moves kubeconfig creation logic inside svc account service

sighupio · Jul 10, 2021 · 8cea90b · 8cea90b
1 parent 4cacf94
commit 8cea90b
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 101 deletions.
diff --git a/internal/kubeconfig/create-kubeconfig.go b/internal/kubeconfig/create-kubeconfig.go
diff --git a/internal/resources/certificate.go b/internal/resources/certificate.go
@@ -0,0 +1,20 @@
+package resources
+
+import (
+	"encoding/base64"
+	"log"
+	runtime "sigs.k8s.io/controller-runtime"
+)
+
+// getCaBase64 returns the base64 encoding of the Kubernetes cluster api-server CA
+func getCaBase64() string {
+
+	kConfig, err := runtime.GetConfig()
+
+	if err != nil {
+		log.Fatalf("Unable to get kubeconfig.\n%v", err)
+	}
+
+	return base64.StdEncoding.EncodeToString(kConfig.CAData)
+
+}
diff --git a/internal/resources/resources.go b/internal/resources/resources.go
@@ -2,7 +2,6 @@ package resources
 
 import (
 	"context"
-
 	k8sclient "k8s.io/client-go/kubernetes"
 )
 

diff --git a/internal/resources/serviceaccount.go b/internal/resources/serviceaccount.go
@@ -6,13 +6,16 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"log"
+	"sighupio/permission-manager/internal/config"
 	"time"
 )
 
 type ServiceAccountService interface {
 	ServiceAccountGet(namespace, name string) (*v1.ServiceAccount, error)
 	ServiceAccountCreate(namespace, name string) (*v1.ServiceAccount, error)
-	ServiceAccountGetToken(ns string, name string, shouldWaitSvcCreation bool) (string, string, error)
+	// ServiceAccountCreateKubeConfigForUser Creates a ServiceAccount for the user and returns the KubeConfig with its token
+	ServiceAccountCreateKubeConfigForUser(cluster config.ClusterConfig, username, namespace string) (kubeconfigYAML string)
 }
 
 func (r *resourceService) ServiceAccountGet(namespace, name string) (*v1.ServiceAccount, error) {
@@ -27,10 +30,64 @@ func (r *resourceService) ServiceAccountCreate(namespace, name string) (*v1.Serv
 	}, metav1.CreateOptions{})
 }
 
+func (r *resourceService) ServiceAccountCreateKubeConfigForUser(cluster config.ClusterConfig, username, kubeConfigNamespace string) (kubeconfigYAML string) {
+
+	serviceAccountNamespace := "permission-manager" // TODO: must be received externally to this func?
+
+	// Create service account
+	_, err := r.ServiceAccountCreate(serviceAccountNamespace, username)
+
+	if err != nil {
+		log.Printf("Service Account not created: %v", err)
+	}
+
+	// get service account token
+	_, token, err := r.serviceAccountGetToken(serviceAccountNamespace, username, true)
+
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	certificateTpl := `---
+apiVersion: v1
+kind: Config
+current-context: %s@%s
+clusters:
+  - cluster:
+      certificate-authority-data: %s
+      server: %s
+    name: %s
+contexts:
+  - context:
+      cluster: %s
+      user: %s
+      namespace: %s
+    name: %s@%s
+users:
+  - name: %s
+    user:
+      token: %s`
+
+	return fmt.Sprintf(certificateTpl,
+		username,
+		cluster.Name,
+		getCaBase64(),
+		cluster.ControlPlaneAddress,
+		cluster.Name,
+		cluster.Name,
+		username,
+		kubeConfigNamespace,
+		username,
+		cluster.Name,
+		username,
+		token,
+	)
+}
+
+
+
 //todo refactor
-func (r *resourceService) ServiceAccountGetToken(ns string, name string, shouldWait bool) (string, string, error) {
-	tokenName := ""
-	token := ""
+func (r *resourceService) serviceAccountGetToken(ns string, name string, shouldWaitServiceAccountCreation bool) (tokenName string, token string, err error) {
 
 	findToken := func() (bool, error) {
 		user, err := r.ServiceAccountGet(ns, name)
@@ -74,7 +131,7 @@ func (r *resourceService) ServiceAccountGetToken(ns string, name string, shouldW
 		return false, nil
 	}
 
-	if shouldWait {
+	if shouldWaitServiceAccountCreation {
 		err := wait.Poll(time.Second, 10*time.Second, findToken)
 
 		if err != nil {
@@ -93,3 +150,6 @@ func (r *resourceService) ServiceAccountGetToken(ns string, name string, shouldW
 
 	return tokenName, token, nil
 }
+
+
+
diff --git a/...rnal/kubeconfig/create-kubeconfig_test.go → internal/resources/serviceaccount_test.go b/...rnal/kubeconfig/create-kubeconfig_test.go → internal/resources/serviceaccount_test.go
@@ -1,9 +1,8 @@
-package kubeconfig
+package resources
 
 import (
 	"context"
 	"sighupio/permission-manager/internal/config"
-	"sighupio/permission-manager/internal/resources"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -17,9 +16,9 @@ func TestCreateKubeconfig(t *testing.T) {
 		ControlPlaneAddress: "https://100.200.10.200",
 	}
 
-	rs := resources.NewResourceService(resources.NewFakeKubeClient(), context.TODO())
+	rs := NewResourceService(NewFakeKubeClient(), context.TODO())
 
-	got := CreateKubeConfigYAMLForUser(rs, clusterConfig, "gino", "pangolier")
+	got := rs.ServiceAccountCreateKubeConfigForUser(clusterConfig, "gino", "pangolier")
 
 	want := `---
 apiVersion: v1

diff --git a/internal/resources/user.go b/internal/resources/user.go
@@ -18,6 +18,7 @@ type UserService interface {
 	UserList() ([]User, error)
 	UserDelete(username string) error
 	UserCreate(username string) (User, error)
+
 }
 
 const resourceURL = "apis/permissionmanager.user/v1alpha1/permissionmanagerusers"
@@ -139,3 +140,4 @@ func (r *resourceService) UserDelete(username string) error {
 
 	return err
 }
+
diff --git a/internal/server/handlers.go b/internal/server/handlers.go
@@ -1,11 +1,9 @@
 package server
 
 import (
-	"net/http"
-
 	"github.com/labstack/echo"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"sighupio/permission-manager/internal/kubeconfig"
+	"net/http"
 )
 
 
@@ -92,7 +90,7 @@ func createKubeconfig(c echo.Context) error {
 		r.Namespace = "default"
 	}
 
-	kubeCfg := kubeconfig.CreateKubeConfigYAMLForUser(ac.ResourceService, ac.Config.Cluster, r.Username, r.Namespace)
+	kubeCfg := ac.ResourceService.ServiceAccountCreateKubeConfigForUser(ac.Config.Cluster, r.Username, r.Namespace)
 
 	return c.JSON(http.StatusOK, Response{Ok: true, Kubeconfig: kubeCfg})
 }