2019-01-18 01:50:10 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package rest
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"errors"
|
|
|
|
|
"net/http"
|
|
|
|
|
|
2021-05-15 10:08:31 +00:00
|
|
|
"k8s.io/client-go/pkg/apis/clientauthentication"
|
2019-01-18 01:50:10 +00:00
|
|
|
"k8s.io/client-go/plugin/pkg/client/auth/exec"
|
|
|
|
|
"k8s.io/client-go/transport"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TLSConfigFor returns a tls.Config that will provide the transport level security defined
|
|
|
|
|
// by the provided Config. Will return nil if no transport level security is requested.
|
|
|
|
|
func TLSConfigFor(config *Config) (*tls.Config, error) {
|
|
|
|
|
cfg, err := config.TransportConfig()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return transport.TLSConfigFor(cfg)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TransportFor returns an http.RoundTripper that will provide the authentication
|
|
|
|
|
// or transport level security defined by the provided Config. Will return the
|
|
|
|
|
// default http.DefaultTransport if no special case behavior is needed.
|
|
|
|
|
func TransportFor(config *Config) (http.RoundTripper, error) {
|
|
|
|
|
cfg, err := config.TransportConfig()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return transport.New(cfg)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// HTTPWrappersForConfig wraps a round tripper with any relevant layered behavior from the
|
|
|
|
|
// config. Exposed to allow more clients that need HTTP-like behavior but then must hijack
|
|
|
|
|
// the underlying connection (like WebSocket or HTTP2 clients). Pure HTTP clients should use
|
|
|
|
|
// the higher level TransportFor or RESTClientFor methods.
|
|
|
|
|
func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error) {
|
|
|
|
|
cfg, err := config.TransportConfig()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return transport.HTTPWrappersForConfig(cfg, rt)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TransportConfig converts a client config to an appropriate transport config.
|
|
|
|
|
func (c *Config) TransportConfig() (*transport.Config, error) {
|
|
|
|
|
conf := &transport.Config{
|
2021-05-15 10:08:31 +00:00
|
|
|
UserAgent: c.UserAgent,
|
|
|
|
|
Transport: c.Transport,
|
|
|
|
|
WrapTransport: c.WrapTransport,
|
|
|
|
|
DisableCompression: c.DisableCompression,
|
2019-01-18 01:50:10 +00:00
|
|
|
TLS: transport.TLSConfig{
|
|
|
|
|
Insecure: c.Insecure,
|
|
|
|
|
ServerName: c.ServerName,
|
|
|
|
|
CAFile: c.CAFile,
|
|
|
|
|
CAData: c.CAData,
|
|
|
|
|
CertFile: c.CertFile,
|
|
|
|
|
CertData: c.CertData,
|
|
|
|
|
KeyFile: c.KeyFile,
|
|
|
|
|
KeyData: c.KeyData,
|
2021-05-15 10:08:31 +00:00
|
|
|
NextProtos: c.NextProtos,
|
2019-01-18 01:50:10 +00:00
|
|
|
},
|
2021-05-15 10:08:31 +00:00
|
|
|
Username: c.Username,
|
|
|
|
|
Password: c.Password,
|
|
|
|
|
BearerToken: c.BearerToken,
|
|
|
|
|
BearerTokenFile: c.BearerTokenFile,
|
2019-01-18 01:50:10 +00:00
|
|
|
Impersonate: transport.ImpersonationConfig{
|
|
|
|
|
UserName: c.Impersonate.UserName,
|
|
|
|
|
Groups: c.Impersonate.Groups,
|
|
|
|
|
Extra: c.Impersonate.Extra,
|
|
|
|
|
},
|
2021-05-15 10:08:31 +00:00
|
|
|
Dial: c.Dial,
|
|
|
|
|
Proxy: c.Proxy,
|
2019-01-18 01:50:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.ExecProvider != nil && c.AuthProvider != nil {
|
|
|
|
|
return nil, errors.New("execProvider and authProvider cannot be used in combination")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.ExecProvider != nil {
|
2021-05-15 10:08:31 +00:00
|
|
|
var cluster *clientauthentication.Cluster
|
|
|
|
|
if c.ExecProvider.ProvideClusterInfo {
|
|
|
|
|
var err error
|
|
|
|
|
cluster, err = ConfigToExecCluster(c)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
provider, err := exec.GetAuthenticator(c.ExecProvider, cluster)
|
2019-01-18 01:50:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := provider.UpdateTransportConfig(conf); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if c.AuthProvider != nil {
|
|
|
|
|
provider, err := GetAuthProvider(c.Host, c.AuthProvider, c.AuthConfigPersister)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2019-05-03 10:50:21 +00:00
|
|
|
conf.Wrap(provider.WrapTransport)
|
2019-01-18 01:50:10 +00:00
|
|
|
}
|
|
|
|
|
return conf, nil
|
|
|
|
|
}
|
2019-05-03 10:50:21 +00:00
|
|
|
|
|
|
|
|
// Wrap adds a transport middleware function that will give the caller
|
|
|
|
|
// an opportunity to wrap the underlying http.RoundTripper prior to the
|
|
|
|
|
// first API call being made. The provided function is invoked after any
|
|
|
|
|
// existing transport wrappers are invoked.
|
|
|
|
|
func (c *Config) Wrap(fn transport.WrapperFunc) {
|
|
|
|
|
c.WrapTransport = transport.Wrappers(c.WrapTransport, fn)
|
|
|
|
|
}
|
