mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-31 13:50:01 +00:00
138 lines
4.1 KiB
Go
138 lines
4.1 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package app
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/golang/glog"
|
|
|
|
capi "k8s.io/api/certificates/v1beta1"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/apiserver/pkg/util/webhook"
|
|
clientset "k8s.io/client-go/kubernetes"
|
|
"k8s.io/client-go/rest"
|
|
"k8s.io/client-go/tools/record"
|
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
|
_ "k8s.io/kubernetes/pkg/apis/certificates/install"
|
|
"k8s.io/kubernetes/pkg/controller/certificates"
|
|
)
|
|
|
|
var (
|
|
groupVersions = []schema.GroupVersion{capi.SchemeGroupVersion}
|
|
)
|
|
|
|
// GKESigner uses external calls to GKE in order to sign certificate signing
|
|
// requests.
|
|
type GKESigner struct {
|
|
webhook *webhook.GenericWebhook
|
|
kubeConfigFile string
|
|
retryBackoff time.Duration
|
|
recorder record.EventRecorder
|
|
client clientset.Interface
|
|
}
|
|
|
|
// NewGKESigner will create a new instance of a GKESigner.
|
|
func NewGKESigner(kubeConfigFile string, retryBackoff time.Duration, recorder record.EventRecorder, client clientset.Interface) (*GKESigner, error) {
|
|
webhook, err := webhook.NewGenericWebhook(legacyscheme.Registry, legacyscheme.Codecs, kubeConfigFile, groupVersions, retryBackoff)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &GKESigner{
|
|
webhook: webhook,
|
|
kubeConfigFile: kubeConfigFile,
|
|
retryBackoff: retryBackoff,
|
|
recorder: recorder,
|
|
client: client,
|
|
}, nil
|
|
}
|
|
|
|
func (s *GKESigner) handle(csr *capi.CertificateSigningRequest) error {
|
|
if !certificates.IsCertificateRequestApproved(csr) {
|
|
return nil
|
|
}
|
|
csr, err := s.sign(csr)
|
|
if err != nil {
|
|
return fmt.Errorf("error auto signing csr: %v", err)
|
|
}
|
|
_, err = s.client.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(csr)
|
|
if err != nil {
|
|
return fmt.Errorf("error updating signature for csr: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Sign will make an external call to GKE order to sign the given
|
|
// *capi.CertificateSigningRequest, using the GKESigner's
|
|
// kubeConfigFile.
|
|
func (s *GKESigner) sign(csr *capi.CertificateSigningRequest) (*capi.CertificateSigningRequest, error) {
|
|
result := s.webhook.WithExponentialBackoff(func() rest.Result {
|
|
return s.webhook.RestClient.Post().Body(csr).Do()
|
|
})
|
|
|
|
if err := result.Error(); err != nil {
|
|
if bodyErr := s.resultBodyError(result); bodyErr != nil {
|
|
return nil, s.webhookError(csr, bodyErr)
|
|
}
|
|
return nil, s.webhookError(csr, err)
|
|
}
|
|
|
|
var statusCode int
|
|
if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 {
|
|
return nil, s.webhookError(csr, fmt.Errorf("received unsuccessful response code from webhook: %d", statusCode))
|
|
}
|
|
|
|
result_csr := &capi.CertificateSigningRequest{}
|
|
|
|
if err := result.Into(result_csr); err != nil {
|
|
return nil, s.webhookError(result_csr, err)
|
|
}
|
|
|
|
// Keep the original CSR intact, and only update fields we expect to change.
|
|
csr.Status.Certificate = result_csr.Status.Certificate
|
|
return csr, nil
|
|
}
|
|
|
|
func (s *GKESigner) webhookError(csr *capi.CertificateSigningRequest, err error) error {
|
|
glog.V(2).Infof("error contacting webhook backend: %s", err)
|
|
s.recorder.Eventf(csr, "Warning", "SigningError", "error while calling GKE: %v", err)
|
|
return err
|
|
}
|
|
|
|
// signResultError represents the structured response body of a failed call to
|
|
// GKE's SignCertificate API.
|
|
type signResultError struct {
|
|
Error struct {
|
|
Code int
|
|
Message string
|
|
Status string
|
|
}
|
|
}
|
|
|
|
// resultBodyError attempts to extract an error out of a response body.
|
|
func (s *GKESigner) resultBodyError(result rest.Result) error {
|
|
body, _ := result.Raw()
|
|
var sre signResultError
|
|
if err := json.Unmarshal(body, &sre); err == nil {
|
|
return fmt.Errorf("server responded with error: %s", sre.Error.Message)
|
|
}
|
|
return nil
|
|
}
|