// Copyright Jetstack Ltd. See LICENSE for details.
package app
import (
"strconv"
"github.com/spf13/cobra"
"k8s.io/apiserver/pkg/server"
"k8s.io/client-go/rest"
"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
"github.com/jetstack/kube-oidc-proxy/pkg/probe"
"github.com/jetstack/kube-oidc-proxy/pkg/proxy"
"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
"github.com/jetstack/kube-oidc-proxy/pkg/util"
)
// NewRunCommand returns the proxy's root cobra command.
//
// A fresh options.Options is created, the run command is built around it
// and stopCh, and the option flags are then registered on that command.
// stopCh is forwarded to the command's RunE, which blocks until it is
// closed.
func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
	o := options.New()
	c := buildRunCommand(stopCh, o)
	o.AddFlags(c)
	return c
}
// buildRunCommand wires opts and stopCh into the cobra command that runs the
// proxy.
//
// The command's RunE validates opts, resolves the Kubernetes client
// configuration (client flags if any were set on the command, otherwise the
// in-cluster config), builds a token reviewer only when token passthrough is
// enabled, constructs the proxy, starts the readiness probe, and then blocks
// until the proxy's run loop reports completion before running the
// pre-shutdown hooks. Errors from each step are returned unchanged.
func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Command {
	run := func(cmd *cobra.Command, args []string) error {
		if err := opts.Validate(cmd); err != nil {
			return err
		}

		// Client configuration: explicitly set client flags win; otherwise
		// fall back to the in-cluster configuration.
		var (
			restConfig *rest.Config
			err        error
		)
		switch {
		case opts.Client.ClientFlagsChanged(cmd):
			restConfig, err = opts.Client.ToRESTConfig()
		default:
			restConfig, err = rest.InClusterConfig()
		}
		if err != nil {
			return err
		}

		// The token reviewer exists only when token passthrough is enabled;
		// the proxy otherwise receives a nil reviewer.
		var reviewer *tokenreview.TokenReview
		if opts.App.TokenPassthrough.Enabled {
			reviewer, err = tokenreview.New(restConfig, opts.App.TokenPassthrough.Audiences)
			if err != nil {
				return err
			}
		}

		// Secure serving (TLS listener) settings come from the SecureServing
		// options; ApplyTo fills the pointer we hand it.
		servingInfo := new(server.SecureServingInfo)
		if err := opts.SecureServing.ApplyTo(&servingInfo); err != nil {
			return err
		}

		cfg := &proxy.Config{
			TokenReview:                     opts.App.TokenPassthrough.Enabled,
			DisableImpersonation:            opts.App.DisableImpersonation,
			FlushInterval:                   opts.App.FlushInterval,
			ExternalAddress:                 opts.SecureServing.BindAddress.String(),
			ExtraUserHeaders:                opts.App.ExtraHeaderOptions.ExtraUserHeaders,
			ExtraUserHeadersClientIPEnabled: opts.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
		}

		// Proxy with the OIDC token authenticator.
		p, err := proxy.New(restConfig, opts.OIDCAuthentication, opts.Audit,
			reviewer, servingInfo, cfg)
		if err != nil {
			return err
		}

		// Readiness probe: it is given a fake JWT minted for the configured
		// issuer together with the proxy's OIDC authenticator. What the probe
		// does with them lives in pkg/probe; presumably it exercises the
		// authenticator so readiness tracks its state — confirm there.
		fakeJWT, err := util.FakeJWT(opts.OIDCAuthentication.IssuerURL)
		if err != nil {
			return err
		}
		probePort := strconv.Itoa(opts.App.ReadinessProbePort)
		if err := probe.Run(probePort, fakeJWT, p.OIDCTokenAuthenticator()); err != nil {
			return err
		}

		// Run the proxy and block until its run loop signals completion,
		// then give it a chance to run pre-shutdown hooks.
		done, err := p.Run(stopCh)
		if err != nil {
			return err
		}
		<-done

		return p.RunPreShutdownHooks()
	}

	return &cobra.Command{
		Use:  options.AppName,
		Long: "kube-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
		RunE: run,
	}
}