mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor for session management (#193)

Browse Source 
Previously every Handler function was receiving the session token in the
form of a jwt string, in consequence every time we want to access the
encrypted claims of the jwt we needed to run a decryption process,
additionally we were decrypting the jwt twice, first at the session
validation then inside each handler function, this was also causing a
lot of using related to the merge between m3 and mcs

What changed:

Now we validate and decrypt the jwt once in `configure_mcs.go`, this
works for both, mcs (console) and operator sessions, and then pass the
decrypted claims to all the functions that need it, so no further token
validation or decryption is need it.
This commit is contained in:
Lenin Alevski
2020-07-10 19:14:28 -07:00
committed by GitHub
parent 93e1168141
commit 697bc4cd1d
34 changed files with 618 additions and 605 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
cluster/cluster.go
View File

@@ -23,15 +23,28 @@ import (
certutil "k8s.io/client-go/util/cert"
)
func GetK8sConfig(token string) *rest.Config {
// if console is running inside k8s by default he will have access to the ca cert from the k8s local authority
const (
rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)
tlsClientConfig := rest.TLSClientConfig{Insecure: getK8sAPIServerInsecure()}
if _, err := certutil.NewPool(rootCAFile); err == nil {
tlsClientConfig.CAFile = rootCAFile
// getTLSClientConfig will return the right TLS configuration for the K8S client based on the configured TLS certificate
func getTLSClientConfig() rest.TLSClientConfig {
var defaultRootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
var customRootCAFile = getK8sAPIServerTLSRootCA()
tlsClientConfig := rest.TLSClientConfig{}
// if console is running inside k8s by default he will have access to the CA Cert from the k8s local authority
if _, err := certutil.NewPool(defaultRootCAFile); err == nil {
tlsClientConfig.CAFile = defaultRootCAFile
}
// if the user explicitly define a custom CA certificate, instead, we will use that
if customRootCAFile != "" {
if _, err := certutil.NewPool(customRootCAFile); err == nil {
tlsClientConfig.CAFile = customRootCAFile
}
}
return tlsClientConfig
}
// This operation will run only once at console startup
var tlsClientConfig = getTLSClientConfig()
func GetK8sConfig(token string) *rest.Config {
config := &rest.Config{
Host: GetK8sAPIServer(),
TLSClientConfig: tlsClientConfig,