introduce examples/dyplomat (#336)

* introduce examples/dyplomat

Signed-off-by: Ashley Kasim <[email protected]>

* build dyplomat in CI, specify terraform version required

Signed-off-by: Ashley Kasim <[email protected]>

Author: ashleycutalo

.circleci/config.yml

@@ -9,6 +9,7 @@ jobs:
       - run: make create_version
       - run: make check_version_dirty
       - run: make build
+      - run: make examples
       - run: make test
       - run: make integration
       - run:

Makefile

@@ -32,6 +32,10 @@ create_version:
 check_version_dirty:
 	./scripts/check_version_dirty.sh
 
+.PHONY: examples
+examples:
+	@pushd examples/dyplomat && go build ./... && popd
+
 #-----------------
 #-- integration
 #-----------------

examples/dyplomat/Dockerfile

@@ -0,0 +1,7 @@
+FROM golang:1.14
+
+WORKDIR /go/src/dyplomat
+COPY . /go/src/dyplomat
+
+RUN go install -v ./...
+CMD ["dyplomat"]

examples/dyplomat/auth.go

@@ -0,0 +1,161 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	heptiotoken "sigs.k8s.io/aws-iam-authenticator/pkg/token"
+)
+
+// TokenKind defines the token type used for remote authentication to your cluster(s).
+// An example NullToken and the implementation for HeptioToken (AWS) are provided.
+type TokenKind int
+
+const (
+	HeptioTokenKind TokenKind = iota
+	NullTokenKind
+)
+
+// NullTokenProvider always returns a nil token
+type NullTokenProvider struct{}
+
+func (t *NullTokenProvider) Kind() TokenKind {
+	return NullTokenKind
+}
+
+// AuthToken contains an auth token and its expiry time
+type AuthToken struct {
+	Token   string
+	expires time.Time
+}
+
+// Expired return whether or not the token has past its expiry time
+func (t *AuthToken) Expired() bool {
+	return time.Now().After(t.expires)
+}
+
+type Provider interface {
+	// Token provides a time limited token
+	Token() (*AuthToken, error)
+	Kind() TokenKind
+}
+
+// Generator interface defines the ability to grab token providers based on the cluster name
+type Generator interface {
+	ProviderForCluster(cluster string) (Provider, error)
+}
+
+// GeneratorProvider is a token provider which mints tokens as well
+type GeneratorProvider interface {
+	Provider
+	Generator
+}
+
+type heptioTokenProvider struct {
+	lastToken   *AuthToken
+	clusterName string
+	lock        sync.Mutex
+}
+
+func (t *heptioTokenProvider) refresh() error {
+	t.lock.Lock()
+	defer t.lock.Unlock()
+
+	gen, err := heptiotoken.NewGenerator(false, false)
+	if err != nil {
+		fmt.Printf("heptio authenticator error %v", err)
+		return err
+	}
+	rawToken, err := gen.Get(t.clusterName)
+
+	if err != nil {
+		fmt.Printf("token data invalid %v", err)
+		return err
+	}
+
+	token := AuthToken{
+		Token:   rawToken.Token,
+		expires: rawToken.Expiration,
+	}
+
+	t.lastToken = &token
+	return nil
+}
+
+// Token returns a heptio token, refreshing it if need be
+func (t *heptioTokenProvider) Token() (*AuthToken, error) {
+	if t.lastToken != nil {
+		if time.Now().After(t.lastToken.expires) {
+			err := t.refresh()
+			if err != nil {
+				return nil, err
+			}
+		}
+	} else {
+		err := t.refresh()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return t.lastToken, nil
+}
+
+func (t *heptioTokenProvider) Kind() TokenKind {
+	return HeptioTokenKind
+}
+
+// NewHeptioProvider returns an initialized heptio token provider
+func NewHeptioProvider(clusterName string) Provider {
+	return &heptioTokenProvider{
+		clusterName: clusterName,
+	}
+}
+
+type heptioGenerator struct {
+	clusters sync.Map
+}
+
+func (h *heptioGenerator) ProviderForCluster(cluster string) (Provider, error) {
+	provider := NewHeptioProvider(cluster)
+	providerFromMap, _ := h.clusters.LoadOrStore(cluster, provider)
+	return providerFromMap.(*heptioTokenProvider), nil
+}
+
+func NewHeptioGenetor() Generator {
+	return &heptioGenerator{}
+}
+
+type requestCanceler interface {
+	CancelRequest(*http.Request)
+}
+
+type TokenRoundtripper struct {
+	RoundTripper  http.RoundTripper
+	TokenProvider Provider
+}
+
+func (rt *TokenRoundtripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) != 0 {
+		return rt.RoundTripper.RoundTrip(req)
+	}
+
+	req = utilnet.CloneRequest(req)
+	token, err := rt.TokenProvider.Token()
+	if err != nil {
+		return nil, err
+
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token.Token))
+	return rt.RoundTripper.RoundTrip(req)
+}
+
+func (rt *TokenRoundtripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.RoundTripper.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	}
+}

examples/dyplomat/bootstrap.go

@@ -0,0 +1,70 @@
+package main
+
+import (
+	"encoding/base64"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	yaml "gopkg.in/yaml.v2"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+type BootstrapConfig struct {
+	Name   string
+	Server string
+	CA     string // CA is expected to be base64 encoded PEM file
+}
+
+var bootstrapConfigs []BootstrapConfig
+
+func CreateBootstrapClients() ([]kubernetes.Interface, error) {
+	var bootstrapClients []kubernetes.Interface
+
+	bootstrapYaml, err := ioutil.ReadFile("./bootstrap.yaml")
+	if err != nil {
+		panic(err)
+	}
+
+	err = yaml.Unmarshal(bootstrapYaml, &bootstrapConfigs)
+	if err != nil {
+		panic(err)
+	}
+
+	for _, cluster := range bootstrapConfigs {
+		// CA is base64 encoded, so we decode
+		caReader := base64.NewDecoder(base64.StdEncoding, strings.NewReader(cluster.CA))
+		caBytes, _ := ioutil.ReadAll(caReader)
+
+		var restConfig *rest.Config
+		restConfig = &rest.Config{
+			Host: cluster.Server,
+			TLSClientConfig: rest.TLSClientConfig{
+				CAData: caBytes,
+			},
+		}
+
+		previousWrappedTransport := restConfig.WrapTransport
+		restConfig.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+			if previousWrappedTransport != nil {
+				rt = previousWrappedTransport(rt)
+			}
+			return &TokenRoundtripper{
+				TokenProvider: NewHeptioProvider(cluster.Name),
+				RoundTripper:  rt,
+			}
+		}
+
+		restConfig.Timeout = time.Second * 5
+
+		client, err := kubernetes.NewForConfig(restConfig)
+		if err != nil {
+			return nil, err
+		}
+		bootstrapClients = append(bootstrapClients, client)
+	}
+	return bootstrapClients, nil
+}

examples/dyplomat/bootstrap.yaml

@@ -0,0 +1,7 @@
+# bootstrapYaml is a simple cluster discovery mechanism to register the Kubernetes clusters we will be extending the mesh to.
+- name: demo1-eks
+  server: DEMO1_API_SERVER_URL
+  ca: DEMO1_BASE_64_ENCODED_CA
+- name: demo2-eks
+  server: DEMO2_API_SERVER_URL
+  ca: DEMO2_BASE_64_ENCODED_CA

examples/dyplomat/go.mod

@@ -0,0 +1,20 @@
+module kubecon-demo/dyplomat
+
+go 1.14
+
+require (
+	github.com/envoyproxy/go-control-plane v0.9.6
+	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
+	google.golang.org/grpc v1.30.0
+	gopkg.in/yaml.v2 v2.2.8
+	k8s.io/api v0.18.6
+	k8s.io/apimachinery v0.18.6
+	k8s.io/client-go v11.0.0+incompatible
+	sigs.k8s.io/aws-iam-authenticator v0.5.1
+)
+
+replace (
+	k8s.io/api => k8s.io/api v0.18.6
+	k8s.io/apimachinery => k8s.io/apimachinery v0.18.6
+	k8s.io/client-go => k8s.io/client-go v0.18.6
+)