feat: added option removeCAFromKubeconfig

sighupio · May 14, 2024 · 566c1b6 · 566c1b6
1 parent 286f521
commit 566c1b6
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 6 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -60,7 +60,7 @@ dockers:
       - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}
       - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }}
       - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
-    skip_push: auto
+    skip_push: false
 
   - build_flag_templates:
       - --platform=linux/arm64
@@ -70,7 +70,7 @@ dockers:
       - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}
       - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }}
       - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
-    skip_push: auto
+    skip_push: false
 
 docker_manifests:
   - name_template: registry.sighup.io/fury/gangplank:latest

diff --git a/cmd/gangplank/handlers.go b/cmd/gangplank/handlers.go
@@ -301,6 +301,10 @@ func generateInfo(w http.ResponseWriter, r *http.Request) *userInfo {
 		slog.Warn("Could not read CA file", "error", err)
 	}
 
+	if cfg.RemoveCAFromKubeconfig {
+		caBytes = []byte{}
+	}
+
 	// load the session cookies
 	sessionIDToken, err := gangplankUserSession.Session.Get(r, "gangplank_id_token")
 	if err != nil {

diff --git a/deployments/helm/Chart.yaml b/deployments/helm/Chart.yaml
@@ -16,5 +16,5 @@ apiVersion: v2
 name: gangplank
 description: A Helm chart for Gangplank
 type: application
-version: 0.1.0
-appVersion: "0.1.0"
+version: 0.2.0
+appVersion: "1.1.0"
diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml
@@ -138,3 +138,7 @@ config:
   # The path to find custom HTML templates
   # Env var: GANGPLANK_CONFIG_CUSTOM_HTTP_TEMPLATES_DIR
   # customHTMLTemplatesDir: /custom-templates
+
+  # Flag to remove the CA from the kubeconfig.
+  # Env var: GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG
+  # removeCAFromKubeconfig: false
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -48,6 +48,8 @@ type Config struct {
 
 	SessionSecurityKey     string `yaml:"sessionSecurityKey" envconfig:"SESSION_SECURITY_KEY"`
 	CustomHTMLTemplatesDir string `yaml:"customHTMLTemplatesDir" envconfig:"custom_http_templates_dir"`
+
+	RemoveCAFromKubeconfig bool `yaml:"removeCAFromKubeconfig" envconfig:"remove_ca_from_kubeconfig"`
 }
 
 // NewConfig returns a Config struct from serialized config file
@@ -65,6 +67,7 @@ func NewConfig(configFile string) (*Config, error) {
 		KeyFile:                "/etc/gangplank/tls/tls.key",
 		ClusterCAPath:          "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
 		HTTPPath:               "",
+		RemoveCAFromKubeconfig: false,
 	}
 
 	if configFile != "" {

diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -37,6 +37,7 @@ func TestEnvionmentOverrides(t *testing.T) {
 	os.Setenv("GANGPLANK_CONFIG_TOKEN_URL", "https://foo.bar/token")
 	os.Setenv("GANGPLANK_CONFIG_AUDIENCE", "foo")
 	os.Setenv("GANGPLANK_CONFIG_SCOPES", "groups,sub")
+	os.Setenv("GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG", "true")
 	cfg, err := NewConfig("")
 	if err != nil {
 		t.Errorf("Failed to test config overrides with error: %s", err)
@@ -53,6 +54,10 @@ func TestEnvionmentOverrides(t *testing.T) {
 	if cfg.Scopes[0] != "groups" || cfg.Scopes[1] != "sub" {
 		t.Errorf("Failed to set scopes via environment variable. Expected %s but got %s", "[groups, sub]", cfg.Scopes)
 	}
+
+	if cfg.RemoveCAFromKubeconfig != true {
+		t.Errorf("Failed to set RemoveCAFromKubeconfig via environment variable. Expected %t but got %t", true, cfg.RemoveCAFromKubeconfig)
+	}
 }
 
 func TestGetRootPathPrefix(t *testing.T) {

diff --git a/templates/commandline.tmpl b/templates/commandline.tmpl
@@ -90,8 +90,10 @@
                 tabindex="-1"
               >
                 <code class="euiCodeBlock__code euiCodeBlock__code">
+                  {{ if not (eq .ClusterCA  "") }}
                   <span class="euiCodeBlock__line">echo "{{ .ClusterCA }}" \ > "ca-{{ .ClusterName }}.pem"</span>
-                  <span class="euiCodeBlock__line">kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs</span>
+                  {{ end }}
+                  <span class="euiCodeBlock__line">kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }}{{ if not (eq .ClusterCA  "") }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs{{ end }}</span>
                   <span class="euiCodeBlock__line">kubectl config set-credentials "{{ .KubeCfgUser }}"  \
     --auth-provider=oidc  \
     --auth-provider-arg='idp-issuer-url={{ .IssuerURL }}'  \
@@ -101,7 +103,7 @@
     --auth-provider-arg='id-token={{ .IDToken }}'</span>
                   <span class="euiCodeBlock__line">kubectl config set-context "{{ .ClusterName }}" --cluster="{{ .ClusterName }}" --user="{{ .KubeCfgUser }}"</span>
                   <span class="euiCodeBlock__line">kubectl config use-context "{{ .ClusterName }}"</span>
-                  <span class="euiCodeBlock__line">rm "ca-{{ .ClusterName }}.pem"</span>
+                  {{ if not (eq .ClusterCA  "") }}<span class="euiCodeBlock__line">rm "ca-{{ .ClusterName }}.pem"</span>{{ end }}
                 </code>
               </pre>
             </div>