// ParseAnnotations parses the annotations contained in the ingress
// rule used to add authentication in the paths defined in the rule
// and generated an htpasswd compatible file to be used as source
// during the authentication process
func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) {
if ing.GetAnnotations() == nil {
return &Nginx{}, ErrMissingAnnotations
}
at, err := ingAnnotations(ing.GetAnnotations()).authType()
if err != nil {
return &Nginx{}, err
}
s, err := ingAnnotations(ing.GetAnnotations()).secretName()
if err != nil {
return &Nginx{}, err
}
secret, err := kubeClient.Secrets(ing.Namespace).Get(s)
if err != nil {
return &Nginx{}, err
}
realm := ingAnnotations(ing.GetAnnotations()).realm()
passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
err = dumpSecret(passFile, secret)
if err != nil {
return &Nginx{}, err
}
return &Nginx{
Type: at,
Realm: realm,
File: passFile,
Secured: true,
}, nil
}
func deleteSecrets(kubeClient client.Interface, ns string) error {
items, err := kubeClient.Secrets(ns).List(unversioned.ListOptions{})
if err != nil {
return err
}
for i := range items.Items {
err := kubeClient.Secrets(ns).Delete(items.Items[i].Name)
if err != nil && !errors.IsNotFound(err) {
return err
}
}
return nil
}
func deleteSecrets(kubeClient client.Interface, ns string) error {
items, err := kubeClient.Secrets(ns).List(labels.Everything(), fields.Everything())
if err != nil {
return err
}
for i := range items.Items {
err := kubeClient.Secrets(ns).Delete(items.Items[i].Name)
if err != nil && !errors.IsNotFound(err) {
return err
}
}
return nil
}
// NewServiceAccount returns an admission.Interface implementation which limits admission of Pod CREATE requests based on the pod's ServiceAccount:
// 1. If the pod does not specify a ServiceAccount, it sets the pod's ServiceAccount to "default"
// 2. It ensures the ServiceAccount referenced by the pod exists
// 3. If LimitSecretReferences is true, it rejects the pod if the pod references Secret objects which the pod's ServiceAccount does not reference
// 4. If the pod does not contain any ImagePullSecrets, the ImagePullSecrets of the service account are added.
// 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers
func NewServiceAccount(cl client.Interface) *serviceAccount {
serviceAccountsIndexer, serviceAccountsReflector := cache.NewNamespaceKeyedIndexerAndReflector(
&cache.ListWatch{
ListFunc: func(options unversioned.ListOptions) (runtime.Object, error) {
return cl.ServiceAccounts(api.NamespaceAll).List(options)
},
WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) {
return cl.ServiceAccounts(api.NamespaceAll).Watch(options)
},
},
&api.ServiceAccount{},
0,
)
tokenSelector := fields.SelectorFromSet(map[string]string{client.SecretType: string(api.SecretTypeServiceAccountToken)})
secretsIndexer, secretsReflector := cache.NewNamespaceKeyedIndexerAndReflector(
&cache.ListWatch{
ListFunc: func(options unversioned.ListOptions) (runtime.Object, error) {
options.FieldSelector.Selector = tokenSelector
return cl.Secrets(api.NamespaceAll).List(options)
},
WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) {
options.FieldSelector.Selector = tokenSelector
return cl.Secrets(api.NamespaceAll).Watch(options)
},
},
&api.Secret{},
0,
)
return &serviceAccount{
Handler: admission.NewHandler(admission.Create),
// TODO: enable this once we've swept secret usage to account for adding secret references to service accounts
LimitSecretReferences: false,
// Auto mount service account API token secrets
MountServiceAccountToken: true,
// Reject pod creation until a service account token is available
RequireAPIToken: true,
client: cl,
serviceAccounts: serviceAccountsIndexer,
serviceAccountsReflector: serviceAccountsReflector,
secrets: secretsIndexer,
secretsReflector: secretsReflector,
}
}
func followInstallation(f *clientcmd.Factory, input string, pod *kapi.Pod, kclient kclient.Interface, out io.Writer) error {
fmt.Fprintf(out, "--> Installing ...\n")
// we cannot retrieve logs until the pod is out of pending
// TODO: move this to the server side
podClient := kclient.Pods(pod.Namespace)
if err := wait.PollImmediate(500*time.Millisecond, 60*time.Second, installationStarted(podClient, pod.Name, kclient.Secrets(pod.Namespace))); err != nil {
return err
}
mapper, typer := f.Object()
opts := &kcmd.LogsOptions{
Namespace: pod.Namespace,
ResourceArg: pod.Name,
Options: &kapi.PodLogOptions{
Follow: true,
Container: pod.Spec.Containers[0].Name,
},
Mapper: mapper,
Typer: typer,
ClientMapper: resource.ClientMapperFunc(f.ClientForMapping),
LogsForObject: f.LogsForObject,
Out: out,
}
_, logErr := opts.RunLogs()
// status of the pod may take tens of seconds to propagate
if err := wait.PollImmediate(500*time.Millisecond, 30*time.Second, installationComplete(podClient, pod.Name, out)); err != nil {
if err == wait.ErrWaitTimeout {
if logErr != nil {
// output the log error if one occurred
err = logErr
} else {
err = fmt.Errorf("installation may not have completed, see logs for %q for more information", pod.Name)
}
}
return err
}
return nil
}