Move basic authentication to k3s

k3s-io · Aug 28, 2020 · 78a5dd9 · 78a5dd9
1 parent 2ca9622
commit 78a5dd9
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 9 deletions.
diff --git a/pkg/daemons/control/auth.go b/pkg/daemons/control/auth.go
@@ -0,0 +1,30 @@
+package control
+
+import (
+	"github.com/rancher/k3s/pkg/authenticator/basicauth"
+	"github.com/rancher/k3s/pkg/authenticator/passwordfile"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/group"
+	"k8s.io/apiserver/pkg/authentication/request/union"
+)
+
+func basicAuthenticator(basicAuthFile string) (authenticator.Request, error) {
+	if basicAuthFile == "" {
+		return nil, nil
+	}
+	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
+	if err != nil {
+		return nil, err
+	}
+	return basicauth.New(basicAuthenticator), nil
+}
+
+func combineAuthenticators(auths ...authenticator.Request) authenticator.Request {
+	var authenticators []authenticator.Request
+	for _, auth := range auths {
+		if auth != nil {
+			authenticators = append(authenticators, auth)
+		}
+	}
+	return group.NewAuthenticatedGroupAdder(union.New(authenticators...))
+}
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
@@ -93,15 +93,19 @@ func Server(ctx context.Context, cfg *config.Control) error {
 	cfg.Runtime.Tunnel = setupTunnel()
 	util.DisableProxyHostnameCheck = true
 
-	auth, handler, err := apiServer(ctx, cfg, runtime)
-	if err != nil {
+	if err := apiServer(ctx, cfg, runtime); err != nil {
 		return err
 	}
 
 	if err := waitForAPIServerInBackground(ctx, runtime); err != nil {
 		return err
 	}
 
+	auth, handler, err := authHandler(runtime)
+	if err != nil {
+		return err
+	}
+
 	runtime.Handler = handler
 	runtime.Authenticator = auth
 
@@ -166,7 +170,7 @@ func scheduler(cfg *config.Control, runtime *config.ControlRuntime) error {
 	return executor.Scheduler(runtime.APIServerReady, args)
 }
 
-func apiServer(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) (authenticator.Request, http.Handler, error) {
+func apiServer(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
 	argsMap := make(map[string]string)
 
 	setupStorageBackend(argsMap, cfg)
@@ -195,7 +199,6 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 	argsMap["service-account-key-file"] = runtime.ServiceKey
 	argsMap["service-account-issuer"] = version.Program
 	argsMap["api-audiences"] = "unknown"
-	argsMap["basic-auth-file"] = runtime.PasswdFile
 	argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 	argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 	argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
@@ -1058,3 +1061,15 @@ func genEncryptionConfig(controlConfig *config.Control, runtime *config.ControlR
 	}
 	return ioutil.WriteFile(runtime.EncryptionConfig, jsonfile, 0600)
 }
+
+func authHandler(runtime *config.ControlRuntime) (authenticator.Request, http.Handler, error) {
+	basicAuth, err := basicAuthenticator(runtime.PasswdFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	execAuth, handler, err := executor.AuthHandler()
+	if err != nil {
+		return nil, nil, err
+	}
+	return combineAuthenticators(basicAuth, execAuth), handler, nil
+}
diff --git a/pkg/daemons/executor/embed.go b/pkg/daemons/executor/embed.go
@@ -45,7 +45,7 @@ func (Embedded) KubeProxy(args []string) error {
 	return nil
 }
 
-func (Embedded) APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) (authenticator.Request, http.Handler, error) {
+func (Embedded) APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) error {
 	<-etcdReady
 	command := app.NewAPIServerCommand(ctx.Done())
 	command.SetArgs(args)
@@ -54,8 +54,7 @@ func (Embedded) APIServer(ctx context.Context, etcdReady <-chan struct{}, args [
 		logrus.Fatalf("apiserver exited: %v", command.Execute())
 	}()
 
-	startupConfig := <-app.StartupConfig
-	return startupConfig.Authenticator, startupConfig.Handler, nil
+	return nil
 }
 
 func (Embedded) Scheduler(apiReady <-chan struct{}, args []string) error {
@@ -81,3 +80,8 @@ func (Embedded) ControllerManager(apiReady <-chan struct{}, args []string) error
 
 	return nil
 }
+
+func (Embedded) AuthHandler() (authenticator.Request, http.Handler, error) {
+	startupConfig := <-app.StartupConfig
+	return startupConfig.Authenticator, startupConfig.Handler, nil
+}
diff --git a/pkg/daemons/executor/executor.go b/pkg/daemons/executor/executor.go
@@ -19,11 +19,12 @@ var (
 type Executor interface {
 	Kubelet(args []string) error
 	KubeProxy(args []string) error
-	APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) (authenticator.Request, http.Handler, error)
+	APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) error
 	Scheduler(apiReady <-chan struct{}, args []string) error
 	ControllerManager(apiReady <-chan struct{}, args []string) error
 	CurrentETCDOptions() (InitialOptions, error)
 	ETCD(args ETCDConfig) error
+	AuthHandler() (authenticator.Request, http.Handler, error)
 }
 
 type ETCDConfig struct {
@@ -87,7 +88,7 @@ func KubeProxy(args []string) error {
 	return executor.KubeProxy(args)
 }
 
-func APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) (authenticator.Request, http.Handler, error) {
+func APIServer(ctx context.Context, etcdReady <-chan struct{}, args []string) error {
 	return executor.APIServer(ctx, etcdReady, args)
 }
 
@@ -106,3 +107,7 @@ func CurrentETCDOptions() (InitialOptions, error) {
 func ETCD(args ETCDConfig) error {
 	return executor.ETCD(args)
 }
+
+func AuthHandler() (authenticator.Request, http.Handler, error) {
+	return executor.AuthHandler()
+}