From 566c1b6f2cbd27a6983a525df8f064f24e726595 Mon Sep 17 00:00:00 2001 From: Alessio Pragliola Date: Tue, 14 May 2024 10:07:24 +0200 Subject: [PATCH] feat: added option removeCAFromKubeconfig --- .goreleaser.yml | 4 ++-- cmd/gangplank/handlers.go | 4 ++++ deployments/helm/Chart.yaml | 4 ++-- deployments/helm/values.yaml | 4 ++++ internal/config/config.go | 3 +++ internal/config/config_test.go | 5 +++++ templates/commandline.tmpl | 6 ++++-- 7 files changed, 24 insertions(+), 6 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 1a00cc9..9223d7a 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -60,7 +60,7 @@ dockers: - registry.sighup.io/fury/gangplank-amd64:{{ .Major }} - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }} - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }}.{{ .Patch }} - skip_push: auto + skip_push: false - build_flag_templates: - --platform=linux/arm64 @@ -70,7 +70,7 @@ dockers: - registry.sighup.io/fury/gangplank-arm64:{{ .Major }} - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }} - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }}.{{ .Patch }} - skip_push: auto + skip_push: false docker_manifests: - name_template: registry.sighup.io/fury/gangplank:latest diff --git a/cmd/gangplank/handlers.go b/cmd/gangplank/handlers.go index c7de171..399cf86 100644 --- a/cmd/gangplank/handlers.go +++ b/cmd/gangplank/handlers.go @@ -301,6 +301,10 @@ func generateInfo(w http.ResponseWriter, r *http.Request) *userInfo { slog.Warn("Could not read CA file", "error", err) } + if cfg.RemoveCAFromKubeconfig { + caBytes = []byte{} + } + // load the session cookies sessionIDToken, err := gangplankUserSession.Session.Get(r, "gangplank_id_token") if err != nil { diff --git a/deployments/helm/Chart.yaml b/deployments/helm/Chart.yaml index 27c3b7a..41ff70d 100644 --- a/deployments/helm/Chart.yaml +++ b/deployments/helm/Chart.yaml 
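Review bot: Switching `skip_push: auto` to `skip_push: false` in both docker entries (this hunk and the arm64 one at `@@ -70,7 +70,7 @@`) is unrelated to the removeCAFromKubeconfig feature named in the subject and changes release behaviour: with `auto` goreleaser skips the image push for pre-release tags, so `false` publishes pre-release builds to registry.sighup.io as well. If that is intended, a separate commit or one sentence in the description would make it reviewable on its own; otherwise `skip_push: auto` should stay.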
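Review bot: The CA file is still read, and "Could not read CA file" still logged, before the new `if cfg.RemoveCAFromKubeconfig` block throws the result away, so the flag neither avoids the read nor silences a warning that is misleading when the file is intentionally absent; checking the flag before the read is the cheaper and quieter order. Because the template now drops `--certificate-authority`/`--embed-certs` whenever `.ClusterCA` is empty, a failed CA read presumably leaves `caBytes` empty too (worth confirming from the read above the hunk) and so yields a kubeconfig that looks valid but verifies the API server only against the client's default trust store — a misconfigured ClusterCAPath would be masked by the same branch the flag uses. `caBytes = nil` states the intent as well as `[]byte{}` and is what the empty-string check in the template needs. generateInfo begins and ends outside this hunk.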
@@ -16,5 +16,5 @@ apiVersion: v2 name: gangplank description: A Helm chart for Gangplank type: application -version: 0.1.0 -appVersion: "0.1.0" +version: 0.2.0 +appVersion: "1.1.0" diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml index 41a798f..cfee5e3 100644 --- a/deployments/helm/values.yaml +++ b/deployments/helm/values.yaml @@ -138,3 +138,7 @@ config: # The path to find custom HTML templates # Env var: GANGPLANK_CONFIG_CUSTOM_HTTP_TEMPLATES_DIR # customHTMLTemplatesDir: /custom-templates + + # Flag to remove the CA from the kubeconfig. + # Env var: GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG + # removeCAFromKubeconfig: false diff --git a/internal/config/config.go b/internal/config/config.go index ac8b09d..be9aa7e 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -48,6 +48,8 @@ type Config struct { SessionSecurityKey string `yaml:"sessionSecurityKey" envconfig:"SESSION_SECURITY_KEY"` CustomHTMLTemplatesDir string `yaml:"customHTMLTemplatesDir" envconfig:"custom_http_templates_dir"` + + RemoveCAFromKubeconfig bool `yaml:"removeCAFromKubeconfig" envconfig:"remove_ca_from_kubeconfig"` } // NewConfig returns a Config struct from serialized config file @@ -65,6 +67,7 @@ func NewConfig(configFile string) (*Config, error) { KeyFile: "/etc/gangplank/tls/tls.key", ClusterCAPath: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", HTTPPath: "", + RemoveCAFromKubeconfig: false, } if configFile != "" { diff --git a/internal/config/config_test.go b/internal/config/config_test.go index a8a0d6b..99ea231 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go 
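Review bot: The new `RemoveCAFromKubeconfig` field has no doc comment, and its consequence is not obvious from the name: what is omitted is the certificate authority embedded in the generated kubeconfig, which leaves TLS verification of the API server to the client's default trust store. A comment such as `// RemoveCAFromKubeconfig omits the cluster CA from the generated kubeconfig; the API server certificate must then chain to the client's system trust roots.` records that operational assumption next to the field. The explicit `RemoveCAFromKubeconfig: false,` in the defaults literal of the following hunk is redundant with Go's zero value, though harmless if the file lists every default for documentation.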
@@ -37,6 +37,7 @@ func TestEnvionmentOverrides(t *testing.T) { os.Setenv("GANGPLANK_CONFIG_TOKEN_URL", "https://foo.bar/token") os.Setenv("GANGPLANK_CONFIG_AUDIENCE", "foo") os.Setenv("GANGPLANK_CONFIG_SCOPES", "groups,sub") + os.Setenv("GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG", "true") cfg, err := NewConfig("") if err != nil { t.Errorf("Failed to test config overrides with error: %s", err) @@ -53,6 +54,10 @@ func TestEnvionmentOverrides(t *testing.T) { if cfg.Scopes[0] != "groups" || cfg.Scopes[1] != "sub" { t.Errorf("Failed to set scopes via environment variable. Expected %s but got %s", "[groups, sub]", cfg.Scopes) } + + if cfg.RemoveCAFromKubeconfig != true { + t.Errorf("Failed to set RemoveCAFromKubeconfig via environment variable. Expected %t but got %t", true, cfg.RemoveCAFromKubeconfig) + } } func TestGetRootPathPrefix(t *testing.T) { diff --git a/templates/commandline.tmpl b/templates/commandline.tmpl index 435c365..f462a79 100644 --- a/templates/commandline.tmpl +++ b/templates/commandline.tmpl @@ -90,8 +90,10 @@ tabindex="-1" > + {{ if not (eq .ClusterCA "") }} echo "{{ .ClusterCA }}" \ > "ca-{{ .ClusterName }}.pem" - kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs + {{ end }} + kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }}{{ if not (eq .ClusterCA "") }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs{{ end }} kubectl config set-credentials "{{ .KubeCfgUser }}" \ --auth-provider=oidc \ --auth-provider-arg='idp-issuer-url={{ .IssuerURL }}' \ @@ -101,7 +103,7 @@ --auth-provider-arg='id-token={{ .IDToken }}' kubectl config set-context "{{ .ClusterName }}" --cluster="{{ .ClusterName }}" --user="{{ .KubeCfgUser }}" kubectl config use-context "{{ .ClusterName }}" - rm "ca-{{ .ClusterName }}.pem" + {{ if not (eq .ClusterCA "") }}rm "ca-{{ .ClusterName }}.pem"{{ end }}
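Review bot: The added `os.Setenv("GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG", "true")` is never unset, so the value leaks into every later test in the package that builds a config; it follows the file's existing pattern, but for the new line `t.Setenv("GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG", "true")` restores the variable when the test ends, if the module's Go version permits it. TestEnvionmentOverrides starts before this hunk.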
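Review bot: `if cfg.RemoveCAFromKubeconfig != true {` compares a bool against a literal; the idiomatic form is `if !cfg.RemoveCAFromKubeconfig {`, and the `%t` argument for the expected value can then be written into the message as `Expected true but got %t`. The assertion only covers the override-to-true case, which is what this test is for; the default-false behaviour is presumably covered by the defaults test elsewhere in the file. The enclosing test function begins outside this hunk.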
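Review bot: `{{ if not (eq .ClusterCA "") }}` is now repeated three times (twice in this hunk and once around `rm` in the `@@ -101,7 +103,7 @@` hunk); Go templates treat an empty string as false, so `{{ if .ClusterCA }}` says the same thing more readably and keeps the three guards consistent. On the empty-CA path the emitted `kubectl config set-cluster` line carries no `--certificate-authority`, so the cluster entry depends on the client's default trust store; a template comment beside the first guard, such as `{{/* no CA embedded: the API server certificate must chain to the client's system roots */}}`, makes that visible to whoever maintains the snippet.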