ContainerImage.Pinniped/pkg/config/webhook.go
2020-08-20 10:54:15 -07:00

78 lines
2.4 KiB
Go

/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package config
import (
"fmt"
"io"
"io/ioutil"
"os"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
"github.com/suzerain-io/pinniped/pkg/config/api"
)
// NewWebhook creates a webhook from the provided API server url and caBundle
// used to validate TLS connections.
func NewWebhook(spec api.WebhookConfigSpec) (*webhook.WebhookTokenAuthenticator, error) {
kubeconfig, err := ioutil.TempFile("", "pinniped-webhook-kubeconfig-*")
if err != nil {
return nil, fmt.Errorf("create temp file: %w", err)
}
defer os.Remove(kubeconfig.Name())
if err := anonymousKubeconfig(spec.URL, spec.CABundle, kubeconfig); err != nil {
return nil, fmt.Errorf("anonymous kubeconfig: %w", err)
}
// We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired
// integration points.
version := authenticationv1beta1.SchemeGroupVersion.Version
// At the current time, we don't provide any audiences because we simply don't
// have any requirements to do so. This can be changed in the future as
// requirements change.
var implicitAuds authenticator.Audiences
// We set this to nil because we would only need this to support some of the
// custom proxy stuff used by the API server.
var customDial utilnet.DialFunc
return webhook.New(kubeconfig.Name(), version, implicitAuds, customDial)
}
// anonymousKubeconfig writes a kubeconfig file to the provided io.Writer that
// will "use" anonymous auth to talk to a Kube API server at the provided url
// with the provided caBundle.
func anonymousKubeconfig(url string, caBundle []byte, out io.Writer) error {
config := clientcmdapi.NewConfig()
config.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{
Server: url,
CertificateAuthorityData: caBundle,
}
config.Contexts["anonymous"] = &clientcmdapi.Context{
Cluster: "anonymous-cluster",
}
config.CurrentContext = "anonymous"
data, err := clientcmd.Write(*config)
if err != nil {
return fmt.Errorf("marshal config: %w", err)
}
if _, err := out.Write(data); err != nil {
return fmt.Errorf("write config: %w", err)
}
return nil
}