Fix installer issues

kubeguard · Mar 21, 2018 · 30f0c3b · 30f0c3b
1 parent 5071149
commit 30f0c3b
Show file tree

Hide file tree

Showing 66 changed files with 2,431 additions and 3,059 deletions.
diff --git a/appscode/appscode.go → auth/providers/appscode/appscode.go b/appscode/appscode.go → auth/providers/appscode/appscode.go
@@ -11,15 +11,20 @@ import (
 	"appscode.com/api/dtypes"
 	"appscode.com/client-go"
 	_env "github.com/appscode/go/env"
+	"github.com/appscode/guard/auth"
 	"github.com/json-iterator/go"
 	"github.com/pkg/errors"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 const (
 	OrgType = "appscode"
 )
 
+func init() {
+	auth.SupportedOrgs = append(auth.SupportedOrgs, OrgType)
+}
+
 var json = jsoniter.ConfigCompatibleWithStandardLibrary
 
 type WhoAmIResponse struct {
@@ -46,7 +51,7 @@ type ConduitClient struct {
 	Token string
 }
 
-func Check(name, token string) (*auth.UserInfo, error) {
+func Check(name, token string) (*authv1.UserInfo, error) {
 	ctx := context.Background()
 	options := client.NewOption(_env.ProdApiServer)
 	options.UserAgent("appscode/guard")
@@ -73,7 +78,7 @@ func Check(name, token string) (*auth.UserInfo, error) {
 		return nil, errors.Wrapf(err, "failed to load user's teams for Org %s", name)
 	}
 
-	resp := &auth.UserInfo{
+	resp := &authv1.UserInfo{
 		Username: user.User.UserName,
 		UID:      user.User.Phid,
 	}

diff --git a/appscode/kubectl.go → auth/providers/appscode/kubectl.go b/appscode/kubectl.go → auth/providers/appscode/kubectl.go
diff --git a/azure/azure.go → auth/providers/azure/azure.go b/azure/azure.go → auth/providers/azure/azure.go
@@ -4,10 +4,11 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/appscode/guard/azure/graph"
+	"github.com/appscode/guard/auth"
+	"github.com/appscode/guard/auth/providers/azure/graph"
 	"github.com/coreos/go-oidc"
 	"github.com/pkg/errors"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 /*
@@ -27,6 +28,10 @@ const (
 	azureUsernameClaim = "upn"
 )
 
+func init() {
+	auth.SupportedOrgs = append(auth.SupportedOrgs, OrgType)
+}
+
 var (
 	// ErrorClaimNotFound indicates the given key was not found in the claims
 	ErrorClaimNotFound = fmt.Errorf("claim not found")
@@ -64,7 +69,7 @@ func New(opts Options) (*Authenticator, error) {
 	return c, nil
 }
 
-func (s Authenticator) Check(token string) (*auth.UserInfo, error) {
+func (s Authenticator) Check(token string) (*authv1.UserInfo, error) {
 	idToken, err := s.verifier.Verify(s.ctx, token)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to verify token for azure")
@@ -98,8 +103,8 @@ func getClaims(token *oidc.IDToken) (claims, error) {
 
 // ReviewFromClaims creates a new TokenReview object from the claims object
 // the claims object
-func (c claims) getUserInfo(usernameClaim string) (*auth.UserInfo, error) {
-	var resp = &auth.UserInfo{}
+func (c claims) getUserInfo(usernameClaim string) (*authv1.UserInfo, error) {
+	var resp = &authv1.UserInfo{}
 
 	username, err := c.String(usernameClaim)
 	if err != nil {

diff --git a/azure/azure_test.go → auth/providers/azure/azure_test.go b/azure/azure_test.go → auth/providers/azure/azure_test.go
@@ -11,13 +11,13 @@ import (
 	"strconv"
 	"testing"
 
-	"github.com/appscode/guard/azure/graph"
+	"github.com/appscode/guard/auth/providers/azure/graph"
 	"github.com/appscode/pat"
 	"github.com/coreos/go-oidc"
 	"github.com/json-iterator/go"
 	"github.com/stretchr/testify/assert"
 	"gopkg.in/square/go-jose.v2"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -193,7 +193,7 @@ func getGroupsAndIds(t *testing.T, groupSz int) ([]byte, []byte) {
 	return gId, gList
 }
 
-func assertUserInfo(t *testing.T, info *auth.UserInfo, groupSize int) {
+func assertUserInfo(t *testing.T, info *authv1.UserInfo, groupSize int) {
 	if info.Username != username {
 		t.Errorf("expected username %v, got %v", username, info.Username)
 	}
@@ -326,7 +326,7 @@ var testClaims = claims{
 func TestReviewFromClaims(t *testing.T) {
 	// valid user claim
 	t.Run("valid user claim", func(t *testing.T) {
-		var validUserInfo = &auth.UserInfo{
+		var validUserInfo = &authv1.UserInfo{
 			Username: username,
 		}
 

diff --git a/azure/graph/graph.go → auth/providers/azure/graph/graph.go b/azure/graph/graph.go → auth/providers/azure/graph/graph.go
diff --git a/azure/graph/graph_test.go → auth/providers/azure/graph/graph_test.go b/azure/graph/graph_test.go → auth/providers/azure/graph/graph_test.go
diff --git a/azure/graph/types.go → auth/providers/azure/graph/types.go b/azure/graph/types.go → auth/providers/azure/graph/types.go
diff --git a/auth/providers/azure/options.go b/auth/providers/azure/options.go
@@ -0,0 +1,101 @@
+package azure
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/appscode/go/types"
+	"github.com/spf13/pflag"
+	"k8s.io/api/apps/v1beta1"
+	core "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+type Options struct {
+	ClientID     string
+	ClientSecret string
+	TenantID     string
+}
+
+func NewOptions() Options {
+	return Options{
+		ClientSecret: os.Getenv("AZURE_CLIENT_SECRET"),
+	}
+}
+
+func (o *Options) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&o.ClientID, "azure.client-id", o.ClientID, "MS Graph application client ID to use")
+	fs.StringVar(&o.ClientSecret, "azure.client-secret", o.ClientSecret, "MS Graph application client secret to use")
+	fs.StringVar(&o.TenantID, "azure.tenant-id", o.TenantID, "MS Graph application tenant id to use")
+}
+
+func (o *Options) Validate() []error {
+	return nil
+}
+
+func (o Options) IsSet() bool {
+	return o.ClientID != "" || o.ClientSecret != "" || o.TenantID != ""
+}
+
+func (o Options) Apply(d *v1beta1.Deployment) (extraObjs []runtime.Object, err error) {
+	if !o.IsSet() {
+		return nil, nil // nothing to apply
+	}
+
+	container := d.Spec.Template.Spec.Containers[0]
+
+	// create auth secret
+	authSecret := &core.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "guard-azure-auth",
+			Namespace: d.Namespace,
+			Labels:    d.Labels,
+		},
+		Data: map[string][]byte{
+			"client-secret": []byte(o.ClientSecret),
+		},
+	}
+	extraObjs = append(extraObjs, authSecret)
+
+	// mount auth secret into deployment
+	volMount := core.VolumeMount{
+		Name:      authSecret.Name,
+		MountPath: "/etc/guard/auth/azure",
+	}
+	container.VolumeMounts = append(container.VolumeMounts, volMount)
+
+	vol := core.Volume{
+		Name: authSecret.Name,
+		VolumeSource: core.VolumeSource{
+			Secret: &core.SecretVolumeSource{
+				SecretName:  authSecret.Name,
+				DefaultMode: types.Int32P(0555),
+			},
+		},
+	}
+	d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, vol)
+
+	// use auth secret in container[0] args
+	container.Env = append(container.Env, core.EnvVar{
+		Name: "AZURE_CLIENT_SECRET",
+		ValueFrom: &core.EnvVarSource{
+			SecretKeyRef: &core.SecretKeySelector{
+				LocalObjectReference: core.LocalObjectReference{
+					Name: authSecret.Name,
+				},
+				Key: "client-secret",
+			},
+		},
+	})
+
+	args := container.Args
+	if o.ClientID != "" {
+		args = append(args, fmt.Sprintf("--azure.client-id=%s", o.ClientID))
+	}
+	if o.TenantID != "" {
+		args = append(args, fmt.Sprintf("--azure.tenant-id=%s", o.TenantID))
+	}
+
+	return extraObjs, nil
+}
diff --git a/github/github.go → auth/providers/github/github.go b/github/github.go → auth/providers/github/github.go
@@ -4,16 +4,21 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/appscode/guard/auth"
 	"github.com/google/go-github/github"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 const (
 	OrgType = "github"
 )
 
+func init() {
+	auth.SupportedOrgs = append(auth.SupportedOrgs, OrgType)
+}
+
 type Authenticator struct {
 	Client  *github.Client
 	ctx     context.Context
@@ -32,13 +37,13 @@ func New(name, token string) *Authenticator {
 	return g
 }
 
-func (g *Authenticator) Check() (*auth.UserInfo, error) {
+func (g *Authenticator) Check() (*authv1.UserInfo, error) {
 	mem, _, err := g.Client.Organizations.GetOrgMembership(g.ctx, "", g.OrgName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to check user's membership in Org %s", g.OrgName)
 	}
 
-	resp := &auth.UserInfo{
+	resp := &authv1.UserInfo{
 		Username: mem.User.GetLogin(),
 		UID:      fmt.Sprintf("%d", mem.User.GetID()),
 	}

diff --git a/github/github_test.go → auth/providers/github/github_test.go b/github/github_test.go → auth/providers/github/github_test.go
diff --git a/github/kubectl.go → auth/providers/github/kubectl.go b/github/kubectl.go → auth/providers/github/kubectl.go
diff --git a/gitlab/gitlab.go → auth/providers/gitlab/gitlab.go b/gitlab/gitlab.go → auth/providers/gitlab/gitlab.go
@@ -3,15 +3,20 @@ package gitlab
 import (
 	"strconv"
 
+	"github.com/appscode/guard/auth"
 	"github.com/pkg/errors"
 	"github.com/xanzy/go-gitlab"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 const (
 	OrgType = "gitlab"
 )
 
+func init() {
+	auth.SupportedOrgs = append(auth.SupportedOrgs, OrgType)
+}
+
 type Authenticator struct {
 	Client *gitlab.Client
 }
@@ -22,13 +27,13 @@ func New(token string) *Authenticator {
 	}
 }
 
-func (g *Authenticator) Check() (*auth.UserInfo, error) {
+func (g *Authenticator) Check() (*authv1.UserInfo, error) {
 	user, _, err := g.Client.Users.CurrentUser()
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 
-	resp := &auth.UserInfo{
+	resp := &authv1.UserInfo{
 		Username: user.Username,
 		UID:      strconv.Itoa(user.ID),
 	}

diff --git a/gitlab/gitlab_test.go → auth/providers/gitlab/gitlab_test.go b/gitlab/gitlab_test.go → auth/providers/gitlab/gitlab_test.go
diff --git a/gitlab/kubectl.go → auth/providers/gitlab/kubectl.go b/gitlab/kubectl.go → auth/providers/gitlab/kubectl.go
diff --git a/google/google.go → auth/providers/google/google.go b/google/google.go → auth/providers/google/google.go
@@ -4,12 +4,13 @@ import (
 	"context"
 	"io/ioutil"
 
+	"github.com/appscode/guard/auth"
 	"github.com/coreos/go-oidc"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/google"
 	gdir "google.golang.org/api/admin/directory/v1"
 	gauth "google.golang.org/api/oauth2/v1"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 const (
@@ -21,6 +22,10 @@ const (
 	GoogleOauth2ClientSecret = "pB9ITCuMPLj-bkObrTqKbt57"
 )
 
+func init() {
+	auth.SupportedOrgs = append(auth.SupportedOrgs, OrgType)
+}
+
 type Authenticator struct {
 	Options
 	verifier *oidc.IDTokenVerifier
@@ -74,7 +79,7 @@ func New(opts Options, domain string) (*Authenticator, error) {
 }
 
 // https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken
-func (g *Authenticator) Check(name, token string) (*auth.UserInfo, error) {
+func (g *Authenticator) Check(name, token string) (*authv1.UserInfo, error) {
 	idToken, err := g.verifier.Verify(g.ctx, token)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to verify token for google")
@@ -91,7 +96,7 @@ func (g *Authenticator) Check(name, token string) (*auth.UserInfo, error) {
 		return nil, errors.Errorf("user is not a member of domain %s", name)
 	}
 
-	resp := &auth.UserInfo{
+	resp := &authv1.UserInfo{
 		Username: info.Email,
 		UID:      info.UserId,
 	}

diff --git a/google/google_test.go → auth/providers/google/google_test.go b/google/google_test.go → auth/providers/google/google_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	gdir "google.golang.org/api/admin/directory/v1"
 	"gopkg.in/square/go-jose.v2"
-	auth "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -248,7 +248,7 @@ func assertGroups(t *testing.T, groupNames []string, expectedSize int) {
 	}
 }
 
-func assertUserInfo(t *testing.T, info *auth.UserInfo, groupSize int) {
+func assertUserInfo(t *testing.T, info *authv1.UserInfo, groupSize int) {
 	if info.Username != userEmail {
 		t.Errorf("expected username %v, got %v", userEmail, info.Username)
 	}

diff --git a/google/kubectl.go → auth/providers/google/kubectl.go b/google/kubectl.go → auth/providers/google/kubectl.go