[apiserver] fix audit log identity headers and add version user-agent

Refactor extra headers from []string to map[string]string so the k8s
header authenticator correctly maps X-Remote-Extra-<Key>: <Value>
pairs into user.extra fields in audit events. The old implementation
set a single X-Remote-Extra- header with comma-joined values, which
produced an empty-string key.

Add APIServerUserAgent() and set UserAgent on rest.Config so internal
controller traffic identifies as apoxy-apiserver/<version> instead of
the default apiserver/v0.0.0 kubernetes/$Format.

Author: dilyevsky

build/build.go

@@ -25,10 +25,15 @@ func Version() string {
 	return fmt.Sprintf("%s (%s), built %s", BuildVersion, CommitHash, BuildDate)
 }
 
-// UserAgent returns the user agent string.
+// UserAgent returns the user agent string for the CLI.
 func UserAgent() string {
 	if BuildVersion == "dev" {
 		return fmt.Sprintf("apoxy-cli/%s", BuildVersion)
 	}
 	return fmt.Sprintf("apoxy-cli/v%s-%s (%s)", BuildVersion, CommitHash, BuildDate)
 }
+
+// APIServerUserAgent returns the user agent string for the apiserver.
+func APIServerUserAgent() string {
+	return fmt.Sprintf("apoxy-apiserver/%s", BuildVersion)
+}

pkg/apiserver/auth/headers.go

@@ -35,11 +35,11 @@ type headerRoundTripper struct {
 	roundTripper http.RoundTripper
 	userHeader   string
 	groupHeaders []string
-	extraHeaders []string
+	extraHeaders map[string]string
 }
 
 // NewHeaderRoundTripper returns a new round tripper that adds the given headers to the request.
-func NewHeaderRoundTripper(rt http.RoundTripper, userHeader string, groupHeaders, extraHeaders []string) *headerRoundTripper {
+func NewHeaderRoundTripper(rt http.RoundTripper, userHeader string, groupHeaders []string, extraHeaders map[string]string) *headerRoundTripper {
 	return &headerRoundTripper{
 		roundTripper: rt,
 		userHeader:   userHeader,
@@ -54,14 +54,14 @@ func (rt *headerRoundTripper) RoundTrip(req *http.Request) (*http.Response, erro
 	for _, groupHeader := range rt.groupHeaders {
 		req.Header.Add(GroupHeaderKey, groupHeader)
 	}
-	for _, extraHeader := range rt.extraHeaders {
-		req.Header.Add(ExtraHeaderKey, extraHeader)
+	for k, v := range rt.extraHeaders {
+		req.Header.Set(ExtraHeaderKey+k, v)
 	}
 	return rt.roundTripper.RoundTrip(req)
 }
 
 // NewTransportWrapperFunc returns a new transport.WrapperFunc that adds the given headers to the request.
-func NewTransportWrapperFunc(userHeader string, groupHeaders, extraHeaders []string) func(rt http.RoundTripper) http.RoundTripper {
+func NewTransportWrapperFunc(userHeader string, groupHeaders []string, extraHeaders map[string]string) func(rt http.RoundTripper) http.RoundTripper {
 	return func(rt http.RoundTripper) http.RoundTripper {
 		return NewHeaderRoundTripper(rt, userHeader, groupHeaders, extraHeaders)
 	}

pkg/apiserver/client.go

@@ -5,6 +5,8 @@ import (
 
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
+
+	"github.com/apoxy-dev/apoxy/build"
 )
 
 // ClientOption is a set of options for the client.
@@ -68,5 +70,6 @@ func NewClientConfig(opts ...ClientOption) *rest.Config {
 		TLSClientConfig: sOpts.tlsConfig,
 		BearerToken:     sOpts.bearerToken,
 		WrapTransport:   sOpts.transportWrapFunc,
+		UserAgent:       build.APIServerUserAgent(),
 	}
 }