package main
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"fmt"
"strings"
log "github.com/sirupsen/logrus"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
)
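// run connects to the cluster described by k8sConfigFile (or to the in-cluster
// config when it is empty), ensures the token signing key exists, then watches
// every ServiceAccount in the cluster. For each ServiceAccount whose
// annotations contain the key "azure.pod.identity/use" (matched
// case-insensitively; the value is not inspected) it keeps a Secret named
// "arc-<serviceaccount name>" in the account's namespace holding a signed
// token under the "token" key, and deletes that Secret when the
// ServiceAccount is deleted.
//
// Setup failures (client config, clientset, signing key, establishing the
// watch) panic; per-object API failures are logged and the watch continues.
// The function returns when the API server closes the watch channel — it is
// not re-established here.
func run(k8sConfigFile string) {
	config, err := buildClientConfig(k8sConfigFile)
	if err != nil {
		panic(err.Error())
	}
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}
	if err = loadSigningKey(clientset); err != nil {
		panic(err.Error())
	}

	// An empty namespace selects ServiceAccounts across all namespaces.
	w, err := clientset.CoreV1().ServiceAccounts("").Watch(context.TODO(), metav1.ListOptions{})
	if err != nil {
		// Without this check a failed Watch leaves w nil and the ResultChan()
		// call below dies with a nil-pointer dereference instead of a readable
		// error.
		panic(fmt.Sprintf("watching service accounts: %v", err))
	}
	defer w.Stop()

	for event := range w.ResultChan() {
		sa, ok := event.Object.(*v1.ServiceAccount)
		if !ok {
			// Error events carry a Status object rather than a ServiceAccount.
			log.Infof("unexpected type")
			continue
		}
		if !hasUseAnnotation(sa.Annotations) {
			continue
		}
		secretName := "arc-" + sa.Name
		if event.Type == watch.Deleted {
			deleteTokenSecret(clientset, sa.Namespace, secretName)
		} else {
			createTokenSecret(clientset, sa.Namespace, secretName)
		}
	}
}

// buildClientConfig returns the config built from the kubeconfig file when
// k8sConfigFile is non-empty, otherwise the in-cluster config.
func buildClientConfig(k8sConfigFile string) (*rest.Config, error) {
	if k8sConfigFile != "" {
		return clientcmd.BuildConfigFromFlags("", k8sConfigFile)
	}
	return rest.InClusterConfig()
}

// hasUseAnnotation reports whether annotations contains the
// "azure.pod.identity/use" key. The comparison is case-insensitive, as in the
// original loop, and the annotation's value is ignored.
func hasUseAnnotation(annotations map[string]string) bool {
	for key := range annotations {
		if strings.EqualFold(key, "azure.pod.identity/use") {
			return true
		}
	}
	return false
}

// deleteTokenSecret removes the token Secret belonging to a deleted
// ServiceAccount. A Secret that is already gone is not treated as an error,
// since it may never have been created for this account.
func deleteTokenSecret(clientset *kubernetes.Clientset, namespace, name string) {
	err := clientset.CoreV1().Secrets(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
	switch {
	case err == nil:
		log.Infof("Deleted secret %s:%s", namespace, name)
	case !errors.IsNotFound(err):
		log.Errorf("Unable to delete secret %s:%s. %v ", namespace, name, err.Error())
	}
}

// createTokenSecret mints a token and stores it in a Secret called name in the
// given namespace. An existing Secret is left untouched (AlreadyExists is not
// an error), so a token is never rewritten once stored. A token-signing
// failure is fatal, as in the original.
func createTokenSecret(clientset *kubernetes.Clientset, namespace, name string) {
	// NOTE(review): the second argument is the Secret name ("arc-<sa>"), not the
	// ServiceAccount name — kept exactly as the original called it; confirm
	// that getSAToken expects the Secret name.
	token, err := getSAToken(namespace, name)
	if err != nil {
		panic(err)
	}
	// NOTE(review): the Secret carries no ownerReference to the ServiceAccount,
	// so it is cleaned up only by the watch.Deleted branch in run; if this
	// controller is not running when the account is deleted the Secret (and
	// the token in it) is orphaned.
	s := v1.Secret{}
	s.Name = name
	s.StringData = map[string]string{"token": token}
	_, err = clientset.CoreV1().Secrets(namespace).Create(context.TODO(), &s, metav1.CreateOptions{})
	switch {
	case err == nil:
		log.Infof("Created secret %s:%s", namespace, name)
	case !errors.IsAlreadyExists(err):
		log.Errorf("Unable to add secret %s:%s. %v", namespace, name, err.Error())
	}
}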
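// loadSigningKey makes the RSA signing key available to the token signer. The
// key is read from Secret azure-arc/arc-cidp, field "signing-key", stored as
// PKCS#1 DER. When that Secret does not exist it is generated, written there
// and then used, so every replica ends up signing with the same persisted key.
// The key is handed to initSwSKey and the resulting JWK is printed.
//
// Every failure is returned as a wrapped error rather than panicking inside
// this function (run panics on the returned error, so the overall outcome is
// unchanged, but callers that prefer to recover can now do so).
func loadSigningKey(clientset *kubernetes.Clientset) error {
	const (
		namespace  = "azure-arc"
		secretName = "arc-cidp"
		keyField   = "signing-key"
		// keyBits is the modulus size for a freshly generated key. The original
		// used 2096, almost certainly a typo for 2048 — the smallest size
		// generally accepted for RSA signatures and the one interoperating
		// validators expect. Keys already stored in the Secret are loaded as-is
		// whatever their size.
		keyBits = 2048
	)
	secrets := clientset.CoreV1().Secrets(namespace)

	var key *rsa.PrivateKey
	s, err := secrets.Get(context.TODO(), secretName, metav1.GetOptions{})
	switch {
	case err == nil:
		log.Info("Loading signing key azure-arc:arc-cidp")
		key, err = parseSigningKeySecret(s, keyField)
		if err != nil {
			return err
		}
	case errors.IsNotFound(err):
		log.Info("Generating signing key")
		key, err = rsa.GenerateKey(rand.Reader, keyBits)
		if err != nil {
			return fmt.Errorf("generating signing key: %w", err)
		}
		cs := v1.Secret{}
		cs.Name = secretName
		cs.Data = map[string][]byte{keyField: x509.MarshalPKCS1PrivateKey(key)}
		_, err = secrets.Create(context.TODO(), &cs, metav1.CreateOptions{})
		if err != nil && errors.IsAlreadyExists(err) {
			// Another replica won the race between Get and Create; sign with
			// the key that was actually persisted rather than with one that
			// nobody else can verify.
			s, err = secrets.Get(context.TODO(), secretName, metav1.GetOptions{})
			if err == nil {
				key, err = parseSigningKeySecret(s, keyField)
			}
		}
		if err != nil {
			return fmt.Errorf("storing signing key %s/%s: %w", namespace, secretName, err)
		}
	default:
		return fmt.Errorf("reading signing key %s/%s: %w", namespace, secretName, err)
	}

	if err = initSwSKey(key); err != nil {
		return fmt.Errorf("initialising signing key: %w", err)
	}
	// NOTE(review): assumes JWK() renders only the public half of the key —
	// confirm before this output is shipped to a shared log sink.
	fmt.Printf("Signing JWK: %s\n", getSwSKey().JWK())
	return nil
}

// parseSigningKeySecret extracts the PKCS#1 private key stored under field in
// the Secret's Data. The original checked a stale err here instead of the
// field's presence; a missing or empty field is now reported explicitly.
func parseSigningKeySecret(s *v1.Secret, field string) (*rsa.PrivateKey, error) {
	pkb, ok := s.Data[field]
	if !ok || len(pkb) == 0 {
		return nil, fmt.Errorf("secret %s/%s has no %q field", s.Namespace, s.Name, field)
	}
	key, err := x509.ParsePKCS1PrivateKey(pkb)
	if err != nil {
		return nil, fmt.Errorf("parsing signing key from secret %s/%s: %w", s.Namespace, s.Name, err)
	}
	return key, nil
}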