weaveworks · yiannistri · Jan 28, 2022 · Jan 27, 2022
diff --git a/cmd/gitops-server/main.go b/cmd/gitops-server/main.go
@@ -88,7 +88,10 @@ func NewAPIServerCommand() *cobra.Command {
 				}
 			}()
 
-			profilesConfig := server.NewProfilesConfig(rawClient, profileCache, "default", "weaveworks-charts")
+			profilesConfig := server.NewProfilesConfig(server.ClusterConfig{
+				DefaultConfig: rest,
+				ClusterName:   clusterName,
+			}, profileCache, "default", "weaveworks-charts")
 
 			s, err := server.NewHandlers(context.Background(), &server.Config{AppConfig: appConfig, ProfilesConfig: profilesConfig})
 			if err != nil {

diff --git a/cmd/gitops/cmderrors/errors.go b/cmd/gitops/cmderrors/errors.go
@@ -3,6 +3,10 @@ package cmderrors
 import "errors"
 
 var (
-	ErrNoWGEEndpoint = errors.New("the Weave GitOps Enterprise HTTP API endpoint flag (--endpoint) has not been set")
-	ErrNoURL         = errors.New("the url flag (--url) has not been set")
+	ErrNoWGEEndpoint  = errors.New("the Weave GitOps Enterprise HTTP API endpoint flag (--endpoint) has not been set")
+	ErrNoURL          = errors.New("the URL flag (--url) has not been set")
+	ErrNoIssuerURL    = errors.New("the OIDC issuer URL flag (--oidc-issuer-url) has not been set")
+	ErrNoClientID     = errors.New("the OIDC client ID flag (--oidc-client-id) has not been set")
+	ErrNoClientSecret = errors.New("the OIDC client secret flag (--oidc-client-secret) has not been set")
+	ErrNoRedirectURL  = errors.New("the OIDC redirect URL flag (--oidc-redirect-url) has not been set")
 )
diff --git a/cmd/gitops/ui/run/cmd.go b/cmd/gitops/ui/run/cmd.go
@@ -21,6 +21,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
 
+	"github.com/weaveworks/weave-gitops/cmd/gitops/cmderrors"
 	"github.com/weaveworks/weave-gitops/pkg/helm/watcher"
 	"github.com/weaveworks/weave-gitops/pkg/helm/watcher/cache"
 	"github.com/weaveworks/weave-gitops/pkg/kube"
@@ -57,9 +58,10 @@ var options Options
 // NewCommand returns the `ui run` command
 func NewCommand() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "run [--log]",
-		Short: "Runs gitops ui",
-		RunE:  runCmd,
+		Use:     "run [--log]",
+		Short:   "Runs gitops ui",
+		PreRunE: preRunCmd,
+		RunE:    runCmd,
 	}
 
 	options = Options{}
@@ -85,6 +87,28 @@ func NewCommand() *cobra.Command {
 	return cmd
 }
 
+func preRunCmd(cmd *cobra.Command, args []string) error {
+	if server.AuthEnabled() {
+		if options.OIDC.IssuerURL == "" {
+			return cmderrors.ErrNoIssuerURL
+		}
+
+		if options.OIDC.ClientID == "" {
+			return cmderrors.ErrNoClientID
+		}
+
+		if options.OIDC.ClientSecret == "" {
+			return cmderrors.ErrNoClientSecret
+		}
+
+		if options.OIDC.RedirectURL == "" {
+			return cmderrors.ErrNoRedirectURL
+		}
+	}
+
+	return nil
+}
+
 func runCmd(cmd *cobra.Command, args []string) error {
 	var log = logrus.New()
 
@@ -144,7 +168,10 @@ func runCmd(cmd *cobra.Command, args []string) error {
 		}
 	}()
 
-	profilesConfig := server.NewProfilesConfig(rawClient, profileCache, options.HelmRepoNamespace, options.HelmRepoName)
+	profilesConfig := server.NewProfilesConfig(server.ClusterConfig{
+		DefaultConfig: rest,
+		ClusterName:   clusterName,
+	}, profileCache, options.HelmRepoNamespace, options.HelmRepoName)
 
 	var authServer *auth.AuthServer
 

diff --git a/cmd/gitops/ui/run/cmd_test.go b/cmd/gitops/ui/run/cmd_test.go
@@ -0,0 +1,73 @@
+package run_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/go-resty/resty/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/cmderrors"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/root"
+)
+
+func TestNoIssuerURL(t *testing.T) {
+	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+
+	client := resty.New()
+	cmd := root.RootCmd(client)
+	cmd.SetArgs([]string{
+		"ui", "run",
+	})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, cmderrors.ErrNoIssuerURL)
+}
+
+func TestNoClientID(t *testing.T) {
+	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+
+	client := resty.New()
+	cmd := root.RootCmd(client)
+	cmd.SetArgs([]string{
+		"ui", "run",
+		"--oidc-issuer-url=http://weave.works",
+	})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, cmderrors.ErrNoClientID)
+}
+
+func TestNoClientSecret(t *testing.T) {
+	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+
+	client := resty.New()
+	cmd := root.RootCmd(client)
+	cmd.SetArgs([]string{
+		"ui", "run",
+		"--oidc-issuer-url=http://weave.works",
+		"--oidc-client-id=client-id",
+	})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, cmderrors.ErrNoClientSecret)
+}
+
+func TestNoRedirectURL(t *testing.T) {
+	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+
+	client := resty.New()
+	cmd := root.RootCmd(client)
+	cmd.SetArgs([]string{
+		"ui", "run",
+		"--oidc-issuer-url=http://weave.works",
+		"--oidc-client-id=client-id",
+		"--oidc-client-secret=client-secret",
+	})
+
+	err := cmd.Execute()
+	assert.ErrorIs(t, err, cmderrors.ErrNoRedirectURL)
+}
diff --git a/pkg/server/profiles.go b/pkg/server/profiles.go
@@ -39,10 +39,10 @@ type ProfilesConfig struct {
 	helmRepoNamespace string
 	helmRepoName      string
 	helmCache         cache.Cache
-	kubeClient        client.Client
+	clusterConfig     ClusterConfig
 }
 
-func NewProfilesConfig(kubeClient client.Client, helmCache cache.Cache, helmRepoNamespace, helmRepoName string) ProfilesConfig {
+func NewProfilesConfig(clusterConfig ClusterConfig, helmCache cache.Cache, helmRepoNamespace, helmRepoName string) ProfilesConfig {
 	zapLog, err := zap.NewDevelopment()
 	if err != nil {
 		log.Fatalf("could not create zap logger: %v", err)
@@ -52,34 +52,44 @@ func NewProfilesConfig(kubeClient client.Client, helmCache cache.Cache, helmRepo
 		logr:              zapr.NewLogger(zapLog),
 		helmRepoNamespace: helmRepoNamespace,
 		helmRepoName:      helmRepoName,
-		kubeClient:        kubeClient,
 		helmCache:         helmCache,
+		clusterConfig:     clusterConfig,
 	}
 }
 
 type ProfilesServer struct {
 	pb.UnimplementedProfilesServer
 
-	KubeClient        client.Client
 	Log               logr.Logger
 	HelmRepoName      string
 	HelmRepoNamespace string
 	HelmCache         cache.Cache
+	ClientGetter      ClientGetter
 }
 
 func NewProfilesServer(config ProfilesConfig) pb.ProfilesServer {
+	clientGetter := &DefaultClientGetter{
+		configGetter: NewImpersonatingConfigGetter(config.clusterConfig.DefaultConfig, false),
+		clusterName:  config.clusterConfig.ClusterName,
+	}
+
 	return &ProfilesServer{
 		Log:               config.logr,
 		HelmRepoNamespace: config.helmRepoNamespace,
 		HelmRepoName:      config.helmRepoName,
 		HelmCache:         config.helmCache,
-		KubeClient:        config.kubeClient,
+		ClientGetter:      clientGetter,
 	}
 }
 
 func (s *ProfilesServer) GetProfiles(ctx context.Context, msg *pb.GetProfilesRequest) (*pb.GetProfilesResponse, error) {
+	kubeClient, err := s.ClientGetter.Client(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get a Kubernetes client: %w", err)
+	}
+
 	helmRepo := &sourcev1beta1.HelmRepository{}
-	err := s.KubeClient.Get(ctx, client.ObjectKey{
+	err = kubeClient.Get(ctx, client.ObjectKey{
 		Name:      s.HelmRepoName,
 		Namespace: s.HelmRepoNamespace,
 	}, helmRepo)
@@ -116,8 +126,13 @@ func (s *ProfilesServer) GetProfiles(ctx context.Context, msg *pb.GetProfilesReq
 }
 
 func (s *ProfilesServer) GetProfileValues(ctx context.Context, msg *pb.GetProfileValuesRequest) (*httpbody.HttpBody, error) {
+	kubeClient, err := s.ClientGetter.Client(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get a Kubernetes client: %w", err)
+	}
+
 	helmRepo := &sourcev1beta1.HelmRepository{}
-	err := s.KubeClient.Get(ctx, client.ObjectKey{
+	err = kubeClient.Get(ctx, client.ObjectKey{
 		Name:      s.HelmRepoName,
 		Namespace: s.HelmRepoNamespace,
 	}, helmRepo)

diff --git a/pkg/server/profiles_test.go b/pkg/server/profiles_test.go
@@ -45,11 +45,11 @@ var _ = Describe("ProfilesServer", func() {
 
 		fakeCache = &cachefakes.FakeCache{}
 		s = &server.ProfilesServer{
-			KubeClient:        kubeClient,
 			Log:               testutils.MakeFakeLogr(),
 			HelmRepoName:      "helmrepo",
 			HelmRepoNamespace: "default",
 			HelmCache:         fakeCache,
+			ClientGetter:      server.NewFakeClientGetter(kubeClient),
 		}
 
 		helmRepo = &sourcev1beta1.HelmRepository{