bouncer/internal/integration/kubernetes/integration.go
William Petit 7de166765b
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
feat(k8s): use secret as shared source for admin private key
2024-03-28 15:53:40 +01:00

294 lines
7.1 KiB
Go

package kubernetes
import (
"context"
"encoding/json"
"os"
"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
"forge.cadoles.com/cadoles/bouncer/internal/integration"
"forge.cadoles.com/cadoles/bouncer/internal/jwk"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/logger"
v1 "k8s.io/api/core/v1"
k8serr "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)
const (
namespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
writerTokenSubject = "bouncer-admin-kubernetes-writer"
readerTokenSubject = "bouncer-admin-kubernetes-reader"
)
type Integration struct {
Options *Options
}
// OnKeyLoad implements integration.OnKeyLoad.
func (i *Integration) OnKeyLoad(ctx context.Context) (jwk.Key, error) {
locker := i.Options.Locker
timeout := i.Options.LockTimeout
var key jwk.Key
err := locker.WithLock(ctx, "bouncer-kubernetes-onkeyload", timeout, func(ctx context.Context) error {
client, err := i.getClient()
if err != nil {
return errors.WithStack(err)
}
if i.Options.PrivateKeySecret != "" {
sharedPrivateKey, err := i.getSharedPrivateKey(ctx, client, i.Options.PrivateKeySecretNamespace, i.Options.PrivateKeySecret)
if err != nil {
return errors.WithStack(err)
}
if sharedPrivateKey != nil {
key = sharedPrivateKey
}
}
return nil
})
if err != nil {
return nil, errors.WithStack(err)
}
return key, nil
}
// Integration implements integration.OnStartup.
func (i *Integration) Integration() {}
// OnStartup implements integration.OnStartup.
func (i *Integration) OnStartup(ctx context.Context) error {
locker := i.Options.Locker
timeout := i.Options.LockTimeout
err := locker.WithLock(ctx, "bouncer-kubernetes-onstartup", timeout, func(ctx context.Context) error {
client, err := i.getClient()
if err != nil {
return errors.WithStack(err)
}
if i.Options.WriterTokenSecret != "" {
if err := i.upsertTokenSecret(ctx, client, i.Options.WriterTokenSecretNamespace, i.Options.WriterTokenSecret, writerTokenSubject, jwt.RoleWriter); err != nil {
return errors.Wrap(err, "could not upsert writer token secret")
}
}
if i.Options.ReaderTokenSecret != "" {
if err := i.upsertTokenSecret(ctx, client, i.Options.ReaderTokenSecretNamespace, i.Options.ReaderTokenSecret, readerTokenSubject, jwt.RoleReader); err != nil {
return errors.Wrap(err, "could not upsert reader token secret")
}
}
return nil
})
if err != nil {
return errors.WithStack(err)
}
return nil
}
func (i *Integration) getClient() (*kubernetes.Clientset, error) {
config, err := rest.InClusterConfig()
if err != nil {
return nil, errors.WithStack(err)
}
client, err := kubernetes.NewForConfig(config)
if err != nil {
return nil, errors.WithStack(err)
}
return client, nil
}
const (
annotationPublicKey = "bouncer.cadoles.com/public-key"
)
func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.Clientset, namespace string, name string, subject string, role jwt.Role) error {
if namespace == "" {
defaultNamespace, err := i.getCurrentNamespace()
if err != nil {
return errors.WithStack(err)
}
namespace = defaultNamespace
}
ctx = logger.With(ctx,
logger.F("secretNamespace", namespace),
logger.F("secretName", name),
logger.F("tokenRole", role),
logger.F("tokenSubject", subject),
)
logger.Debug(ctx, "generating new token")
alreadyExists := true
secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil {
if k8serr.IsNotFound(err) {
alreadyExists = false
} else {
return errors.WithStack(err)
}
}
privateKey, err := integration.CtxPrivateKey(ctx)
if err != nil {
return errors.WithStack(err)
}
keySet, err := integration.CtxPublicKeySet(ctx)
if err != nil {
return errors.WithStack(err)
}
publicKeyThumbprint, err := getKeySetThumbprint(keySet)
if err != nil {
return errors.WithStack(err)
}
if !alreadyExists {
token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
if err != nil {
return errors.WithStack(err)
}
secret := &v1.Secret{
Type: v1.SecretTypeOpaque,
ObjectMeta: metav1.ObjectMeta{
Name: name,
Annotations: map[string]string{
annotationPublicKey: publicKeyThumbprint,
},
},
StringData: map[string]string{
"token": token,
},
}
logger.Info(ctx, "creating token secret")
if _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
return errors.WithStack(err)
}
} else {
existingPublicKeyHash, exists := secret.Annotations[annotationPublicKey]
if !exists || publicKeyThumbprint != existingPublicKeyHash {
token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
if err != nil {
return errors.WithStack(err)
}
secret.StringData = map[string]string{
"token": token,
}
if secret.Annotations == nil {
secret.Annotations = make(map[string]string)
}
secret.Annotations[annotationPublicKey] = publicKeyThumbprint
logger.Info(ctx, "updating token secret")
if _, err := client.CoreV1().Secrets(namespace).Update(ctx, secret, metav1.UpdateOptions{}); err != nil {
return errors.WithStack(err)
}
} else {
logger.Info(ctx, "key did not changed, doing nothing")
}
}
return nil
}
func (i *Integration) getSharedPrivateKey(ctx context.Context, client *kubernetes.Clientset, namespace string, name string) (jwk.Key, error) {
if namespace == "" {
defaultNamespace, err := i.getCurrentNamespace()
if err != nil {
return nil, errors.WithStack(err)
}
namespace = defaultNamespace
}
ctx = logger.With(ctx,
logger.F("secretNamespace", namespace),
logger.F("secretName", name),
)
logger.Debug(ctx, "searching shared private key from secret")
secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil && !k8serr.IsNotFound(err) {
return nil, errors.WithStack(err)
}
rawPrivateKey, exists := secret.Data["key"]
if exists && len(rawPrivateKey) != 0 {
key, err := jwk.ParseKey(rawPrivateKey)
if err != nil {
return nil, errors.WithStack(err)
}
return key, nil
}
localKey, err := integration.CtxPrivateKey(ctx)
if err != nil {
return nil, errors.WithStack(err)
}
rawLocalKey, err := json.Marshal(localKey)
if err != nil {
return nil, errors.WithStack(err)
}
secret = &v1.Secret{
Type: v1.SecretTypeOpaque,
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Data: map[string][]byte{
"key": rawLocalKey,
},
}
if _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
return nil, errors.WithStack(err)
}
return localKey, nil
}
func (i *Integration) getCurrentNamespace() (string, error) {
namespace, err := os.ReadFile(namespaceFile)
if err != nil {
return "", errors.Wrap(err, "could not retrieve current namespace")
}
return string(namespace), nil
}
func NewIntegration(funcs ...OptionFunc) *Integration {
opts := NewOptions(funcs...)
return &Integration{
Options: opts,
}
}
var (
_ integration.OnStartup = &Integration{}
_ integration.OnKeyLoad = &Integration{}
)