mirror of https://github.com/helm/helm
Merge pull request #189 from vaikas-google/master
Add support for k8s secrets backed credentialspull/192/head
commit
b2ebb24c08
@ -0,0 +1,127 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2015 The Kubernetes Authors All rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package registry
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
|
"flag"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
|
||||||
|
"github.com/ghodss/yaml"
|
||||||
|
"github.com/kubernetes/deployment-manager/common"
|
||||||
|
"github.com/kubernetes/deployment-manager/util"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
kubePath = flag.String("kubectl", "./kubectl", "The path to the kubectl binary.")
|
||||||
|
kubeService = flag.String("service", "", "The DNS name of the kubernetes service.")
|
||||||
|
kubeServer = flag.String("server", "", "The IP address and optional port of the kubernetes master.")
|
||||||
|
kubeInsecure = flag.Bool("insecure-skip-tls-verify", false, "Do not check the server's certificate for validity.")
|
||||||
|
kubeConfig = flag.String("config", "", "Path to a kubeconfig file.")
|
||||||
|
kubeCertAuth = flag.String("certificate-authority", "", "Path to a file for the certificate authority.")
|
||||||
|
kubeClientCert = flag.String("client-certificate", "", "Path to a client certificate file.")
|
||||||
|
kubeClientKey = flag.String("client-key", "", "Path to a client key file.")
|
||||||
|
kubeToken = flag.String("token", "", "A service account token.")
|
||||||
|
kubeUsername = flag.String("username", "", "The username to use for basic auth.")
|
||||||
|
kubePassword = flag.String("password", "", "The password to use for basic auth.")
|
||||||
|
)
|
||||||
|
|
||||||
|
var kubernetesConfig *util.KubernetesConfig
|
||||||
|
|
||||||
|
const secretType = "Secret"
|
||||||
|
|
||||||
|
// CredentialProvider provides credentials for registries.
|
||||||
|
type SecretsCredentialProvider struct {
|
||||||
|
// Actual object that talks to secrets service.
|
||||||
|
k util.Kubernetes
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewSecretsCredentialProvider() common.CredentialProvider {
|
||||||
|
kubernetesConfig := &util.KubernetesConfig{
|
||||||
|
KubePath: *kubePath,
|
||||||
|
KubeService: *kubeService,
|
||||||
|
KubeServer: *kubeServer,
|
||||||
|
KubeInsecure: *kubeInsecure,
|
||||||
|
KubeConfig: *kubeConfig,
|
||||||
|
KubeCertAuth: *kubeCertAuth,
|
||||||
|
KubeClientCert: *kubeClientCert,
|
||||||
|
KubeClientKey: *kubeClientKey,
|
||||||
|
KubeToken: *kubeToken,
|
||||||
|
KubeUsername: *kubeUsername,
|
||||||
|
KubePassword: *kubePassword,
|
||||||
|
}
|
||||||
|
return &SecretsCredentialProvider{util.NewKubernetesKubectl(kubernetesConfig)}
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseCredential(credential string) (*common.RegistryCredential, error) {
|
||||||
|
var c common.KubernetesSecret
|
||||||
|
if err := json.Unmarshal([]byte(credential), &c); err != nil {
|
||||||
|
return nil, fmt.Errorf("cannot unmarshal credential '%s' (%#v)", credential, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
d, err := base64.StdEncoding.DecodeString(c.Data["credential"])
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("cannot unmarshal credential '%s' (%#v)", c, err)
|
||||||
|
}
|
||||||
|
// And then finally unmarshal it from yaml to common.RegistryCredential
|
||||||
|
r := &common.RegistryCredential{}
|
||||||
|
if err := yaml.Unmarshal(d, &r); err != nil {
|
||||||
|
return nil, fmt.Errorf("cannot unmarshal credential %s (%#v)", c, err)
|
||||||
|
}
|
||||||
|
return r, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (scp *SecretsCredentialProvider) GetCredential(name string) (*common.RegistryCredential, error) {
|
||||||
|
o, err := scp.k.Get(name, secretType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return parseCredential(o)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (scp *SecretsCredentialProvider) SetCredential(name string, credential *common.RegistryCredential) error {
|
||||||
|
// Marshal the credential & base64 encode it.
|
||||||
|
b, err := yaml.Marshal(credential)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("yaml marshal failed for credential: %s: %v", name, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
enc := base64.StdEncoding.EncodeToString(b)
|
||||||
|
|
||||||
|
// Then create a kubernetes object out of it
|
||||||
|
metadata := make(map[string]string)
|
||||||
|
metadata["name"] = name
|
||||||
|
data := make(map[string]string)
|
||||||
|
data["credential"] = enc
|
||||||
|
obj := &common.KubernetesSecret{
|
||||||
|
Kind: secretType,
|
||||||
|
ApiVersion: "v1",
|
||||||
|
Metadata: metadata,
|
||||||
|
Data: data,
|
||||||
|
}
|
||||||
|
ko, err := yaml.Marshal(obj)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("yaml marshal failed for kubernetes object: %s: %v", name, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
log.Printf("Calling with: %s", string(ko))
|
||||||
|
o, err := scp.k.Create(string(ko))
|
||||||
|
log.Printf("Create returned: %s", o)
|
||||||
|
return err
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2015 The Kubernetes Authors All rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package util
|
||||||
|
|
||||||
|
// KubernetesConfiguration defines the configuration options for talking to Kubernetes master
|
||||||
|
type KubernetesConfig struct {
|
||||||
|
KubePath string // The path to kubectl binary
|
||||||
|
KubeService string // DNS name of the kubernetes service
|
||||||
|
KubeServer string // The IP address and optional port of the kubernetes master
|
||||||
|
KubeInsecure bool // Do not check the server's certificate for validity
|
||||||
|
KubeConfig string // Path to a kubeconfig file
|
||||||
|
KubeCertAuth string // Path to a file for the certificate authority
|
||||||
|
KubeClientCert string // Path to a client certificate file
|
||||||
|
KubeClientKey string // Path to a client key file
|
||||||
|
KubeToken string // A service account token
|
||||||
|
KubeUsername string // The username to use for basic auth
|
||||||
|
KubePassword string // The password to use for basic auth
|
||||||
|
}
|
||||||
|
|
||||||
|
// Kubernetes defines the interface for talking to Kubernetes. Currently the
|
||||||
|
// only implementation is through kubectl, but eventually this could be done
|
||||||
|
// via direct API calls.
|
||||||
|
type Kubernetes interface {
|
||||||
|
Get(name string, resourceType string) (string, error)
|
||||||
|
Create(resource string) (string, error)
|
||||||
|
Delete(name string, resourceType string) (string, error)
|
||||||
|
}
|
@ -0,0 +1,135 @@
|
|||||||
|
/*
|
||||||
|
Copyright 2015 The Kubernetes Authors All rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package util
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"os/exec"
|
||||||
|
)
|
||||||
|
|
||||||
|
// KubernetesKubectl implements the interface for talking to Kubernetes by wrapping calls
|
||||||
|
// via kubectl.
|
||||||
|
type KubernetesKubectl struct {
|
||||||
|
KubePath string
|
||||||
|
// Base level arguments to kubectl. User commands/arguments get appended to this.
|
||||||
|
Arguments []string
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewKubernetesKubectl(config *KubernetesConfig) Kubernetes {
|
||||||
|
if config.KubePath == "" {
|
||||||
|
log.Fatalf("kubectl path cannot be empty")
|
||||||
|
}
|
||||||
|
// If a configuration file is specified, then it will provide the server
|
||||||
|
// address and credentials. If not, then we check for the server address
|
||||||
|
// and credentials as individual flags.
|
||||||
|
var args []string
|
||||||
|
if config.KubeConfig != "" {
|
||||||
|
config.KubeConfig = os.ExpandEnv(config.KubeConfig)
|
||||||
|
args = append(args, fmt.Sprintf("--kubeconfig=%s", config.KubeConfig))
|
||||||
|
} else {
|
||||||
|
if config.KubeServer != "" {
|
||||||
|
args = append(args, fmt.Sprintf("--server=https://%s", config.KubeServer))
|
||||||
|
} else if config.KubeService != "" {
|
||||||
|
addrs, err := net.LookupHost(config.KubeService)
|
||||||
|
if err != nil || len(addrs) < 1 {
|
||||||
|
log.Fatalf("cannot resolve DNS name: %v", config.KubeService)
|
||||||
|
}
|
||||||
|
|
||||||
|
args = append(args, fmt.Sprintf("--server=https://%s", addrs[0]))
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.KubeInsecure {
|
||||||
|
args = append(args, fmt.Sprintf("--insecure-skip-tls-verify=%s", config.KubeInsecure))
|
||||||
|
} else {
|
||||||
|
if config.KubeCertAuth != "" {
|
||||||
|
args = append(args, fmt.Sprintf("--certificate-authority=%s", config.KubeCertAuth))
|
||||||
|
if config.KubeClientCert == "" {
|
||||||
|
args = append(args, fmt.Sprintf("--client-certificate=%s", config.KubeClientCert))
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.KubeClientKey == "" {
|
||||||
|
args = append(args, fmt.Sprintf("--client-key=%s", config.KubeClientKey))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if config.KubeToken != "" {
|
||||||
|
args = append(args, fmt.Sprintf("--token=%s", config.KubeToken))
|
||||||
|
} else {
|
||||||
|
if config.KubeUsername != "" {
|
||||||
|
args = append(args, fmt.Sprintf("--username=%s", config.KubeUsername))
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.KubePassword != "" {
|
||||||
|
args = append(args, fmt.Sprintf("--password=%s", config.KubePassword))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return &KubernetesKubectl{config.KubePath, args}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (k *KubernetesKubectl) Get(name string, resourceType string) (string, error) {
|
||||||
|
// Specify output as json rather than human readable for easier machine parsing
|
||||||
|
args := []string{"get",
|
||||||
|
"-o",
|
||||||
|
"json",
|
||||||
|
resourceType,
|
||||||
|
name}
|
||||||
|
return k.execute(args, "")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (k *KubernetesKubectl) Create(resource string) (string, error) {
|
||||||
|
args := []string{"create"}
|
||||||
|
return k.execute(args, resource)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (k *KubernetesKubectl) Delete(name string, resourceType string) (string, error) {
|
||||||
|
args := []string{"delete",
|
||||||
|
resourceType,
|
||||||
|
name}
|
||||||
|
return k.execute(args, "")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (k *KubernetesKubectl) execute(args []string, input string) (string, error) {
|
||||||
|
if len(input) > 0 {
|
||||||
|
args = append(args, "-f", "-")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tack on the common arguments to the end of the command line
|
||||||
|
args = append(args, k.Arguments...)
|
||||||
|
cmd := exec.Command(k.KubePath, args...)
|
||||||
|
cmd.Stdin = bytes.NewBuffer([]byte(input))
|
||||||
|
|
||||||
|
// Combine stdout and stderr into a single dynamically resized buffer
|
||||||
|
combined := &bytes.Buffer{}
|
||||||
|
cmd.Stdout = combined
|
||||||
|
cmd.Stderr = combined
|
||||||
|
|
||||||
|
if err := cmd.Start(); err != nil {
|
||||||
|
log.Printf("cannot start kubectl %#v", err)
|
||||||
|
return combined.String(), err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := cmd.Wait(); err != nil {
|
||||||
|
log.Printf("kubectl failed: %#v", err)
|
||||||
|
return combined.String(), err
|
||||||
|
}
|
||||||
|
return combined.String(), nil
|
||||||
|
}
|
Loading…
Reference in new issue