updated

Author: mfaizanse

pkg/kubernetes/auth_headers.go

@@ -3,104 +3,110 @@ package kubernetes
 import (
 	"encoding/base64"
 	"fmt"
+	"strings"
 )
 
 // AuthType represents the type of Kubernetes authentication.
 type AuthType string
+type ContextKey string
 
 const (
 	// AuthTypeToken represents token-based authentication.
 	AuthTypeToken AuthType = "token"
 	// AuthTypeClientCertificate represents client certificate authentication.
 	AuthTypeClientCertificate AuthType = "client_certificate"
-	// AuthTypeUnknown represents unknown or unsupported authentication type.
-	AuthTypeUnknown       AuthType = "unknown"
-	AuthHeadersContextKey string   = "k8s_auth_headers"
+	// AuthHeadersContextKey is the context key for the Kubernetes authentication headers.
+	AuthHeadersContextKey ContextKey = "k8s_auth_headers"
 )
 
 // K8sAuthHeaders represents Kubernetes API authentication headers.
 type K8sAuthHeaders struct {
-	// ClusterURL is the Kubernetes cluster URL.
-	ClusterURL string
-	// ClusterCertificateAuthorityData is the base64-encoded CA certificate.
-	ClusterCertificateAuthorityData string
+	// Server is the Kubernetes cluster URL.
+	Server string
+	// ClusterCertificateAuthorityData is the Certificate Authority data.
+	CertificateAuthorityData []byte
 	// AuthorizationToken is the optional bearer token for authentication.
 	AuthorizationToken string
-	// ClientCertificateData is the optional base64-encoded client certificate.
-	ClientCertificateData string
-	// ClientKeyData is the optional base64-encoded client key.
-	ClientKeyData string
+	// ClientCertificateData is the optional client certificate data.
+	ClientCertificateData []byte
+	// ClientKeyData is the optional client key data.
+	ClientKeyData []byte
+	// InsecureSkipTLSVerify is the optional flag to skip TLS verification.
+	InsecureSkipTLSVerify bool
+}
+
+// GetDecodedData decodes and returns the data.
+func GetDecodedData(data string) ([]byte, error) {
+	return base64.StdEncoding.DecodeString(data)
 }
 
 func NewK8sAuthHeadersFromHeaders(data map[string]any) (*K8sAuthHeaders, error) {
-	authHeaders := &K8sAuthHeaders{}
 	var ok bool
-	authHeaders.ClusterURL, ok = data[string(CustomClusterURLHeader)].(string)
-	if !ok || authHeaders.ClusterURL == "" {
-		return nil, fmt.Errorf("%s header is required", CustomClusterURLHeader)
+	var err error
+
+	// Initialize auth headers.
+	authHeaders := &K8sAuthHeaders{
+		InsecureSkipTLSVerify: false,
+	}
+
+	// Get cluster URL from headers.
+	authHeaders.Server, ok = data[string(CustomServerHeader)].(string)
+	if !ok || authHeaders.Server == "" {
+		return nil, fmt.Errorf("%s header is required", CustomServerHeader)
 	}
 
-	authHeaders.ClusterCertificateAuthorityData, ok = data[string(CustomCertificateAuthorityDataHeader)].(string)
-	if !ok || authHeaders.ClusterCertificateAuthorityData == "" {
+	// Get certificate authority data from headers.
+	certificateAuthorityDataBase64, ok := data[string(CustomCertificateAuthorityDataHeader)].(string)
+	if !ok || certificateAuthorityDataBase64 == "" {
 		return nil, fmt.Errorf("%s header is required", CustomCertificateAuthorityDataHeader)
 	}
+	// Decode certificate authority data.
+	authHeaders.CertificateAuthorityData, err = GetDecodedData(certificateAuthorityDataBase64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid certificate authority data: %w", err)
+	}
+
+	// Get insecure skip TLS verify flag from headers.
+	if data[string(CustomInsecureSkipTLSVerifyHeader)] != nil && strings.ToLower(data[string(CustomInsecureSkipTLSVerifyHeader)].(string)) == "true" {
+		authHeaders.InsecureSkipTLSVerify = true
+	}
 
-	// Token or client certificate and key data (optional).
+	// Get authorization token from headers.
 	authHeaders.AuthorizationToken, _ = data[string(CustomAuthorizationHeader)].(string)
-	authHeaders.ClientCertificateData, _ = data[string(CustomClientCertificateDataHeader)].(string)
-	authHeaders.ClientKeyData, _ = data[string(CustomClientKeyDataHeader)].(string)
 
-	// Check if either token auth or client certificate auth is provided
-	hasTokenAuth := authHeaders.AuthorizationToken != ""
-	hasClientCertAuth := authHeaders.ClientCertificateData != "" && authHeaders.ClientKeyData != ""
+	// Get client certificate data from headers.
+	clientCertificateDataBase64, _ := data[string(CustomClientCertificateDataHeader)].(string)
+	if clientCertificateDataBase64 != "" {
+		authHeaders.ClientCertificateData, err = GetDecodedData(clientCertificateDataBase64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid client certificate data: %w", err)
+		}
+	}
+	// Get client key data from headers.
+	clientKeyDataBase64, _ := data[string(CustomClientKeyDataHeader)].(string)
+	if clientKeyDataBase64 != "" {
+		authHeaders.ClientKeyData, err = GetDecodedData(clientKeyDataBase64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid client key data: %w", err)
+		}
+	}
 
-	if !hasTokenAuth && !hasClientCertAuth {
-		return nil, fmt.Errorf("either %s header or (%s and %s) headers are required", CustomAuthorizationHeader, CustomClientCertificateDataHeader, CustomClientKeyDataHeader)
+	// Check if a valid authentication type is provided.
+	_, err = authHeaders.GetAuthType()
+	if err != nil {
+		return nil, fmt.Errorf("either %s header for token authentication or (%s and %s) headers for client certificate authentication required", CustomAuthorizationHeader, CustomClientCertificateDataHeader, CustomClientKeyDataHeader)
 	}
 
 	return authHeaders, nil
 }
 
 // GetAuthType returns the authentication type based on the provided headers.
-func (h *K8sAuthHeaders) GetAuthType() AuthType {
+func (h *K8sAuthHeaders) GetAuthType() (AuthType, error) {
 	if h.AuthorizationToken != "" {
-		return AuthTypeToken
+		return AuthTypeToken, nil
 	}
-	if h.ClientCertificateData != "" && h.ClientKeyData != "" {
-		return AuthTypeClientCertificate
+	if h.ClientCertificateData != nil && h.ClientKeyData != nil {
+		return AuthTypeClientCertificate, nil
 	}
-	return AuthTypeUnknown
+	return "", fmt.Errorf("invalid authentication type")
 }
-
-// GetDecodedCertificateAuthorityData decodes and returns the CA certificate data.
-func (h *K8sAuthHeaders) GetDecodedCertificateAuthorityData() ([]byte, error) {
-	data, err := base64.StdEncoding.DecodeString(h.ClusterCertificateAuthorityData)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode certificate authority data: %w", err)
-	}
-	return data, nil
-}
-
-// // GetDecodedClientCertificateData decodes and returns the client certificate data.
-// func (h *K8sAuthHeaders) GetDecodedClientCertificateData() ([]byte, error) {
-// 	if h.ClientCertificateData == nil || *h.ClientCertificateData == "" {
-// 		return nil, errors.New("client certificate data is not available")
-// 	}
-// 	data, err := base64.StdEncoding.DecodeString(*h.ClientCertificateData)
-// 	if err != nil {
-// 		return nil, fmt.Errorf("failed to decode client certificate data: %w", err)
-// 	}
-// 	return data, nil
-// }
-
-// // GetDecodedClientKeyData decodes and returns the client key data.
-// func (h *K8sAuthHeaders) GetDecodedClientKeyData() ([]byte, error) {
-// 	if h.ClientKeyData == nil || *h.ClientKeyData == "" {
-// 		return nil, errors.New("client key data is not available")
-// 	}
-// 	data, err := base64.StdEncoding.DecodeString(*h.ClientKeyData)
-// 	if err != nil {
-// 		return nil, fmt.Errorf("failed to decode client key data: %w", err)
-// 	}
-// 	return data, nil
-// }

pkg/kubernetes/kubernetes.go

@@ -12,14 +12,18 @@ import (
 type HeaderKey string
 
 const (
-	CustomClusterURLHeader    = HeaderKey("kubernetes-cluster-url")
-	CustomAuthorizationHeader = HeaderKey("kubernetes-authorization")
+	// CustomServerHeader is the Kubernetes cluster URL.
+	CustomServerHeader = HeaderKey("kubernetes-server")
 	// CustomCertificateAuthorityData is the base64-encoded CA certificate.
 	CustomCertificateAuthorityDataHeader = HeaderKey("kubernetes-certificate-authority-data")
+	// CustomAuthorizationHeader is the optional bearer token for authentication.
+	CustomAuthorizationHeader = HeaderKey("kubernetes-authorization")
 	// CustomClientCertificateData is the base64-encoded client certificate.
 	CustomClientCertificateDataHeader = HeaderKey("kubernetes-client-certificate-data")
 	// CustomClientKeyData is the base64-encoded client key.
 	CustomClientKeyDataHeader = HeaderKey("kubernetes-client-key-data")
+	// CustomInsecureSkipTLSVerify is the optional flag to skip TLS verification.
+	CustomInsecureSkipTLSVerifyHeader = HeaderKey("kubernetes-insecure-skip-tls-verify")
 
 	OAuthAuthorizationHeader = HeaderKey("Authorization")
 

pkg/kubernetes/manager.go

@@ -91,6 +91,43 @@ func NewInClusterManager(config *config.StaticConfig) (*Manager, error) {
 	return newManager(config, restConfig, clientcmd.NewDefaultClientConfig(*clientCmdConfig, nil))
 }
 
+func NewAuthHeadersClusterManager(authHeaders *K8sAuthHeaders, config *config.StaticConfig) (*Manager, error) {
+
+	var certData []byte = nil
+	if len(authHeaders.ClientCertificateData) > 0 {
+		certData = authHeaders.ClientCertificateData
+	}
+
+	var keyData []byte = nil
+	if len(authHeaders.ClientKeyData) > 0 {
+		keyData = authHeaders.ClientKeyData
+	}
+
+	restConfig := &rest.Config{
+		Host:        authHeaders.Server,
+		BearerToken: authHeaders.AuthorizationToken,
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure: authHeaders.InsecureSkipTLSVerify,
+			CAData:   authHeaders.CertificateAuthorityData,
+			CertData: certData,
+			KeyData:  keyData,
+		},
+	}
+	// Create a dummy kubeconfig clientcmdapi.Config for in-cluster config to be used in places where clientcmd.ClientConfig is required
+	clientCmdConfig := clientcmdapi.NewConfig()
+	clientCmdConfig.Clusters["cluster"] = &clientcmdapi.Cluster{
+		Server:                authHeaders.Server,
+		InsecureSkipTLSVerify: authHeaders.InsecureSkipTLSVerify,
+	}
+	clientCmdConfig.AuthInfos["user"] = &clientcmdapi.AuthInfo{
+		Token:                 authHeaders.AuthorizationToken,
+		ClientCertificateData: certData,
+		ClientKeyData:         keyData,
+	}
+
+	return newManager(config, restConfig, clientcmd.NewDefaultClientConfig(*clientCmdConfig, nil))
+}
+
 func newManager(config *config.StaticConfig, restConfig *rest.Config, clientCmdConfig clientcmd.ClientConfig) (*Manager, error) {
 	k8s := &Manager{
 		staticConfig:    config,