Lorenz Brun705a4022021-12-23 11:51:06 +01001package main
2
3import (
4 "crypto/x509"
5 "encoding/json"
6 "encoding/pem"
7 "log"
8 "os"
9
10 "github.com/spf13/cobra"
11 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
12 clientauthentication "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
13)
14
// k8scredpluginCmd is the "k8scredplugin" subcommand. It takes no positional
// arguments and hands control to doK8sCredPlugin, which prints an
// ExecCredential for client-go based callers to consume.
//
// NOTE(review): the command is declared internal only through its help text.
// Nothing in this literal hides it from the command listing (cobra's Hidden
// field is left unset), so a user can still invoke it by hand and have the
// client private key written to their terminal.
var k8scredpluginCmd = &cobra.Command{
	Use:  "k8scredplugin",
	Args: cobra.ExactArgs(0),
	Run:  doK8sCredPlugin,

	Short: "Kubernetes client-go credential plugin [internal use]",
	Long: `This implements a Kubernetes client-go credential plugin to
authenticate client-go based callers including kubectl against a Metropolis
cluster. This should never be directly called by end users.`,
}
24
// doK8sCredPlugin is the Run handler of the k8scredplugin subcommand. It loads
// the local Metropolis client certificate and private key via getCredentials,
// PEM-encodes both and writes them to stdout as a client-go ExecCredential
// JSON document. Any failure terminates the process through log.Fatal/Fatalf.
//
// Security notes:
//   - The JSON written to stdout contains the unencrypted private key
//     (ClientKeyData). Stdout is the channel an exec credential plugin uses to
//     hand credentials to its caller, so it must never be redirected into
//     logs, CI output or shell history. The function does not check whether
//     stdout is a terminal.
//   - No ExpirationTimestamp is set on the status, so the caller receives no
//     hint about when to re-run the plugin and refresh the credentials.
//   - Diagnostics go through the log package (stderr by default), which keeps
//     them out of the JSON stream on stdout.
func doK8sCredPlugin(cmd *cobra.Command, args []string) {
	clientCert, clientKey, err := getCredentials()
	switch {
	case err == noCredentialsError:
		// NOTE(review): a plain == only matches the unwrapped sentinel. If
		// getCredentials ever wraps it, this case is skipped and the generic
		// branch below reports the error instead.
		log.Fatal("No credentials found on your machine")
	case err != nil:
		log.Fatalf("failed to get Metropolis credentials: %v", err)
	}

	keyDER, err := x509.MarshalPKCS8PrivateKey(clientKey)
	if err != nil {
		// The key passed in is explicitly an Ed25519 private key, so
		// marshalling cannot fail; treat a failure as a broken invariant.
		panic(err)
	}

	// PEM-encode the certificate and the PKCS#8 key for the credential status.
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientCert.Raw})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})

	status := &clientauthentication.ExecCredentialStatus{
		ClientCertificateData: string(certPEM),
		ClientKeyData:         string(keyPEM),
	}
	cred := clientauthentication.ExecCredential{
		TypeMeta: metav1.TypeMeta{
			APIVersion: clientauthentication.SchemeGroupVersion.String(),
			Kind:       "ExecCredential",
		},
		Status: status,
	}

	// Emit the credential as a single JSON document on stdout.
	enc := json.NewEncoder(os.Stdout)
	if err := enc.Encode(cred); err != nil {
		log.Fatalf("failed to encode ExecCredential: %v", err)
	}
}
54
// init attaches the k8scredplugin subcommand to the root command when the
// package is loaded, so it is reachable from the same binary as every other
// subcommand.
func init() {
	rootCmd.AddCommand(k8scredpluginCmd)
}