2021-08-10 20:22:40 +00:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
images/kube-webhook-certgen/rootfs: add support for patching APIService objects (#7641)
* images/kube-webhook-certgen/rootfs/pkg/k8s: return err from functions
Initially only from some to preserve existing behavior.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: make patching return error
So we don't call log.Fatal in so many places, which makes code testable.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: require context
So initialize top-level contexts in tests and CLI, then pass them around
all the way down, so there is an ability e.g. to add timeouts to patch
operations, if needed and to follow general conventions.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: support patching APIService
APIService object is very similar to MutatingWebhookConfiguration and
ValidatingWebhookConfiguration objects, so support for patching it
shouldn't be too much of a burden.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: use new patch API
So old function PatchWebhookConfigurations can be unexported and CLI can
be extended to also support patching APIService.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: unexport old patch function
PatchObjects should be now used instead.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: add .gitignore
To ignore manually built binaries during development process.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: test patching
By adding a PatchConfig and Patch function, it is now possible to test
logic of flag validation, which was previously tied to CLI options.
This commit adds nice set of tests covering existing logic.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: improve formatting
Those strings will be changed anyway in future commits, so at first we
can properly capitalize used names.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: support patching APIService
As logic for creating a CA certificate and patching an object is almost
the same for both webhook configuration and API services, this commit
adds support to kube-webhook-certgen CLI to also patch APIService
objects, so they can be served over TLS as well.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: pass failure policy by value
k8s.k8s.patchWebhookConfigurations() always dereferences it and we do
not do a nil check, so the code may panic in some conditions, so it's
safer to just pass it by value, as it's just a wrapped string.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
2021-09-26 17:44:22 +00:00
|
|
|
"context"
|
|
|
|
|
|
2021-08-10 20:22:40 +00:00
|
|
|
"github.com/jet/kube-webhook-certgen/pkg/certs"
|
|
|
|
|
"github.com/jet/kube-webhook-certgen/pkg/k8s"
|
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
|
"github.com/spf13/cobra"
|
|
|
|
|
)
|
|
|
|
|
|
2021-09-16 20:59:26 +00:00
|
|
|
var create = &cobra.Command{
|
|
|
|
|
Use: "create",
|
|
|
|
|
Short: "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
|
|
|
|
|
Long: "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
|
|
|
|
|
PreRun: configureLogging,
|
|
|
|
|
Run: createCommand,
|
|
|
|
|
}
|
2021-08-10 20:22:40 +00:00
|
|
|
|
|
|
|
|
func createCommand(cmd *cobra.Command, args []string) {
|
images/kube-webhook-certgen/rootfs: add support for patching APIService objects (#7641)
* images/kube-webhook-certgen/rootfs/pkg/k8s: return err from functions
Initially only from some to preserve existing behavior.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: make patching return error
So we don't call log.Fatal in so many places, which makes code testable.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: require context
So initialize top-level contexts in tests and CLI, then pass them around
all the way down, so there is an ability e.g. to add timeouts to patch
operations, if needed and to follow general conventions.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: support patching APIService
APIService object is very similar to MutatingWebhookConfiguration and
ValidatingWebhookConfiguration objects, so support for patching it
shouldn't be too much of a burden.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: use new patch API
So old function PatchWebhookConfigurations can be unexported and CLI can
be extended to also support patching APIService.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: unexport old patch function
PatchObjects should be now used instead.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: add .gitignore
To ignore manually built binaries during development process.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: test patching
By adding a PatchConfig and Patch function, it is now possible to test
logic of flag validation, which was previously tied to CLI options.
This commit adds nice set of tests covering existing logic.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: improve formatting
Those strings will be changed anyway in future commits, so at first we
can properly capitalize used names.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: support patching APIService
As logic for creating a CA certificate and patching an object is almost
the same for both webhook configuration and API services, this commit
adds support to kube-webhook-certgen CLI to also patch APIService
objects, so they can be served over TLS as well.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: pass failure policy by value
k8s.k8s.patchWebhookConfigurations() always dereferences it and we do
not do a nil check, so the code may panic in some conditions, so it's
safer to just pass it by value, as it's just a wrapped string.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
2021-09-26 17:44:22 +00:00
|
|
|
clientset, aggregatorClientset := newKubernetesClients(cfg.kubeconfig)
|
|
|
|
|
k := k8s.New(clientset, aggregatorClientset)
|
|
|
|
|
|
|
|
|
|
ctx := context.TODO()
|
|
|
|
|
|
|
|
|
|
ca := k.GetCaFromSecret(ctx, cfg.secretName, cfg.namespace)
|
2021-08-10 20:22:40 +00:00
|
|
|
if ca == nil {
|
|
|
|
|
log.Info("creating new secret")
|
|
|
|
|
newCa, newCert, newKey := certs.GenerateCerts(cfg.host)
|
|
|
|
|
ca = newCa
|
images/kube-webhook-certgen/rootfs: add support for patching APIService objects (#7641)
* images/kube-webhook-certgen/rootfs/pkg/k8s: return err from functions
Initially only from some to preserve existing behavior.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: make patching return error
So we don't call log.Fatal in so many places, which makes code testable.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: require context
So initialize top-level contexts in tests and CLI, then pass them around
all the way down, so there is an ability e.g. to add timeouts to patch
operations, if needed and to follow general conventions.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: support patching APIService
APIService object is very similar to MutatingWebhookConfiguration and
ValidatingWebhookConfiguration objects, so support for patching it
shouldn't be too much of a burden.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: use new patch API
So old function PatchWebhookConfigurations can be unexported and CLI can
be extended to also support patching APIService.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/pkg/k8s: unexport old patch function
PatchObjects should be now used instead.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: add .gitignore
To ignore manually built binaries during development process.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: test patching
By adding a PatchConfig and Patch function, it is now possible to test
logic of flag validation, which was previously tied to CLI options.
This commit adds nice set of tests covering existing logic.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: improve formatting
Those strings will be changed anyway in future commits, so at first we
can properly capitalize used names.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs/cmd: support patching APIService
As logic for creating a CA certificate and patching an object is almost
the same for both webhook configuration and API services, this commit
adds support to kube-webhook-certgen CLI to also patch APIService
objects, so they can be served over TLS as well.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
* images/kube-webhook-certgen/rootfs: pass failure policy by value
k8s.k8s.patchWebhookConfigurations() always dereferences it and we do
not do a nil check, so the code may panic in some conditions, so it's
safer to just pass it by value, as it's just a wrapped string.
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
2021-09-26 17:44:22 +00:00
|
|
|
k.SaveCertsToSecret(ctx, cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
|
2021-08-10 20:22:40 +00:00
|
|
|
} else {
|
|
|
|
|
log.Info("secret already exists")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
rootCmd.AddCommand(create)
|
|
|
|
|
create.Flags().StringVar(&cfg.host, "host", "", "Comma-separated hostnames and IPs to generate a certificate for")
|
|
|
|
|
create.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be written")
|
|
|
|
|
create.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be written")
|
|
|
|
|
create.Flags().StringVar(&cfg.certName, "cert-name", "cert", "Name of cert file in the secret")
|
|
|
|
|
create.Flags().StringVar(&cfg.keyName, "key-name", "key", "Name of key file in the secret")
|
|
|
|
|
create.MarkFlagRequired("host")
|
|
|
|
|
create.MarkFlagRequired("secret-name")
|
|
|
|
|
create.MarkFlagRequired("namespace")
|
|
|
|
|
}
|