package authorization
import (
"encoding/pem"
"errors"
"fmt"
"strings"
k8sclient "k8s.io/client-go/kubernetes"
"code.cloudfoundry.org/korifi/api/apierrors"
"k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
"sigs.k8s.io/controller-runtime/pkg/client"
)
// UserK8sClientFactory builds Kubernetes clients that act with the
// credentials carried in an authorization Info — i.e. as the calling user —
// rather than with whatever credentials the process itself holds.
type UserK8sClientFactory interface {
	// BuildClient returns a controller-runtime client (with watch support)
	// authenticated as the user described by the Info.
	BuildClient(Info) (client.WithWatch, error)
	// BuildK8sClient returns a typed client-go clientset authenticated as
	// the user described by info.
	BuildK8sClient(info Info) (k8sclient.Interface, error)
}
// UnprivilegedClientFactory is a UserK8sClientFactory whose base REST config
// carries no credentials of its own (see NewUnprivilegedClientFactory), so
// every client it builds can only present the identity taken from the
// caller's Info.
type UnprivilegedClientFactory struct {
	// config is the credential-less base config that is copied per request.
	config *rest.Config
	// mapper is handed to controller-runtime clients for REST mapping.
	mapper meta.RESTMapper
	// backoff is forwarded to NewAuthRetryingClient in BuildClient.
	backoff wait.Backoff
}
// NewUnprivilegedClientFactory returns a factory whose base config is a copy
// of config that has been stripped of credentials by
// rest.AnonymousClientConfig. That way the only identity a built client can
// present is the one taken from the Info passed to BuildClient /
// BuildK8sClient. mapper and backoff are stored unchanged.
func NewUnprivilegedClientFactory(config *rest.Config, mapper meta.RESTMapper, backoff wait.Backoff) UnprivilegedClientFactory {
	// Copy first so the caller's config is left untouched, then strip the
	// credentials from the copy.
	base := rest.CopyConfig(config)
	anonymous := rest.AnonymousClientConfig(base)

	factory := UnprivilegedClientFactory{}
	factory.config = anonymous
	factory.mapper = mapper
	factory.backoff = backoff
	return factory
}
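// restConfigFor returns a per-request copy of the factory's credential-less
// base config carrying only the credentials found in authInfo. It is the
// single place that maps an Authorization header scheme onto client-go
// credentials, so BuildClient and BuildK8sClient cannot drift apart.
//
// An unsupported scheme and undecodable PEM data are both reported as a
// NotAuthenticated API error: they are defects in the client-supplied
// credentials, not server faults. f.config is never mutated.
func (f UnprivilegedClientFactory) restConfigFor(authInfo Info) (*rest.Config, error) {
	// Copy so per-request credentials never leak into the shared base config.
	config := rest.CopyConfig(f.config)

	switch strings.ToLower(authInfo.Scheme()) {
	case BearerScheme:
		config.BearerToken = authInfo.Token
	case CertScheme:
		// CertData is expected to hold two concatenated PEM blocks: the
		// client certificate first, then its private key.
		certBlock, remainder := pem.Decode(authInfo.CertData)
		if certBlock == nil {
			return nil, apierrors.NewNotAuthenticatedError(fmt.Errorf("failed to decode cert PEM"))
		}
		// Any PEM blocks after the key are deliberately ignored.
		keyBlock, _ := pem.Decode(remainder)
		if keyBlock == nil {
			return nil, apierrors.NewNotAuthenticatedError(fmt.Errorf("failed to decode key PEM"))
		}
		// NOTE(review): the block types (CERTIFICATE / ... PRIVATE KEY) are
		// not validated here; a mis-ordered payload is only rejected later by
		// the TLS handshake. Re-encoding the blocks drops any non-PEM bytes
		// that surrounded them in the original payload.
		config.CertData = pem.EncodeToMemory(certBlock)
		config.KeyData = pem.EncodeToMemory(keyBlock)
	default:
		return nil, apierrors.NewNotAuthenticatedError(errors.New("unsupported Authorization header scheme"))
	}

	return config, nil
}

// BuildClient builds a controller-runtime client (with watch support) that
// acts with the caller's own credentials from authInfo. The client is wrapped
// by NewAuthRetryingClient with f.backoff (presumably to retry auth-related
// failures; see that type for the exact policy).
//
// Returns a NotAuthenticated API error for unusable credentials and a
// translated K8s API error if the client cannot be constructed.
func (f UnprivilegedClientFactory) BuildClient(authInfo Info) (client.WithWatch, error) {
	config, err := f.restConfigFor(authInfo)
	if err != nil {
		return nil, err
	}

	userClient, err := client.NewWithWatch(config, client.Options{
		Scheme: scheme.Scheme,
		Mapper: f.mapper,
	})
	if err != nil {
		return nil, apierrors.FromK8sError(err, "")
	}

	return NewAuthRetryingClient(userClient, f.backoff), nil
}

// BuildK8sClient builds a typed client-go clientset that acts with the
// caller's own credentials from authInfo. Unlike BuildClient, the result is
// returned without a retry wrapper.
//
// Returns a NotAuthenticated API error for unusable credentials and a
// translated K8s API error if the clientset cannot be constructed.
func (f UnprivilegedClientFactory) BuildK8sClient(authInfo Info) (k8sclient.Interface, error) {
	config, err := f.restConfigFor(authInfo)
	if err != nil {
		return nil, err
	}

	userK8sClient, err := k8sclient.NewForConfig(config)
	if err != nil {
		return nil, apierrors.FromK8sError(err, "")
	}

	return userK8sClient, nil
}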