Move basic authentication to k3s

k3s-io · Aug 28, 2020 · aa586a4 · aa586a4
1 parent 2d2a962
commit aa586a4
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 3 deletions.
diff --git a/pkg/daemons/control/auth.go b/pkg/daemons/control/auth.go
@@ -0,0 +1,30 @@
+package control
+
+import (
+	"github.com/rancher/k3s/pkg/authenticator/basicauth"
+	"github.com/rancher/k3s/pkg/authenticator/passwordfile"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/group"
+	"k8s.io/apiserver/pkg/authentication/request/union"
+)
+
+func basicAuthenticator(basicAuthFile string) (authenticator.Request, error) {
+	if basicAuthFile == "" {
+		return nil, nil
+	}
+	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
+	if err != nil {
+		return nil, err
+	}
+	return basicauth.New(basicAuthenticator), nil
+}
+
+func combineAuthenticators(auths ...authenticator.Request) authenticator.Request {
+	var authenticators []authenticator.Request
+	for _, auth := range auths {
+		if auth != nil {
+			authenticators = append(authenticators, auth)
+		}
+	}
+	return group.NewAuthenticatedGroupAdder(union.New(authenticators...))
+}
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
@@ -102,8 +102,13 @@ func Server(ctx context.Context, cfg *config.Control) error {
 		return err
 	}
 
+	basicAuth, err := basicAuthenticator(cfg.Runtime.PasswdFile)
+	if err != nil {
+		return err
+	}
+
+	runtime.Authenticator = combineAuthenticators(basicAuth, auth)
 	runtime.Handler = handler
-	runtime.Authenticator = auth
 
 	if !cfg.NoScheduler {
 		if err := scheduler(cfg, runtime); err != nil {
@@ -195,7 +200,6 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 	argsMap["service-account-key-file"] = runtime.ServiceKey
 	argsMap["service-account-issuer"] = version.Program
 	argsMap["api-audiences"] = "unknown"
-	argsMap["basic-auth-file"] = runtime.PasswdFile
 	argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 	argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 	argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey

diff --git a/pkg/daemons/executor/embed.go b/pkg/daemons/executor/embed.go
@@ -7,7 +7,6 @@ import (
 	"net/http"
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-
 	proxy "k8s.io/kubernetes/cmd/kube-proxy/app"
 	kubelet "k8s.io/kubernetes/cmd/kubelet/app"