Merge pull request #7 from sighupio/feature/remove-ca-flag

feat: added option removeCAFromKubeconfig
sighupio · Jun 17, 2024 · af65d78 · af65d78
2 parents 286f521 + 8bfd302
commit af65d78
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 7 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -62,6 +62,12 @@ dockers:
       - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
     skip_push: auto
 
+  - build_flag_templates:
+      - --platform=linux/amd64
+    image_templates:
+      - registry.sighup.io/fury/gangplank-amd64:{{ .Tag }}
+    skip_push: false
+
   - build_flag_templates:
       - --platform=linux/arm64
     goarch: arm64
@@ -72,6 +78,13 @@ dockers:
       - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
     skip_push: auto
 
+  - build_flag_templates:
+      - --platform=linux/arm64
+    goarch: arm64
+    image_templates:
+      - registry.sighup.io/fury/gangplank-arm64:{{ .Tag }}
+    skip_push: false
+
 docker_manifests:
   - name_template: registry.sighup.io/fury/gangplank:latest
     image_templates:
@@ -93,6 +106,11 @@ docker_manifests:
       - registry.sighup.io/fury/gangplank-amd64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
       - registry.sighup.io/fury/gangplank-arm64:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
 
+  - name_template: registry.sighup.io/fury/gangplank:{{ .Tag }}
+    image_templates:
+      - registry.sighup.io/fury/gangplank-amd64:{{ .Tag }}
+      - registry.sighup.io/fury/gangplank-arm64:{{ .Tag }}
+
 docker_signs:
   - artifacts: all
     stdin: "{{ .Env.COSIGN_PWD }}"

diff --git a/cmd/gangplank/handlers.go b/cmd/gangplank/handlers.go
@@ -53,6 +53,7 @@ type userInfo struct {
 	APIServerURL string
 	ClusterCA    string
 	HTTPPath     string
+	Namespace    string
 }
 
 // homeInfo is used to store dynamic properties on
@@ -111,8 +112,9 @@ func generateKubeConfig(cfg *userInfo) clientcmdapi.Config {
 			{
 				Name: cfg.ClusterName,
 				Context: clientcmdapi.Context{
-					Cluster:  cfg.ClusterName,
-					AuthInfo: cfg.KubeCfgUser,
+					Cluster:   cfg.ClusterName,
+					AuthInfo:  cfg.KubeCfgUser,
+					Namespace: cfg.Namespace,
 				},
 			},
 		},
@@ -301,6 +303,10 @@ func generateInfo(w http.ResponseWriter, r *http.Request) *userInfo {
 		slog.Warn("Could not read CA file", "error", err)
 	}
 
+	if cfg.RemoveCAFromKubeconfig {
+		caBytes = []byte{}
+	}
+
 	// load the session cookies
 	sessionIDToken, err := gangplankUserSession.Session.Get(r, "gangplank_id_token")
 	if err != nil {
@@ -375,6 +381,7 @@ func generateInfo(w http.ResponseWriter, r *http.Request) *userInfo {
 		APIServerURL: cfg.APIServerURL,
 		ClusterCA:    string(caBytes),
 		HTTPPath:     cfg.HTTPPath,
+		Namespace:    cfg.Namespace,
 	}
 	return info
 }
diff --git a/deployments/helm/Chart.yaml b/deployments/helm/Chart.yaml
@@ -16,5 +16,5 @@ apiVersion: v2
 name: gangplank
 description: A Helm chart for Gangplank
 type: application
-version: 0.1.0
-appVersion: "0.1.0"
+version: 0.2.0
+appVersion: "1.1.0"
diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml
@@ -138,3 +138,11 @@ config:
   # The path to find custom HTML templates
   # Env var: GANGPLANK_CONFIG_CUSTOM_HTTP_TEMPLATES_DIR
   # customHTMLTemplatesDir: /custom-templates
+
+  # Flag to remove the CA from the kubeconfig.
+  # Env var: GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG
+  # removeCAFromKubeconfig: false
+
+  # Namespace to use in the kubeconfig.
+  # Env var: GANGPLANK_CONFIG_NAMESPACE
+  # namespace: "default"
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -48,6 +48,9 @@ type Config struct {
 
 	SessionSecurityKey     string `yaml:"sessionSecurityKey" envconfig:"SESSION_SECURITY_KEY"`
 	CustomHTMLTemplatesDir string `yaml:"customHTMLTemplatesDir" envconfig:"custom_http_templates_dir"`
+
+	RemoveCAFromKubeconfig bool   `yaml:"removeCAFromKubeconfig" envconfig:"remove_ca_from_kubeconfig"`
+	Namespace              string `yaml:"namespace" envconfig:"namespace"`
 }
 
 // NewConfig returns a Config struct from serialized config file
@@ -65,6 +68,7 @@ func NewConfig(configFile string) (*Config, error) {
 		KeyFile:                "/etc/gangplank/tls/tls.key",
 		ClusterCAPath:          "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
 		HTTPPath:               "",
+		RemoveCAFromKubeconfig: false,
 	}
 
 	if configFile != "" {

diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -37,6 +37,8 @@ func TestEnvionmentOverrides(t *testing.T) {
 	os.Setenv("GANGPLANK_CONFIG_TOKEN_URL", "https://foo.bar/token")
 	os.Setenv("GANGPLANK_CONFIG_AUDIENCE", "foo")
 	os.Setenv("GANGPLANK_CONFIG_SCOPES", "groups,sub")
+	os.Setenv("GANGPLANK_CONFIG_REMOVE_CA_FROM_KUBECONFIG", "true")
+	os.Setenv("GANGPLANK_CONFIG_NAMESPACE", "default")
 	cfg, err := NewConfig("")
 	if err != nil {
 		t.Errorf("Failed to test config overrides with error: %s", err)
@@ -53,6 +55,14 @@ func TestEnvionmentOverrides(t *testing.T) {
 	if cfg.Scopes[0] != "groups" || cfg.Scopes[1] != "sub" {
 		t.Errorf("Failed to set scopes via environment variable. Expected %s but got %s", "[groups, sub]", cfg.Scopes)
 	}
+
+	if cfg.RemoveCAFromKubeconfig != true {
+		t.Errorf("Failed to set RemoveCAFromKubeconfig via environment variable. Expected %t but got %t", true, cfg.RemoveCAFromKubeconfig)
+	}
+
+	if cfg.Namespace != "default" {
+		t.Errorf("Failed to set namespace via environment variable. Expected %s but got %s", "default", cfg.Namespace)
+	}
 }
 
 func TestGetRootPathPrefix(t *testing.T) {

diff --git a/templates/commandline.tmpl b/templates/commandline.tmpl
@@ -90,18 +90,20 @@
                 tabindex="-1"
               >
                 <code class="euiCodeBlock__code euiCodeBlock__code">
+                  {{ if not (eq .ClusterCA  "") }}
                   <span class="euiCodeBlock__line">echo "{{ .ClusterCA }}" \ > "ca-{{ .ClusterName }}.pem"</span>
-                  <span class="euiCodeBlock__line">kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs</span>
+                  {{ end }}
+                  <span class="euiCodeBlock__line">kubectl config set-cluster "{{ .ClusterName }}" --server={{ .APIServerURL }}{{ if not (eq .ClusterCA  "") }} --certificate-authority="ca-{{ .ClusterName }}.pem" --embed-certs{{ end }}</span>
                   <span class="euiCodeBlock__line">kubectl config set-credentials "{{ .KubeCfgUser }}"  \
     --auth-provider=oidc  \
     --auth-provider-arg='idp-issuer-url={{ .IssuerURL }}'  \
     --auth-provider-arg='client-id={{ .ClientID }}'  \
     --auth-provider-arg='client-secret={{ .ClientSecret }}' \
     --auth-provider-arg='refresh-token={{ .RefreshToken }}' \
     --auth-provider-arg='id-token={{ .IDToken }}'</span>
-                  <span class="euiCodeBlock__line">kubectl config set-context "{{ .ClusterName }}" --cluster="{{ .ClusterName }}" --user="{{ .KubeCfgUser }}"</span>
+                  <span class="euiCodeBlock__line">kubectl config set-context "{{ .ClusterName }}" --cluster="{{ .ClusterName }}" --user="{{ .KubeCfgUser }}" {{ if not (eq .Namespace "") }}--namespace="{{ .Namespace }}"{{ end }}</span>
                   <span class="euiCodeBlock__line">kubectl config use-context "{{ .ClusterName }}"</span>
-                  <span class="euiCodeBlock__line">rm "ca-{{ .ClusterName }}.pem"</span>
+                  {{ if not (eq .ClusterCA  "") }}<span class="euiCodeBlock__line">rm "ca-{{ .ClusterName }}.pem"</span>{{ end }}
                 </code>
               </pre>
             </div>