clusterstorage first pass

cmd/main.go

@@ -1,15 +1,17 @@
 package main
 
 import (
+	"github.com/mesosphere/traefik-forward-auth/internal/api/storage/v1alpha1"
+	kubernetes "github.com/mesosphere/traefik-forward-auth/internal/kubernetes"
+	"github.com/mesosphere/traefik-forward-auth/internal/storage"
+	"github.com/mesosphere/traefik-forward-auth/internal/storage/cluster"
 	"net/http"
 	"time"
 
 	"github.com/gorilla/sessions"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-
 	internal "github.com/mesosphere/traefik-forward-auth/internal"
 	logger "github.com/mesosphere/traefik-forward-auth/internal/log"
+	k8s "k8s.io/client-go/kubernetes"
 )
 
 // Main
@@ -27,28 +29,38 @@ func main() {
 	config.SetOidcProvider()
 
 	// Get clientset for Authorizers
-	var clientset kubernetes.Interface
-	if config.EnableRBAC {
-		icc, err := rest.InClusterConfig()
-		if err != nil {
-			log.Fatalf("error getting in cluster configuration for RBAC client: %v", err)
-		}
-		clientset, err = kubernetes.NewForConfig(icc)
+	var clientset *k8s.Clientset
+	if config.EnableRBAC || config.EnableInClusterStorage {
+		var err error
+		clientset, err = kubernetes.GetClientSet()
 		if err != nil {
 			log.Fatalf("error getting kubernetes client: %v", err)
 		}
 	} else {
 		clientset = nil
 	}
 
-	// Prepare cookie session store (first key is for auth, the second one for encryption)
-	cookieStore := sessions.NewCookieStore(config.Secret, []byte(config.SessionKey))
-	cookieStore.Options.MaxAge = int(config.Lifetime / time.Second)
-	cookieStore.Options.HttpOnly = true
-	cookieStore.Options.Secure = !config.InsecureCookie
+	var userInfoStore v1alpha1.UserInfoInterface
+	if !config.EnableInClusterStorage {
+		// Prepare cookie session store (first key is for auth, the second one for encryption)
+		cookieStore := sessions.NewCookieStore(config.Secret, []byte(config.SessionKey))
+		cookieStore.Options.MaxAge = int(config.Lifetime / time.Second)
+		cookieStore.Options.HttpOnly = true
+		cookieStore.Options.Secure = !config.InsecureCookie
 
+		userInfoStore = &storage.GorillaUserInfoStore{
+			SessionStore: cookieStore,
+			SessionName:  config.ClaimsSessionName,
+		}
+	} else {
+		clusterStorage := cluster.NewClusterStore(clientset, config.ClusterStoreNamespace, config.Lifetime)
+		gc := cluster.NewGC(clusterStorage, time.Minute, false, true)
+		if err := gc.Start(); err != nil {
+			log.Fatalf("error starting GC process: %v", err)
+		}
+	}
 	// Build server
-	server := internal.NewServer(cookieStore, clientset)
+	server := internal.NewServer(userInfoStore, clientset)
 
 	// Attach router to default server
 	http.HandleFunc("/", server.RootHandler)

go.sum

@@ -59,7 +59,6 @@ github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4er
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
@@ -93,19 +92,16 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -128,12 +124,10 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -170,7 +164,6 @@ github.com/vulcand/predicate v1.1.0/go.mod h1:mlccC5IRBoc2cIFmCB8ZM62I3VDb6p2GXE
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -185,7 +178,6 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
@@ -207,12 +199,10 @@ golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO9UxmJRx8K0gsfABByQ=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
@@ -228,7 +218,6 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

internal/api/storage/v1alpha1/errors.go

@@ -0,0 +1,12 @@
+package v1alpha1
+
+import (
+	"errors"
+	"fmt"
+)
+
+var ErrUserDataStore = errors.New("userdata storage error")
+
+func UserDataStoreError(msg string) error {
+	return fmt.Errorf("%w: %s", ErrUserDataStore, msg)
+}

internal/api/storage/v1alpha1/interface.go

@@ -0,0 +1,9 @@
+package v1alpha1
+
+import "net/http"
+
+type UserInfoInterface interface {
+	Clear(r *http.Request, w http.ResponseWriter) error
+	Get(r *http.Request) (*UserInfo, error)
+	Save(r *http.Request, w http.ResponseWriter, info *UserInfo) error
+}

internal/api/storage/v1alpha1/types.go

@@ -0,0 +1,7 @@
+package v1alpha1
+
+type UserInfo struct {
+	Username string
+	Email    string
+	Groups   []string
+}

internal/auth.go

@@ -132,7 +132,7 @@ func MakeIDCookie(r *http.Request, email string) *http.Cookie {
 		Name:     config.CookieName,
 		Value:    value,
 		Path:     "/",
-		Domain:   cookieDomain(r),
+		Domain:   GetCookieDomain(r),
 		HttpOnly: true,
 		Secure:   !config.InsecureCookie,
 		Expires:  expires,
@@ -147,7 +147,7 @@ func MakeNameCookie(r *http.Request, name string) *http.Cookie {
 		Name:     config.UserCookieName,
 		Value:    name,
 		Path:     "/",
-		Domain:   cookieDomain(r),
+		Domain:   GetCookieDomain(r),
 		HttpOnly: false,
 		Secure:   false,
 		Expires:  expires,
@@ -213,7 +213,7 @@ func Nonce() (error, string) {
 }
 
 // Cookie domain
-func cookieDomain(r *http.Request) string {
+func GetCookieDomain(r *http.Request) string {
 	host := r.Header.Get("X-Forwarded-Host")
 
 	// Check if any of the given cookie domains matches
@@ -252,7 +252,7 @@ func matchCookieDomains(domain string) (bool, string) {
 // Create cookie hmac
 func cookieSignature(r *http.Request, email, expires string) string {
 	hash := hmac.New(sha256.New, config.Secret)
-	hash.Write([]byte(cookieDomain(r)))
+	hash.Write([]byte(GetCookieDomain(r)))
 	hash.Write([]byte(email))
 	hash.Write([]byte(expires))
 	return base64.URLEncoding.EncodeToString(hash.Sum(nil))

internal/authorization/rbac/rbac.go

@@ -16,9 +16,7 @@ import (
 )
 
 const (
-	// using config would be a circular import unless I wanted to fix everything now
-	// TODO (jr): fix everything
-	cacheSyncDuration = time.Minute * time.Duration(10)
+	cacheSyncDuration = time.Minute * 10
 )
 
 type RBACAuthorizer struct {

internal/authorization/rbac/rbac_test.go

@@ -139,14 +139,12 @@ func TestRBACAuthorizer_Authorize(t *testing.T) {
 	}
 }
 
-
 func TestRBACAuthorizer_Authorize2(t *testing.T) {
 	test := testCase{
 
-			user: authorization.User{Name: "[email protected]", Groups:[]string{"oidc:chemists"}},
-			url: "/ops/portal/grafana/public/fonts/roboto/RxZJdnzeo3R5zSexge8UUVtXRa8TVwTICgirnJhmVJw.woff2",
-			should: allow,
-
+		user:   authorization.User{Name: "[email protected]", Groups: []string{"oidc:chemists"}},
+		url:    "/ops/portal/grafana/public/fonts/roboto/RxZJdnzeo3R5zSexge8UUVtXRa8TVwTICgirnJhmVJw.woff2",
+		should: allow,
 	}
 
 	role := makeRole("grafana-admin", []string{"*"}, []string{"/ops/portal/grafana", "/ops/portal/grafana/*"})
@@ -157,4 +155,4 @@ func TestRBACAuthorizer_Authorize2(t *testing.T) {
 
 	assert.NilError(t, err)
 	assert.Equal(t, result, test.should)
-}
+}

internal/config.go

@@ -43,7 +43,7 @@ type Config struct {
 	EmailHeaderNames        CommaSeparatedList   `long:"email-header-names" env:"EMAIL_HEADER_NAMES" default:"X-Forwarded-User" description:"Response headers containing the authenticated user's username"`
 	UserCookieName          string               `long:"user-cookie-name" env:"USER_COOKIE_NAME" default:"_forward_auth_name" description:"User Cookie Name"`
 	CSRFCookieName          string               `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
-	GroupsSessionName       string               `long:"groups-session-name" env:"GROUPS_SESSION_NAME" default:"_forward_auth_claims" description:"Groups Session Name"`
+	ClaimsSessionName       string               `long:"claims-session-name" env:"CLAIMS_SESSION_NAME" default:"_forward_auth_claims" description:"Name of the claims session"`
 	DefaultAction           string               `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default action"`
 	Domains                 CommaSeparatedList   `long:"domain" env:"DOMAIN" description:"Only allow given email domains, can be set multiple times"`
 	LifetimeString          int                  `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
@@ -56,11 +56,14 @@ type Config struct {
 	GroupClaimPrefix        string               `long:"group-claim-prefix" env:"GROUP_CLAIM_PREFIX" default:"oidc:" description:"prefix oidc group claims with this value"`
 	SessionKey              string               `long:"session-key" env:"SESSION_KEY" description:"A session key used to encrypt browser sessions"`
 	GroupsAttributeName     string               `long:"groups-attribute-name" env:"GROUPS_ATTRIBUTE_NAME" default:"groups" description:"Map the correct attribute that contain the user groups"`
-
+	ClusterStoreNamespace   string               `long:"cluster-store-namespace" env:"CLUSTER_STORE_NAMESPACE" default:"default" description:"Namespace to store userinfo secrets"`
 	// RBAC
 	EnableRBAC       bool               `long:"enable-rbac" env:"ENABLE_RBAC" description:"Indicates that RBAC support should be enabled"`
 	AuthZPassThrough CommaSeparatedList `long:"authz-pass-through" env:"AUTHZ_PASS_THROUGH" description:"One or more routes which bypass authorization checks"`
 
+	// Storage
+	EnableInClusterStorage bool `long:"enable-in-cluster-storage" env:"ENABLE_IN_CLUSTER_STORAGE" description:"When true, sessions are store in a kubernetes apiserver"`
+
 	// Filled during transformations
 	OIDCContext         context.Context
 	OIDCProvider        *oidc.Provider

internal/kubernetes/client.go

@@ -0,0 +1,38 @@
+package kubernetes
+
+import (
+	"fmt"
+	k8s "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"os"
+)
+
+const (
+	KubeConfigEnv = "KUBECONFIG"
+)
+
+// GetClientSet will attempt to get an external cluster configuration if the KUBECONFIG environment
+// variable is set. Otherwise will attempt to get an in-cluster configuration.
+func GetClientSet() (*k8s.Clientset, error) {
+	configPath := os.Getenv(KubeConfigEnv)
+	var config *rest.Config
+	var err error
+	if configPath != "" {
+		config, err = clientcmd.BuildConfigFromFlags("", configPath)
+		if err != nil {
+			return nil, fmt.Errorf("error getting rest config from %s: %w", configPath, err)
+		}
+	} else {
+		config, err = rest.InClusterConfig()
+		if err != nil {
+			return nil, fmt.Errorf("error getting in cluster configuration: %w", err)
+		}
+	}
+
+	clientset, err := k8s.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("error getting clientset from config: %w", err)
+	}
+	return clientset, nil
+}