Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +02001package main
2
3import (
4 "crypto/tls"
5 "crypto/x509"
6 "fmt"
7 "io/ioutil"
8 "os"
9 "os/exec"
10 "path"
11 "path/filepath"
12 "time"
13
14 "github.com/golang/glog"
15
16 pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
Serge Bazanski0f8e5a22021-10-16 20:53:51 +000017 "code.hackerspace.pl/hscloud/go/workspace"
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +020018)
19
// kubernetesPaths returns the locations of the client key, the client
// certificate and the cluster CA certificate, in that order. All three live
// in the .kubectl directory of the workspace reported by workspace.Get; the
// process exits through glog.Exitf if the workspace cannot be determined.
//
// NOTE(review): flagUsername is interpolated into the file names as-is. It is
// presumably an operator-supplied flag; confirm it cannot carry path
// separators, because path.Join would then resolve outside .kubectl.
func kubernetesPaths() (string, string, string) {
	root, err := workspace.Get()
	if err != nil {
		glog.Exitf("%v", err)
	}

	credDir := path.Join(root, ".kubectl")
	keyName := fmt.Sprintf("%s.key", flagUsername)
	certName := fmt.Sprintf("%s.crt", flagUsername)

	return path.Join(credDir, keyName), path.Join(credDir, certName), path.Join(credDir, "ca.crt")
}
32
// needKubernetesCreds reports whether fresh Kubernetes client credentials must
// be obtained. It returns true when the local key or certificate file is
// missing, when the pair cannot be loaded or parsed, when the certificate file
// does not hold exactly one certificate, or when that certificate expires
// within the next two hours.
//
// This is a presence-and-expiry check only: the certificate is not verified
// against the local CA, and NotBefore is not consulted.
func needKubernetesCreds() bool {
	keyPath, certPath, _ := kubernetesPaths()

	// A missing file on either side means there is nothing to reuse.
	for _, p := range []string{keyPath, certPath} {
		if _, err := os.Stat(p); os.IsNotExist(err) {
			return true
		}
	}

	// Both files are present; they must form a loadable key pair that
	// carries a single certificate.
	pair, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil || len(pair.Certificate) != 1 {
		return true
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return true
	}

	// Refresh when the certificate will already have expired two hours
	// from now.
	deadline := time.Now().Add(2 * time.Hour)
	return leaf.NotAfter.Before(deadline)
}
66
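// useKubernetesKeys stores the issued credentials on disk and points the
// local kubectl configuration at them.
//
// The key, certificate and CA from keys are written to the paths returned by
// kubernetesPaths. kubectl is then invoked to define a cluster, a user and a
// context named after keys.Cluster, and to make that context current. Any
// failure terminates the process through glog.Exitf.
//
// NOTE(review): keys.Cluster is used verbatim as a kubectl argument and as the
// API server host name. Presumably the service that issued keys is trusted
// for both; confirm against the caller.
func useKubernetesKeys(keys *pb.KubernetesKeys) {
	localKey, localCert, localCA := kubernetesPaths()

	// MkdirAll is a no-op for an existing directory, so no prior Stat is
	// needed. Its error is checked so that a failure is reported against
	// the directory instead of surfacing later as a failed file write.
	parent := filepath.Dir(localKey)
	if err := os.MkdirAll(parent, 0700); err != nil {
		glog.Exitf("MkdirAll(%q): %v", parent, err)
	}

	write := func(name string, data []byte) {
		// WriteFile applies the mode only when it creates the file. A file
		// left over from an earlier run keeps whatever mode it had, so it is
		// tightened before the new contents (including the private key) are
		// written into it.
		if err := os.Chmod(name, 0600); err != nil && !os.IsNotExist(err) {
			glog.Exitf("Chmod(%q): %v", name, err)
		}
		if err := ioutil.WriteFile(name, data, 0600); err != nil {
			glog.Exitf("WriteFile(%q): %v", name, err)
		}
	}
	write(localKey, keys.Key)
	write(localCert, keys.Cert)
	write(localCA, keys.Ca)

	// kubectl runs the kubectl binary found on PATH with the given
	// arguments and exits the process, printing the combined output, if the
	// command fails. Arguments are passed as an argv slice; no shell is
	// involved.
	kubectl := func(args ...string) {
		cmd := exec.Command("kubectl", args...)
		out, err := cmd.CombinedOutput()
		if err != nil {
			glog.Exitf("kubectl %v: %v: %v", args, err, string(out))
		}
	}

	kubectl("config",
		"set-cluster", keys.Cluster,
		"--certificate-authority="+localCA,
		"--embed-certs=true",
		"--server=https://"+keys.Cluster+":4001")

	// --embed-certs=true makes kubectl copy the certificate and key into the
	// kubeconfig, so the private key also lives there, outside the files
	// written above.
	kubectl("config",
		"set-credentials", flagUsername,
		"--client-certificate="+localCert,
		"--client-key="+localKey,
		"--embed-certs=true")

	kubectl("config",
		"set-context", keys.Cluster,
		"--cluster="+keys.Cluster,
		"--user="+flagUsername)

	kubectl("config", "use-context", keys.Cluster)
}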