-
Notifications
You must be signed in to change notification settings - Fork 40
/
main.go
291 lines (237 loc) · 11 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package main
import (
goflag "flag"
"fmt"
"os"
"time"
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
capsuleindexer "github.com/projectcapsule/capsule/pkg/indexer"
"github.com/projectcapsule/capsule/pkg/indexer/tenant"
flag "github.com/spf13/pflag"
"github.com/thediveo/enumflag"
"go.uber.org/zap/zapcore"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/component-base/featuregate"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
capsuleproxyv1beta1 "github.com/projectcapsule/capsule-proxy/api/v1beta1"
"github.com/projectcapsule/capsule-proxy/internal/controllers"
"github.com/projectcapsule/capsule-proxy/internal/controllers/watchdog"
"github.com/projectcapsule/capsule-proxy/internal/features"
"github.com/projectcapsule/capsule-proxy/internal/indexer"
"github.com/projectcapsule/capsule-proxy/internal/options"
"github.com/projectcapsule/capsule-proxy/internal/request"
"github.com/projectcapsule/capsule-proxy/internal/webserver"
)
//nolint:funlen,cyclop,maintidx,gocognit
func main() {
scheme := runtime.NewScheme()
log := ctrl.Log.WithName("main")
utilruntime.Must(clientgoscheme.AddToScheme(scheme))
utilruntime.Must(capsulev1beta1.AddToScheme(scheme))
utilruntime.Must(capsulev1beta2.AddToScheme(scheme))
utilruntime.Must(capsuleproxyv1beta1.AddToScheme(scheme))
utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
var (
err error
mgr ctrl.Manager
certPath, keyPath, usernameClaimField, capsuleConfigurationName, impersonationGroupsRegexp string
capsuleUserGroups, ignoredUserGroups, ignoreImpersonationGroups []string
listeningPort uint
bindSsl, disableCaching bool
rolebindingsResyncPeriod time.Duration
clientConnectionQPS float32
clientConnectionBurst int32
)
gates := featuregate.NewFeatureGate()
utilruntime.Must(gates.Add(map[featuregate.Feature]featuregate.FeatureSpec{
features.ProxyAllNamespaced: {
Default: false,
LockToDefault: false,
PreRelease: featuregate.Alpha,
},
features.SkipImpersonationReview: {
Default: false,
LockToDefault: false,
PreRelease: featuregate.Alpha,
},
features.ProxyClusterScoped: {
Default: false,
LockToDefault: false,
PreRelease: featuregate.Alpha,
},
}))
authTypes := []request.AuthType{
request.TLSCertificate,
request.BearerToken,
}
authTypesMap := map[request.AuthType][]string{
request.BearerToken: {request.BearerToken.String()},
request.TLSCertificate: {request.TLSCertificate.String()},
}
flag.StringVar(&capsuleConfigurationName, "capsule-configuration-name", "default", "Name of the CapsuleConfiguration used to retrieve the Capsule user groups names")
flag.StringSliceVar(&capsuleUserGroups, "capsule-user-group", []string{}, "Names of the groups for capsule users (deprecated: use capsule-configuration-name)")
flag.StringSliceVar(&ignoredUserGroups, "ignored-user-group", []string{}, "Names of the groups which requests must be ignored and proxy-passed to the upstream server")
flag.StringSliceVar(&ignoreImpersonationGroups, "ignored-impersonation-group", []string{}, "Names of the groups which are not used for impersonation (considered after impersonation-group-regexp)")
flag.StringVar(&impersonationGroupsRegexp, "impersonation-group-regexp", "", "Regular expression to match the groups which are considered for impersonation")
flag.UintVar(&listeningPort, "listening-port", 9001, "HTTP port the proxy listens to (default: 9001)")
flag.StringVar(&usernameClaimField, "oidc-username-claim", "preferred_username", "The OIDC field name used to identify the user (default: preferred_username)")
flag.BoolVar(&bindSsl, "enable-ssl", true, "Enable the bind on HTTPS for secure communication (default: true)")
flag.StringVar(&certPath, "ssl-cert-path", "", "Path to the TLS certificate (default: /opt/capsule-proxy/tls.crt)")
flag.StringVar(&keyPath, "ssl-key-path", "", "Path to the TLS certificate key (default: /opt/capsule-proxy/tls.key)")
flag.DurationVar(&rolebindingsResyncPeriod, "rolebindings-resync-period", 10*time.Hour, "Resync period for rolebindings reflector")
flag.Var(enumflag.NewSlice(&authTypes, "string", authTypesMap, enumflag.EnumCaseSensitive), "auth-preferred-types",
`Authentication types to be used for requests. Possible Auth Types: [BearerToken, TLSCertificate]
First match is used and can be specified multiple times as comma separated values or by using the flag multiple times.`)
flag.BoolVar(&disableCaching, "disable-caching", false, "Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector (default: false)")
flag.Float32Var(&clientConnectionQPS, "client-connection-qps", 20.0, "QPS to use for interacting with kubernetes apiserver.")
flag.Int32Var(&clientConnectionBurst, "client-connection-burst", 30, "Burst to use for interacting with kubernetes apiserver.")
gates.AddFlag(flag.CommandLine)
opts := zap.Options{
EncoderConfigOptions: append([]zap.EncoderConfigOption{}, func(config *zapcore.EncoderConfig) {
config.EncodeTime = zapcore.ISO8601TimeEncoder
}),
}
var goFlagSet goflag.FlagSet
opts.BindFlags(&goFlagSet)
flag.CommandLine.AddGoFlagSet(&goFlagSet)
flag.Parse()
logger := zap.New(zap.UseFlagOptions(&opts))
ctrl.SetLogger(logger)
for feat := range gates.GetAll() {
log.Info("feature gate status", "name", feat, "enabled", gates.Enabled(feat))
}
log.Info("---")
log.Info(fmt.Sprintf("Manager listening on port %d", listeningPort))
log.Info(fmt.Sprintf("Listening on HTTPS: %t", bindSsl))
if !bindSsl {
switch {
case len(certPath) > 0:
log.Info("cannot use a Certificate when TLS/SSL mode is disabled")
os.Exit(1)
case len(keyPath) > 0:
log.Info("cannot use a Certificate key when TLS/SSL mode is disabled")
os.Exit(1)
}
}
if len(capsuleUserGroups) > 0 {
log.Info(
"the CLI flags --capsule-user-group is deprecated, " +
"please use the new one --capsule-configuration-name to select the CapsuleConfiguration")
log.Info(fmt.Sprintf("The selected Capsule User Groups are %v", capsuleUserGroups))
}
log.Info(fmt.Sprintf("The ignored User Groups are %v", ignoredUserGroups))
log.Info(fmt.Sprintf("The OIDC username selected is %s", usernameClaimField))
if impersonationGroupsRegexp != "" {
log.Info(fmt.Sprintf("The Group impersonation Regexp %s", impersonationGroupsRegexp))
}
if len(ignoreImpersonationGroups) > 0 {
log.Info(fmt.Sprintf("The Groups dropped for impersonation %s", ignoreImpersonationGroups))
}
if gates.Enabled(features.SkipImpersonationReview) {
log.Info("SECURITY IMPLICATION: Skipping Impersonation reviews are enabled!")
}
log.Info("---")
log.Info("Creating the manager")
config := ctrl.GetConfigOrDie()
config.QPS = clientConnectionQPS
config.Burst = int(clientConnectionBurst)
mgr, err = ctrl.NewManager(config, ctrl.Options{
Scheme: scheme,
HealthProbeBindAddress: ":8081",
})
if err != nil {
log.Error(err, "cannot create new Manager")
os.Exit(1)
}
var rbReflector *controllers.RoleBindingReflector
if !disableCaching {
log.Info("Creating the Rolebindings reflector")
if rbReflector, err = controllers.NewRoleBindingReflector(config, rolebindingsResyncPeriod); err != nil {
log.Error(err, "cannot create Rolebindings reflector")
os.Exit(1)
}
log.Info("Adding the Rolebindings reflector to the Manager")
if err = mgr.Add(rbReflector); err != nil {
log.Error(err, "cannot add Rolebindings reflector as Runnable")
os.Exit(1)
}
} else {
log.Info("Cache is disabled, cannot create Rolebindings reflector")
}
ctx := ctrl.SetupSignalHandler()
log.Info("Creating the Field Indexer")
indexers := []capsuleindexer.CustomIndexer{
&tenant.NamespacesReference{Obj: &capsulev1beta2.Tenant{}},
&tenant.OwnerReference{},
&indexer.ProxySetting{},
}
for _, fieldIndex := range indexers {
if err = mgr.GetFieldIndexer().IndexField(ctx, fieldIndex.Object(), fieldIndex.Field(), fieldIndex.Func()); err != nil {
log.Error(err, "cannot create new Field Indexer")
os.Exit(1)
}
}
var r webserver.Filter
log.Info("Creating the NamespaceFilter runner")
var listenerOpts options.ListenerOpts
if listenerOpts, err = options.NewKube(authTypes, ignoredUserGroups, usernameClaimField, config, ignoreImpersonationGroups, impersonationGroupsRegexp, gates.Enabled(features.SkipImpersonationReview)); err != nil {
log.Error(err, "cannot create Kubernetes options")
os.Exit(1)
}
var serverOpts options.ServerOptions
if serverOpts, err = options.NewServer(bindSsl, listeningPort, certPath, keyPath, config); err != nil {
log.Error(err, "cannot create Kubernetes options")
os.Exit(1)
}
var clientOverride client.Reader
if disableCaching {
clientOverride = mgr.GetAPIReader()
} else {
clientOverride = mgr.GetClient()
}
r, err = webserver.NewKubeFilter(listenerOpts, serverOpts, gates, rbReflector, clientOverride, mgr.GetClient())
if err != nil {
log.Error(err, "cannot create NamespaceFilter runner")
os.Exit(1)
}
log.Info("Adding the NamespaceFilter runner to the Manager")
if err = (&controllers.CapsuleConfiguration{
Client: mgr.GetClient(),
CapsuleConfigurationName: capsuleConfigurationName,
DeprecatedCapsuleUserGroups: capsuleUserGroups,
}).SetupWithManager(ctx, mgr); err != nil {
log.Error(err, "cannot start CapsuleConfiguration controller for User Group list retrieval")
os.Exit(1)
}
if gates.Enabled(features.ProxyAllNamespaced) {
if err = (&watchdog.CRDWatcher{Client: mgr.GetClient()}).SetupWithManager(ctx, mgr); err != nil {
log.Error(err, "cannot start watchdog.CRDWatcher controller for features.ProxyAllNamespaced")
os.Exit(1)
}
}
if err = mgr.Add(r); err != nil {
log.Error(err, "cannot add NameSpaceFilter as Runnable")
os.Exit(1)
}
if err = mgr.AddHealthzCheck("healthz", r.LivenessProbe); err != nil {
log.Error(err, "cannot create healthcheck probe")
os.Exit(1)
}
if err = mgr.AddReadyzCheck("ready", r.ReadinessProbe); err != nil {
log.Error(err, "cannot create readiness probe")
os.Exit(1)
}
log.Info("Starting the Manager")
if err = mgr.Start(ctx); err != nil {
log.Error(err, "cannot start the Manager")
os.Exit(1)
}
}