| Tim Windelschmidt | 6d33a43 | 2025-02-04 14:34:25 +0100 | [diff] [blame] | 1 | // Copyright The Monogon Project Authors. |
| 2 | // SPDX-License-Identifier: Apache-2.0 |
| 3 | |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 4 | package main |
| 5 | |
| 6 | import ( |
| 7 | "crypto/x509" |
| 8 | "encoding/json" |
| 9 | "encoding/pem" |
| Tim Windelschmidt | d5f851b | 2024-04-23 14:59:37 +0200 | [diff] [blame] | 10 | "errors" |
| Tim Windelschmidt | 0b4fb8c | 2024-09-18 17:34:23 +0200 | [diff] [blame] | 11 | "fmt" |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 12 | "os" |
| 13 | |
| 14 | "github.com/spf13/cobra" |
| 15 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| Lorenz Brun | 20d1dd1 | 2022-07-01 12:21:42 +0000 | [diff] [blame] | 16 | clientauthentication "k8s.io/client-go/pkg/apis/clientauthentication/v1" |
| Serge Bazanski | cf23ebc | 2023-03-14 17:02:04 +0100 | [diff] [blame] | 17 | |
| 18 | "source.monogon.dev/metropolis/cli/metroctl/core" |
| Lorenz Brun | 705a402 | 2021-12-23 11:51:06 +0100 | [diff] [blame] | 19 | ) |
| 20 | |
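// k8scredpluginCmd implements the client-go exec credential protocol: it loads
// the owner credentials stored on this machine and writes them to stdout as a
// single ExecCredential JSON document. Because stdout carries the private key
// and is consumed by client-go, the command is hidden and not meant for users.
var k8scredpluginCmd = &cobra.Command{
	Use:   "k8scredplugin",
	Short: "Kubernetes client-go credential plugin [internal use]",
	Long: `This implements a Kubernetes client-go credential plugin to
authenticate client-go based callers including kubectl against a Metropolis
cluster. This should never be directly called by end users.`,
	Args:   PrintUsageOnWrongArgs(cobra.ExactArgs(0)),
	Hidden: true,
	RunE: func(cmd *cobra.Command, args []string) error {
		cert, key, err := core.GetOwnerCredentials(flags.configPath)
		if errors.Is(err, core.ErrNoCredentials) {
			// Give the user an actionable message instead of the raw sentinel.
			return errors.New("no credentials found on your machine")
		}
		if err != nil {
			return fmt.Errorf("failed to get Metropolis credentials: %w", err)
		}

		pkcs8Key, err := x509.MarshalPKCS8PrivateKey(key)
		if err != nil {
			// We explicitly pass an Ed25519 private key in, so this can't happen
			panic(err)
		}

		// Nothing but the ExecCredential document may be written to stdout:
		// client-go parses the whole stream, and it contains the private key.
		cred := clientauthentication.ExecCredential{
			TypeMeta: metav1.TypeMeta{
				APIVersion: clientauthentication.SchemeGroupVersion.String(),
				Kind:       "ExecCredential",
			},
			Status: &clientauthentication.ExecCredentialStatus{
				// Advertise the certificate's own validity end so the caller
				// knows when this credential stops being usable and can re-run
				// the plugin rather than keep using an expired certificate.
				ExpirationTimestamp:   &metav1.Time{Time: cert.NotAfter},
				ClientCertificateData: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})),
				ClientKeyData:         string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8Key})),
			},
		}
		if err := json.NewEncoder(os.Stdout).Encode(cred); err != nil {
			return fmt.Errorf("failed to encode ExecCredential: %w", err)
		}
		return nil
	},
}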
| 60 | |
// init registers the hidden credential plugin subcommand on the root command
// so client-go can invoke it as `metroctl k8scredplugin`.
func init() {
	plugin := k8scredpluginCmd
	rootCmd.AddCommand(plugin)
}