| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 1 | package main |
| 2 | |
| 3 | import ( |
| 4 | "crypto/x509" |
| 5 | "encoding/json" |
| 6 | "encoding/pem" |
| Tim Windelschmidt | d5f851b | 2024-04-23 14:59:37 +0200 | [diff] [blame] | 7 | "errors" |
| Tim Windelschmidt | 0b4fb8c | 2024-09-18 17:34:23 +0200 | [diff] [blame^] | 8 | "fmt" |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 9 | "os" |
| 10 | |
| 11 | "github.com/spf13/cobra" |
| 12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| Lorenz Brun | 20d1dd1 | 2022-07-01 12:21:42 +0000 | [diff] [blame] | 13 | clientauthentication "k8s.io/client-go/pkg/apis/clientauthentication/v1" |
| Serge Bazanski | cf23ebc | 2023-03-14 17:02:04 +0100 | [diff] [blame] | 14 | |
| 15 | "source.monogon.dev/metropolis/cli/metroctl/core" |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 16 | ) |
| 17 | |
| 18 | var k8scredpluginCmd = &cobra.Command{ |
| 19 | Use: "k8scredplugin", |
| 20 | Short: "Kubernetes client-go credential plugin [internal use]", |
| 21 | Long: `This implements a Kubernetes client-go credential plugin to |
| 22 | authenticate client-go based callers including kubectl against a Metropolis |
| 23 | cluster. This should never be directly called by end users.`, |
| Tim Windelschmidt | fc6e1cf | 2024-09-18 17:34:07 +0200 | [diff] [blame] | 24 | Args: PrintUsageOnWrongArgs(cobra.ExactArgs(0)), |
| Serge Bazanski | 1f8cad7 | 2023-03-20 16:58:10 +0100 | [diff] [blame] | 25 | Hidden: true, |
| Tim Windelschmidt | 0b4fb8c | 2024-09-18 17:34:23 +0200 | [diff] [blame^] | 26 | RunE: func(cmd *cobra.Command, args []string) error { |
| 27 | cert, key, err := core.GetOwnerCredentials(flags.configPath) |
| 28 | if errors.Is(err, core.ErrNoCredentials) { |
| 29 | return fmt.Errorf("no credentials found on your machine") |
| 30 | } |
| 31 | if err != nil { |
| 32 | return fmt.Errorf("failed to get Metropolis credentials: %w", err) |
| 33 | } |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 34 | |
| Tim Windelschmidt | 0b4fb8c | 2024-09-18 17:34:23 +0200 | [diff] [blame^] | 35 | pkcs8Key, err := x509.MarshalPKCS8PrivateKey(key) |
| 36 | if err != nil { |
| 37 | // We explicitly pass an Ed25519 private key in, so this can't happen |
| 38 | panic(err) |
| 39 | } |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 40 | |
| Tim Windelschmidt | 0b4fb8c | 2024-09-18 17:34:23 +0200 | [diff] [blame^] | 41 | cred := clientauthentication.ExecCredential{ |
| 42 | TypeMeta: metav1.TypeMeta{ |
| 43 | APIVersion: clientauthentication.SchemeGroupVersion.String(), |
| 44 | Kind: "ExecCredential", |
| 45 | }, |
| 46 | Status: &clientauthentication.ExecCredentialStatus{ |
| 47 | ClientCertificateData: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})), |
| 48 | ClientKeyData: string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8Key})), |
| 49 | }, |
| 50 | } |
| 51 | if err := json.NewEncoder(os.Stdout).Encode(cred); err != nil { |
| 52 | return fmt.Errorf("failed to encode ExecCredential: %w", err) |
| 53 | } |
| 54 | return nil |
| 55 | }, |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 56 | } |
| 57 | |
| 58 | func init() { |
| 59 | rootCmd.AddCommand(k8scredpluginCmd) |
| 60 | } |