiServerConfig, nil } // createProtoKubeConfig returns a copy of the input config with the ContentConfig set to use protobuf. // do not use this config to communicate with any CRD based APIs. func createProtoKubeConfig(kubeConfig *restclient.Config) *restclient.Config { protoKubeConfig := restclient.CopyConfig(kubeConfig) const protoThenJSON = runtime.ContentTypeProtobuf + "," + runtime.ContentTypeJSON protoKubeConfig.AcceptContentTypes = protoThenJSON protoKubeConfig.ContentType = runtime.ContentTypeProtobuf return protoKubeConfig } func createStaticCertKeyProvider(cert *tls.Certificate) (dynamiccertificates.CertKeyContentProvider, error) { privateKeyDER, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey) if err != nil { return nil, fmt.Errorf("error marshalling private key: %w", err) } privateKeyPEM := pem.EncodeToMemory(&pem.Block{ Type: "PRIVATE KEY", Headers: nil, Bytes: privateKeyDER, }) certChainPEM := make([]byte, 0) for _, certFromChain := range cert.Certificate { certPEMBytes := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Headers: nil, Bytes: certFromChain, }) certChainPEM = append(certChainPEM, certPEMBytes...) } return dynamiccertificates.NewStaticCertKeyContent("some-name???", certChainPEM, privateKeyPEM) }