// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package remoteclient
import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"os/exec"
	"regexp"

	container "cloud.google.com/go/container/apiv1"
	api "github.com/GoogleContainerTools/kpt/porch/controllers/remoterootsync/api/v1alpha1"
	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
	containerpb "google.golang.org/genproto/googleapis/container/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/client-go/rest"
	"k8s.io/klog/v2"
	"sigs.k8s.io/controller-runtime/pkg/client"
)
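// ccClusterNamePattern extracts the "projects/..." resource name from a
// gkeResourceLink; that name is what the Cluster Manager API expects.
// Compiled once at package scope rather than on every call.
var ccClusterNamePattern = regexp.MustCompile(`projects/.*`)

// GetCCRESTConfig builds a rest.Config for accessing the config controller cluster,
// this is a tmp workaround.
//
// The cluster's API endpoint and CA certificate are looked up through the GKE
// Cluster Manager API using the resource name taken from status.gkeResourceLink,
// so the returned config verifies the server certificate against the cluster CA
// (CAData is set; Insecure is never enabled). The bearer token comes from
// GetGcloudAccessToken.
//
// It returns an error when the gkeResourceLink field is missing or contains no
// "projects/..." name, when the cluster lookup fails or carries no master auth
// data, when the CA certificate is empty or not valid base64, or when no access
// token is available.
func GetCCRESTConfig(ctx context.Context, cluster *unstructured.Unstructured) (*rest.Config, error) {
	gkeResourceLink, exist, err := unstructured.NestedString(cluster.Object, "status", "gkeResourceLink")
	if err != nil {
		return nil, fmt.Errorf("failed to get rest config: %w", err)
	}
	if !exist {
		return nil, fmt.Errorf("failed to find gkeResourceLink field")
	}
	// Validate the name before opening an API client: an empty name would be
	// sent to the API and fail there with a far less useful error.
	clusterName := ccClusterNamePattern.FindString(gkeResourceLink)
	if clusterName == "" {
		return nil, fmt.Errorf("gkeResourceLink %q does not contain a projects/... cluster name", gkeResourceLink)
	}
	klog.Infof("cluster name is %s", clusterName)

	c, err := container.NewClusterManagerClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to create new cluster manager client: %w", err)
	}
	defer c.Close()

	resp, err := c.GetCluster(ctx, &containerpb.GetClusterRequest{Name: clusterName})
	if err != nil {
		return nil, fmt.Errorf("failed to get cluster info: %w", err)
	}
	// MasterAuth is a pointer field of the response message; guard the dereference.
	if resp.MasterAuth == nil {
		return nil, fmt.Errorf("cluster %q has no master auth information", clusterName)
	}
	caData, err := base64.StdEncoding.DecodeString(resp.MasterAuth.ClusterCaCertificate)
	if err != nil {
		return nil, fmt.Errorf("error decoding ca certificate: %w", err)
	}
	// An empty CA would leave the config without the cluster-specific trust
	// anchor it is meant to pin; treat that as an error rather than continuing.
	if len(caData) == 0 {
		return nil, fmt.Errorf("cluster %q has an empty ca certificate", clusterName)
	}

	accessToken, err := GetGcloudAccessToken(ctx)
	if err != nil {
		return nil, err
	}
	// GetGcloudAccessToken may return a nil token without an error (gcloud not
	// found); dereferencing it would panic, and a config without a bearer token
	// would carry no credentials, so fail explicitly.
	if accessToken == nil {
		return nil, fmt.Errorf("no access token available for cluster %q", clusterName)
	}

	restConfig := &rest.Config{
		Host:        "https://" + resp.Endpoint,
		CAData:      caData,
		BearerToken: accessToken.AccessToken,
	}
	klog.Infof("Host endpoint is %s", restConfig.Host)
	return restConfig, nil
}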
// GetRemoteClient resolves the cluster object referenced by ref and returns a
// rest.Config for reaching that cluster. Despite its name it returns a
// *rest.Config, not a client.
//
// ref.Namespace defaults to ns when empty. The referenced object is fetched
// through c and then dispatched on ref.Kind: ContainerCluster objects go through
// GetGKERESTConfig, ConfigControllerInstance objects through GetCCRESTConfig (a
// temporary workaround until ACP exposes the needed fields); any other kind is
// rejected with an error.
func GetRemoteClient(ctx context.Context, c client.Client, ref *api.ClusterRef, ns string) (*rest.Config, error) {
	gv, err := schema.ParseGroupVersion(ref.ApiVersion)
	if err != nil {
		return nil, fmt.Errorf("failed to parse group version when building object: %w", err)
	}

	namespace := ref.Namespace
	if namespace == "" {
		namespace = ns
	}
	key := types.NamespacedName{Namespace: namespace, Name: ref.Name}

	obj := &unstructured.Unstructured{}
	obj.SetGroupVersionKind(gv.WithKind(ref.Kind))
	if err := c.Get(ctx, key, obj); err != nil {
		return nil, fmt.Errorf("failed to get cluster: %w", err)
	}

	switch ref.Kind {
	case "ContainerCluster":
		return GetGKERESTConfig(ctx, obj)
	case "ConfigControllerInstance":
		// TODO: tmp workaround, update after ACP add new fields
		return GetCCRESTConfig(ctx, obj)
	default:
		return nil, fmt.Errorf("failed to find target cluster, cluster kind has to be ContainerCluster or ConfigControllerInstance")
	}
}
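// GetGKERESTConfig builds a rest.Config for accessing the specified cluster,
// without assuming that kubeconfig is correctly configured / mapped.
//
// The CA certificate is read from spec.masterAuth.clusterCaCertificate and the
// API endpoint from status.endpoint of the given ContainerCluster object, so the
// returned config verifies the server certificate against the cluster's own CA
// (CAData is set; Insecure is never enabled). The bearer token comes from
// GetGcloudAccessToken.
//
// It returns an error when either field is missing, when the CA certificate is
// empty or not valid base64, or when no access token is available.
func GetGKERESTConfig(ctx context.Context, cluster *unstructured.Unstructured) (*rest.Config, error) {
	clusterCaCertificate, exist, err := unstructured.NestedString(cluster.Object, "spec", "masterAuth", "clusterCaCertificate")
	if err != nil {
		return nil, fmt.Errorf("failed to get rest config: %w", err)
	}
	if !exist {
		return nil, fmt.Errorf("clusterCaCertificate field does not exist")
	}
	caData, err := base64.StdEncoding.DecodeString(clusterCaCertificate)
	if err != nil {
		return nil, fmt.Errorf("error decoding ca certificate: %w", err)
	}
	// An empty CA would leave the config without the cluster-specific trust
	// anchor it is meant to pin; treat that as an error rather than continuing.
	if len(caData) == 0 {
		return nil, fmt.Errorf("clusterCaCertificate field is empty")
	}

	endpoint, exist, err := unstructured.NestedString(cluster.Object, "status", "endpoint")
	if err != nil {
		return nil, fmt.Errorf("failed to get rest config: %w", err)
	}
	if !exist {
		return nil, fmt.Errorf("endpoint field does not exist")
	}

	accessToken, err := GetGcloudAccessToken(ctx)
	if err != nil {
		return nil, err
	}
	// GetGcloudAccessToken may return a nil token without an error (gcloud not
	// found); dereferencing it would panic, and a config without a bearer token
	// would carry no credentials, so fail explicitly.
	if accessToken == nil {
		return nil, fmt.Errorf("no access token available for endpoint %q", endpoint)
	}

	restConfig := &rest.Config{
		Host:        "https://" + endpoint,
		CAData:      caData,
		BearerToken: accessToken.AccessToken,
	}
	klog.Infof("Host endpoint is %s", restConfig.Host)
	return restConfig, nil
}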
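// HasGcloud reports whether a gcloud executable can be found in PATH.
//
// A missing executable is not an error and yields (false, nil). Any other
// failure from the lookup is returned wrapped.
func HasGcloud() (bool, error) {
	if _, err := exec.LookPath("gcloud"); err != nil {
		// errors.Is sees through the *exec.Error wrapper that LookPath returns
		// (and any further wrapping), unlike a direct type assertion on it.
		if errors.Is(err, exec.ErrNotFound) {
			return false, nil
		}
		return false, fmt.Errorf("error finding gcloud: %w", err)
	}
	return true, nil
}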
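// GetGcloudAccessToken obtains a cloud-platform scoped OAuth2 access token from
// the default Google credentials.
//
// Note: Not all tools support specifying the access token, so
// the user still needs to log in with ADC. e.g. terraform
// https://github.com/hashicorp/terraform/issues/21680
//
// The presence of the gcloud binary is checked only as a precondition; the token
// itself is produced by google.DefaultTokenSource. When gcloud is not in PATH the
// function logs a warning and returns (nil, nil), so callers must check for a nil
// token before dereferencing it.
func GetGcloudAccessToken(ctx context.Context) (*oauth2.Token, error) {
	hasGcloud, err := HasGcloud()
	if err != nil {
		return nil, err
	}
	if !hasGcloud {
		// Report through klog rather than writing to stdout, so the message lands
		// in the controller's logs with the rest of its output.
		klog.Warning("gcloud not found in PATH, cannot use gcloud credentials")
		return nil, nil
	}
	source, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
	if err != nil {
		return nil, fmt.Errorf("unable to get default access-token from gcloud: %w", err)
	}
	token, err := source.Token()
	if err != nil {
		return nil, fmt.Errorf("unable to get token from token source: %w", err)
	}
	// Only AccessToken is copied: expiry and refresh data are not propagated, so
	// a config built from this token is not refreshed automatically once the
	// (typically short-lived) token expires.
	return &oauth2.Token{
		AccessToken: token.AccessToken,
	}, nil
}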