mirror of
https://github.com/kubernetes/client-go.git
synced 2026-01-29 21:38:35 +00:00
e0129e64d4
* Updates ImpersonationConfig in rest/config.go to include UID attribute, and pass it through when copying the config * Updates ImpersonationConfig in transport/config.go to include UID attribute * In transport/round_tripper.go, Set the "Impersonate-Uid" header in requests based on the UID value in the config * Update auth_test.go integration test to specify a UID through the new rest.ImpersonationConfig field rather than manually setting the Impersonate-Uid header Signed-off-by: Margo Crawford <margaretc@vmware.com> Kubernetes-commit: d9ddfb26e10ee353fc4617b66d2c9274bf6d1c08
132 lines
4.1 KiB
Go
132 lines
4.1 KiB
Go
/*
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package rest
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"errors"
|
|
"net/http"
|
|
|
|
"k8s.io/client-go/pkg/apis/clientauthentication"
|
|
"k8s.io/client-go/plugin/pkg/client/auth/exec"
|
|
"k8s.io/client-go/transport"
|
|
)
|
|
|
|
// TLSConfigFor returns a tls.Config that will provide the transport level security defined
|
|
// by the provided Config. Will return nil if no transport level security is requested.
|
|
func TLSConfigFor(config *Config) (*tls.Config, error) {
|
|
cfg, err := config.TransportConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return transport.TLSConfigFor(cfg)
|
|
}
|
|
|
|
// TransportFor returns an http.RoundTripper that will provide the authentication
|
|
// or transport level security defined by the provided Config. Will return the
|
|
// default http.DefaultTransport if no special case behavior is needed.
|
|
func TransportFor(config *Config) (http.RoundTripper, error) {
|
|
cfg, err := config.TransportConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return transport.New(cfg)
|
|
}
|
|
|
|
// HTTPWrappersForConfig wraps a round tripper with any relevant layered behavior from the
|
|
// config. Exposed to allow more clients that need HTTP-like behavior but then must hijack
|
|
// the underlying connection (like WebSocket or HTTP2 clients). Pure HTTP clients should use
|
|
// the higher level TransportFor or RESTClientFor methods.
|
|
func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error) {
|
|
cfg, err := config.TransportConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return transport.HTTPWrappersForConfig(cfg, rt)
|
|
}
|
|
|
|
// TransportConfig converts a client config to an appropriate transport config.
|
|
func (c *Config) TransportConfig() (*transport.Config, error) {
|
|
conf := &transport.Config{
|
|
UserAgent: c.UserAgent,
|
|
Transport: c.Transport,
|
|
WrapTransport: c.WrapTransport,
|
|
DisableCompression: c.DisableCompression,
|
|
TLS: transport.TLSConfig{
|
|
Insecure: c.Insecure,
|
|
ServerName: c.ServerName,
|
|
CAFile: c.CAFile,
|
|
CAData: c.CAData,
|
|
CertFile: c.CertFile,
|
|
CertData: c.CertData,
|
|
KeyFile: c.KeyFile,
|
|
KeyData: c.KeyData,
|
|
NextProtos: c.NextProtos,
|
|
},
|
|
Username: c.Username,
|
|
Password: c.Password,
|
|
BearerToken: c.BearerToken,
|
|
BearerTokenFile: c.BearerTokenFile,
|
|
Impersonate: transport.ImpersonationConfig{
|
|
UserName: c.Impersonate.UserName,
|
|
UID: c.Impersonate.UID,
|
|
Groups: c.Impersonate.Groups,
|
|
Extra: c.Impersonate.Extra,
|
|
},
|
|
Dial: c.Dial,
|
|
Proxy: c.Proxy,
|
|
}
|
|
|
|
if c.ExecProvider != nil && c.AuthProvider != nil {
|
|
return nil, errors.New("execProvider and authProvider cannot be used in combination")
|
|
}
|
|
|
|
if c.ExecProvider != nil {
|
|
var cluster *clientauthentication.Cluster
|
|
if c.ExecProvider.ProvideClusterInfo {
|
|
var err error
|
|
cluster, err = ConfigToExecCluster(c)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
provider, err := exec.GetAuthenticator(c.ExecProvider, cluster)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := provider.UpdateTransportConfig(conf); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
if c.AuthProvider != nil {
|
|
provider, err := GetAuthProvider(c.Host, c.AuthProvider, c.AuthConfigPersister)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
conf.Wrap(provider.WrapTransport)
|
|
}
|
|
return conf, nil
|
|
}
|
|
|
|
// Wrap adds a transport middleware function that will give the caller
|
|
// an opportunity to wrap the underlying http.RoundTripper prior to the
|
|
// first API call being made. The provided function is invoked after any
|
|
// existing transport wrappers are invoked.
|
|
func (c *Config) Wrap(fn transport.WrapperFunc) {
|
|
c.WrapTransport = transport.Wrappers(c.WrapTransport, fn)
|
|
}
|