Start to flesh out config and enablement
1 parent
311d16e
commit 7aa7336
Showing
9 changed files
with
167 additions
and
21 deletions.
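--- /dev/null
+++ b/assets/build-ca.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env sh
+
+# certificate authority bundles for common distributions
+bundles="
+/etc/ssl/certs/ca-certificates.crt \
+/etc/pki/tls/certs/ca-bundle.crt \
+/etc/ssl/ca-bundle.pem \
+/etc/pki/tls/cacert.pem \
+/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+/etc/ssl/cert.pem
+"
+
+# qpoint ca
+qpoint_ca="/mnt/ca/qpoint.pem"
+
+# tls config destination
+destination="/mnt/tls"
+
+# initialize a flag to check if config was copied
+config_copied="no"
+
+# convert string to an array-like structure
+set -- $bundles
+
+# iterate over the possible bundles
+for bundle; do
+if [ -f "$bundle" ]; then
+echo "Found ca bundle: ${bundle}"
+
+# extract the directly/file from the bundle
+directory=$(dirname "$bundle")
+file=$(basename "$bundle")
+
+# copy the contents of the bundle into the shared mount
+echo "Copying contents of $directory to $destination"
+cp -R "$directory"/* "$destination"
+
+# append the qpoint root ca
+cat "$qpoint_ca" >> "$destination/$file"
+
+# leave the breadcrumb
+config_copied="yes"
+
+# stop after the first found bundle
+break
+fi
+done
+
+# we didn't find a matching config, likely there is no openssl installed
+#
+# in this case our approach is to just add our ca to all of the bundles
+# for the potential distributions
+if [ "$config_copied" = "no" ]; then
+echo "No config copied, creating new CA bundles."
+set -- $bundles
+for bundle; do
+file=$(basename "$bundle")
+cat "$qpoint_ca" > "$destination/$file"
+done
+fi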
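Review bot: `cp -R "$directory"/* "$destination"` copies the whole parent directory of whichever bundle matched, so for the `/etc/ssl/cert.pem`, `/etc/ssl/ca-bundle.pem` and `/etc/pki/tls/cacert.pem` candidates that is `/etc/ssl` or `/etc/pki/tls`, which on typical images also contains `private/` and `openssl.cnf`, and any key material there would be written into the shared `/mnt/tls` mount. Copying only the matched bundle, `cp "$bundle" "$destination/$file"`, avoids that; if the surrounding certs directory is genuinely needed for hashed-symlink lookups, copy `"$directory"/*.pem` and `"$directory"/*.crt` rather than `*` and say why in a comment. Separately, nothing checks that `$qpoint_ca` is readable or that `cp`/`cat` succeeded, so a missing CA file still sets `config_copied="yes"` and the script exits 0 with an unmodified bundle; `set -eu` after the shebang plus `[ -r "$qpoint_ca" ] || { echo "missing $qpoint_ca" >&2; exit 1; }` before the loop would surface that.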
@@ -1,9 +1,14 @@ | ||
package v1 | ||
|
||
import ( | ||
_ "embed" | ||
|
||
corev1 "k8s.io/api/core/v1" | ||
) | ||
|
||
//go:embed assets/build-ca.sh | ||
var buildCaScript string | ||
|
||
func MutateCaInjection(pod *corev1.Pod, config *Config) error { | ||
return nil | ||
} |
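Review bot: `MutateCaInjection` is exported without a doc comment and is a no-op that ignores both `pod` and `config`, while the embedded `buildCaScript` is declared but never referenced, so a reader cannot tell whether CA injection is implemented or merely stubbed. Until the body lands, a comment such as `// MutateCaInjection will add the buildCaScript init step to pod when config.InjectCa is set; it is currently a no-op and returns nil.` on the function and `// buildCaScript is the init script that merges the qpoint CA into the container's trust bundle; embedded for use by MutateCaInjection.` on the var would make the stub's state explicit. When the body is written it should check `config.InjectCa` before mutating the pod, since `Config` already carries that flag.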
@@ -1,27 +1,66 @@ | ||
package v1 | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
|
||
corev1 "k8s.io/api/core/v1" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
) | ||
|
||
var ( | ||
defaultAnnotations = map[string]string{ | ||
"key1": "value1", | ||
"key2": "value2", | ||
} | ||
) | ||
|
||
type Config struct { | ||
Enabled bool | ||
InjectCa bool | ||
Namespace string | ||
Enabled bool | ||
InjectCa bool | ||
|
||
apiClient client.Client | ||
apiClient client.Client | ||
annotations map[string]string | ||
} | ||
|
||
func InitConfig(apiClient client.Client, namespace string, pod *corev1.Pod) (*Config, error) { | ||
// start with a default config | ||
config := &Config{ | ||
Enabled: false, | ||
InjectCa: true, | ||
apiClient: apiClient, | ||
func (c *Config) Init(ctx context.Context, pod *corev1.Pod) error { | ||
// check to see if an annotation is set on the pod to enable egress | ||
egress, exists := pod.Annotations["qpoint.io/egress"] | ||
if exists && egress == "enabled" { | ||
c.Enabled = true | ||
} | ||
|
||
// if we're not enabled yet, let's check the namespace | ||
if !c.Enabled { | ||
namespace := &corev1.Namespace{} | ||
if err := c.apiClient.Get(ctx, client.ObjectKey{Name: c.Namespace}, namespace); err != nil { | ||
return fmt.Errorf("fetching namespace '%s' from the api: %w", c.Namespace, err) | ||
} | ||
|
||
// if the namespace is labeled, then we enable | ||
if namespace.Labels["qpoint-egress"] == "enabled" { | ||
c.Enabled = true | ||
} | ||
} | ||
|
||
// if we're enabled | ||
if c.Enabled { | ||
|
||
// let's apply the default annotations to the pod (for transparency to the admin) | ||
for key, value := range defaultAnnotations { | ||
if _, exists := pod.Annotations[key]; !exists { | ||
pod.Annotations[key] = value | ||
} | ||
} | ||
|
||
// and store a direct reference to the annotations for config | ||
c.annotations = pod.Annotations | ||
} | ||
|
||
// enable for time-being | ||
config.Enabled = true | ||
return nil | ||
} | ||
|
||
return config, nil | ||
func (c *Config) Get(key string) string { | ||
return c.annotations[fmt.Sprintf("qpoint.io/%s", key)] | ||
} |
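Review bot: `Init` writes `pod.Annotations[key] = value` in the default-annotations loop, but `pod.Annotations` can be nil for a pod admitted with no annotations (the earlier read of `pod.Annotations["qpoint.io/egress"]` tolerates a nil map, the write does not), so a pod enabled only via the `qpoint-egress` namespace label would panic the webhook; add `if pod.Annotations == nil { pod.Annotations = map[string]string{} }` before the loop. `defaultAnnotations` still holds the placeholder pairs `"key1": "value1"` / `"key2": "value2"`, which this path now writes onto every enabled pod, so either fill in the real `qpoint.io/`-prefixed defaults or leave the map empty until they exist. `Get` reads `c.annotations`, which is only assigned in the enabled branch, so callers on a non-enabled config get `""` for every key; a doc comment such as `// Get returns the qpoint.io/<key> pod annotation captured by Init, or "" when the config is not enabled.` would make that contract explicit.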