Handle cert injection properly for authn-k8s (#1789)
* Inject cert using bash script

  There is [an issue](kubernetes/kubernetes#89899) in k8s where messages that are sent via WebSockets to Kubectl Exec are left hanging without returning a response when using STDIN. However, if we inject the cert by running a bash script that exits explicitly then we don't have the hanging issue, and the K8s API will close the socket upon cert injection success/failure.

* Make exec command timeout configurable

  We now enable configuration of the exec command timeout. This can be done by setting the `KUBECTL_EXEC_COMMAND_TIMEOUT` env var.

* Return 202 instead of 200 for inject_client_cert requests

  The "inject_client_cert" request now returns 202 Accepted instead of 200 OK to indicate that the cert injection has started but not necessarily completed.

* Print cert injection logs upon error

  The "inject_client_cert" request now writes the injection logs to the client container. We can print them when we have an error to help troubleshooting.

* Verify "inject_client_cert" responds with 202

  We should verify that the response code of the request is 202 Accepted in successful cases.

* Extract file copy logic to new command class

  This logic was inside kubectl_exec.rb which had a lot going on already. This commit will enhance this logic's readability.

* Refactor kubectl_client to kube_client

  The latter better tells its purpose as it is a k8s client and not a Kubectl client.

* Remove redundant -r flag

* Add description and fix indentation

* Refactor SetFileContentInContainer to CopyTextToFileInContainer

* Add UTs for CopyTextToFileInContainer class

* Implement some PR requests
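The script-over-stdin approach described in the commit message, shown as an added example that is not the project's code: a hypothetical `copy_text_script` builds the same tmp-file, chmod, mv, cleanup-trap and explicit-exit script, but quotes the heredoc delimiter and shell-escapes `path` and `mode`, and `inject_locally` runs it through `sh` on stdin (locally, in place of kubectl exec) to check that content containing `$HOME` and backticks lands on disk byte-for-byte, with the right mode and no leftover tmp file.

```ruby
require 'shellwords'
require 'open3'
require 'tmpdir'
require 'securerandom'

# Builds the POSIX sh script (tmp file -> chmod -> mv, cleanup trap, explicit
# exit) that the commit describes, with two hardenings: a quoted heredoc
# delimiter so `$`/backticks in the content are never expanded, and
# shell-escaped path/mode. Hypothetical helper, not the project's class.
def copy_text_script(path:, content:, mode:, log_file:)
  tmp = Shellwords.escape("#{path}.tmp")
  dst = Shellwords.escape(path)
  term = "EOF_#{SecureRandom.hex(8)}" # terminator that cannot appear in PEM text
  raise ArgumentError, 'content contains heredoc terminator' if content.include?(term)

  [
    '#!/bin/sh',
    'set -e',
    "cleanup() { rm -f #{tmp}; }",
    'trap cleanup EXIT',
    'set_file_content() {',
    "cat > #{tmp} <<'#{term}'", # quoted delimiter: heredoc body is literal
    content.chomp,
    term,                        # must start at column 0
    "chmod #{Shellwords.escape(mode)} #{tmp}",
    "mv #{tmp} #{dst}",          # client sees the file only once it is complete
    '}',
    "set_file_content > \"#{log_file}\" 2>&1",
    'exit 0',                    # explicit exit so the exec WebSocket is closed
    ''
  ].join("\n")
end

# Runs the script locally with `sh` reading it from stdin (in the pod it goes
# through kubectl exec with stdin: true) and reports what ended up on disk.
def inject_locally(content:, mode: '0600')
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'client.pem')
    script = copy_text_script(path: path, content: content, mode: mode,
                              log_file: File.join(dir, 'inject.log'))
    _out, status = Open3.capture2('sh', stdin_data: script)
    { status: status.exitstatus,
      written: File.exist?(path) ? File.read(path) : nil,
      mode: File.exist?(path) ? File.stat(path).mode & 0o777 : nil,
      tmp_left: File.exist?("#{path}.tmp") }
  end
end

# Constructed sample: a fake PEM body that also carries shell metacharacters.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfake$HOME`uname`\n-----END CERTIFICATE-----"
```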
Showing 13 changed files with 287 additions and 110 deletions.
app/domain/authentication/authn_k8s/copy_text_to_file_in_container.rb (71 additions & 0 deletions)
@@ -0,0 +1,71 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'command_class' | ||
|
||
# SetFileContentInContainer is used to set some text into a file inside a container | ||
module Authentication | ||
module AuthnK8s | ||
|
||
CopyTextToFileInContainer ||= CommandClass.new( | ||
dependencies: { | ||
kubectl_exec: KubectlExec.new, | ||
k8s_object_lookup: K8sObjectLookup, | ||
logger: Rails.logger | ||
}, | ||
inputs: %i(webservice pod_namespace pod_name container path content mode) | ||
) do | ||
|
||
LOG_FILE = "${TMPDIR:-/tmp}/conjur_set_file_content.log" | ||
|
||
def call | ||
copy_text_to_file_in_container | ||
end | ||
|
||
private | ||
|
||
def copy_text_to_file_in_container | ||
@kubectl_exec.call( | ||
k8s_object_lookup: @k8s_object_lookup.new(@webservice), | ||
pod_namespace: @pod_namespace, | ||
pod_name: @pod_name, | ||
container: @container, | ||
cmds: %w(sh), | ||
body: set_file_content_script(@path, @content, @mode), | ||
stdin: true | ||
) | ||
end | ||
|
||
# Sets the content of a file in a given path to the given content | ||
# We first copy the content into a temporary file and only then move it to | ||
# the desired path as the client polls on its existence and we want it to | ||
# exist only when the whole content is present. | ||
# | ||
# We redirect the output to a log file on the authn-client container | ||
# that will be written in its logs for supportability. | ||
def set_file_content_script(path, content, mode) | ||
tmp_cert = "#{path}.tmp" | ||
|
||
" | ||
#!/bin/sh | ||
set -e | ||
cleanup() { | ||
rm -f \"#{tmp_cert}\" | ||
} | ||
trap cleanup EXIT | ||
set_file_content() { | ||
cat > \"#{tmp_cert}\" <<EOF | ||
#{content} | ||
EOF | ||
chmod \"#{mode}\" \"#{tmp_cert}\" | ||
mv \"#{tmp_cert}\" \"#{path}\" | ||
} | ||
set_file_content > \"#{LOG_FILE}\" 2>&1 | ||
" | ||
end | ||
end | ||
end | ||
end |
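Review bot: the heredoc in `set_file_content_script` is unquoted (`cat > \"#{tmp_cert}\" <<EOF`), so the shell applies parameter expansion and command substitution to `#{content}` before writing it; PEM text contains no `$` or backticks today, but quoting the delimiter (`<<'EOF'`) makes the body literal at no cost and removes that assumption. Likewise `#{path}` and `#{mode}` are interpolated straight into shell double quotes rather than passed through `Shellwords.escape`, so a value containing `"` or `$` would alter the script. Minor: the header comment still says `SetFileContentInContainer` although the class is now `CopyTextToFileInContainer`, and the `#!/bin/sh` line is inert because the script is fed to `sh` on stdin.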