ca-gip · evrardjp-cagip · Dec 16, 2024 · Dec 18, 2024 · Dec 19, 2024 · Dec 19, 2024
diff --git a/cmd/api/main.go b/cmd/api/main.go
@@ -1,13 +1,15 @@
 package main
 
 import (
-	"crypto/ecdsa"
+	"fmt"
+	"io"
 	"net/http"
 	"os"
 
+	"github.com/ca-gip/kubi/internal/ldap"
+	"github.com/ca-gip/kubi/internal/middlewares"
 	"github.com/ca-gip/kubi/internal/services"
 	"github.com/ca-gip/kubi/internal/utils"
-	"github.com/dgrijalva/jwt-go"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/rs/zerolog/log"
@@ -17,11 +19,14 @@ func main() {
 
 	config, err := utils.MakeConfig()
 	if err != nil {
-		log.Fatal().Msg("Config error")
-		os.Exit(1)
+		log.Fatal().Msg(fmt.Sprintf("Config error: %v", err))
 	}
+	// TODO Remove this aberration - L17 should be a constructor and we should
+	// use the config as live object instead of mutating it.
 	utils.Config = config
 
+	ldapClient := ldap.NewLDAPClient(config.Ldap)
+
 	// TODO Move to config ( for validation )
 	ecdsaPem, err := os.ReadFile(utils.ECDSAKeyPath)
 	if err != nil {
@@ -31,35 +36,34 @@ func main() {
 	if err != nil {
 		utils.Log.Fatal().Msgf("Unable to read ECDSA public key: %v", err)
 	}
-	var ecdsaKey *ecdsa.PrivateKey
-	var ecdsaPub *ecdsa.PublicKey
-	if ecdsaKey, err = jwt.ParseECPrivateKeyFromPEM(ecdsaPem); err != nil {
-		utils.Log.Fatal().Msgf("Unable to parse ECDSA private key: %v", err)
-	}
-	if ecdsaPub, err = jwt.ParseECPublicKeyFromPEM(ecdsaPubPem); err != nil {
-		utils.Log.Fatal().Msgf("Unable to parse ECDSA public key: %v", err)
-	}
 
-	tokenIssuer := &services.TokenIssuer{
-		EcdsaPrivate:       ecdsaKey,
-		EcdsaPublic:        ecdsaPub,
-		TokenDuration:      utils.Config.TokenLifeTime,
-		ExtraTokenDuration: utils.Config.ExtraTokenLifeTime,
-		Locator:            utils.Config.Locator,
-		PublicApiServerURL: utils.Config.PublicApiServerURL,
-		Tenant:             utils.Config.Tenant,
+	tokenIssuer, err := services.NewTokenIssuer(
+		ecdsaPem,
+		ecdsaPubPem,
+		config.TokenLifeTime,
+		config.ExtraTokenLifeTime,
+		config.Locator,
+		config.PublicApiServerURL,
+		config.Tenant,
+	)
+	if err != nil {
+		utils.Log.Fatal().Msgf("Unable to create token issuer: %v", err)
 	}
 
 	router := mux.NewRouter()
-	router.Use(utils.PrometheusMiddleware)
+	router.Use(middlewares.Prometheus)
 	router.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
 		utils.Log.Warn().Msgf("%d %s %s", http.StatusNotFound, req.Method, req.URL.String())
 	})
 
-	router.HandleFunc("/ca", services.CA).Methods(http.MethodGet)
-	router.HandleFunc("/config", tokenIssuer.GenerateConfig).Methods(http.MethodGet)
-	router.HandleFunc("/token", tokenIssuer.GenerateJWT).Methods(http.MethodGet)
+	router.HandleFunc("/ca", func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		io.WriteString(w, config.KubeCaText)
+	}).Methods(http.MethodGet)
+
+	router.HandleFunc("/config", middlewares.WithBasicAuth(ldapClient, tokenIssuer.GenerateConfig)).Methods(http.MethodGet)
+	router.HandleFunc("/token", middlewares.WithBasicAuth(ldapClient, tokenIssuer.GenerateJWT)).Methods(http.MethodGet)
 	router.Handle("/metrics", promhttp.Handler())
 
 	utils.Log.Info().Msgf(" Preparing to serve request, port: %d", 8000)

diff --git a/cmd/authorization-webhook/main.go b/cmd/authorization-webhook/main.go
@@ -1,13 +1,13 @@
 package main
 
 import (
-	"crypto/ecdsa"
+	"fmt"
 	"net/http"
 	"os"
 
+	"github.com/ca-gip/kubi/internal/middlewares"
 	"github.com/ca-gip/kubi/internal/services"
 	"github.com/ca-gip/kubi/internal/utils"
-	"github.com/dgrijalva/jwt-go"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/rs/zerolog/log"
@@ -17,8 +17,7 @@ func main() {
 
 	config, err := utils.MakeConfig()
 	if err != nil {
-		log.Fatal().Msg("Config error")
-		os.Exit(1)
+		log.Fatal().Msg(fmt.Sprintf("Config error: %v", err))
 	}
 	utils.Config = config
 
@@ -31,26 +30,22 @@ func main() {
 	if err != nil {
 		utils.Log.Fatal().Msgf("Unable to read ECDSA public key: %v", err)
 	}
-	var ecdsaKey *ecdsa.PrivateKey
-	var ecdsaPub *ecdsa.PublicKey
-	if ecdsaKey, err = jwt.ParseECPrivateKeyFromPEM(ecdsaPem); err != nil {
-		utils.Log.Fatal().Msgf("Unable to parse ECDSA private key: %v", err)
-	}
-	if ecdsaPub, err = jwt.ParseECPublicKeyFromPEM(ecdsaPubPem); err != nil {
-		utils.Log.Fatal().Msgf("Unable to parse ECDSA public key: %v", err)
-	}
 
-	tokenIssuer := &services.TokenIssuer{
-		EcdsaPrivate:       ecdsaKey,
-		EcdsaPublic:        ecdsaPub,
-		TokenDuration:      utils.Config.TokenLifeTime,
-		Locator:            utils.Config.Locator,
-		PublicApiServerURL: utils.Config.PublicApiServerURL,
-		Tenant:             utils.Config.Tenant,
+	tokenIssuer, err := services.NewTokenIssuer(
+		ecdsaPem,
+		ecdsaPubPem,
+		config.TokenLifeTime,
+		config.ExtraTokenLifeTime, // This had to be included in refactor. TODO: Check side effects
+		config.Locator,
+		config.PublicApiServerURL,
+		config.Tenant,
+	)
+	if err != nil {
+		utils.Log.Fatal().Msgf("Unable to create token issuer: %v", err)
 	}
 
 	router := mux.NewRouter()
-	router.Use(utils.PrometheusMiddleware)
+	router.Use(middlewares.Prometheus)
 	router.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
 		utils.Log.Warn().Msgf("%d %s %s", http.StatusNotFound, req.Method, req.URL.String())

diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -1,10 +1,11 @@
 package main
 
 import (
+	"fmt"
 	"net/http"
-	"os"
-	"time"
 
+	"github.com/ca-gip/kubi/internal/ldap"
+	"github.com/ca-gip/kubi/internal/middlewares"
 	"github.com/ca-gip/kubi/internal/services"
 	"github.com/ca-gip/kubi/internal/utils"
 	"github.com/gorilla/mux"
@@ -16,42 +17,36 @@ func main() {
 
 	config, err := utils.MakeConfig()
 	if err != nil {
-		log.Fatal().Msg("Config error")
-		os.Exit(1)
+		log.Fatal().Msg(fmt.Sprintf("Config error: %v", err))
 	}
+
+	ldapClient := ldap.NewLDAPClient(config.Ldap)
+
+	go services.RefreshProjectsFromLdap(ldapClient, config.Whitelist)
+
 	utils.Config = config
 
 	// Generate namespace and role binding for ldap groups
 	// no need to wait here
 	utils.Log.Info().Msg("Generating resources from LDAP groups")
 
-	err = services.GenerateResources()
-	if err != nil {
-		log.Error().Err(err)
-	}
 	router := mux.NewRouter()
-	router.Use(utils.PrometheusMiddleware)
+	router.Use(middlewares.Prometheus)
 	router.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
 		utils.Log.Warn().Msgf("%d %s %s", http.StatusNotFound, req.Method, req.URL.String())
 	})
 	router.Handle("/metrics", promhttp.Handler())
 
+	services.WatchProjects()
+
+	// TODO, get rid of the guard and auto watch netpol config if that's
+	// relevant to keep.
 	if config.NetworkPolicy {
 		services.WatchNetPolConfig()
 	} else {
 		utils.Log.Info().Msg("NetworkPolicies generation is disabled.")
 	}
-	services.WatchProjects()
-
-	timerKubiRefresh := time.NewTicker(10 * time.Minute)
-	go func() {
-		for t := range timerKubiRefresh.C {
-
-			utils.Log.Info().Msgf("Refreshing Projects at %s", t.String())
-			services.RefreshK8SResources()
-		}
-	}()
 
 	utils.Log.Info().Msgf(" Preparing to serve request, port: %d", 8002)
 	utils.Log.Info().Msg(http.ListenAndServeTLS(":8002", utils.TlsCertPath, utils.TlsKeyPath, router).Error())

diff --git a/go.mod b/go.mod
@@ -4,7 +4,6 @@ go 1.23.3
 
 require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/go-ozzo/ozzo-validation v3.6.0+incompatible
 	github.com/gorilla/mux v1.8.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.20.5
@@ -20,7 +19,6 @@ require (
 )
 
 require (
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,3 @@
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -22,8 +20,6 @@ github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF
 github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/go-ozzo/ozzo-validation v3.6.0+incompatible h1:msy24VGS42fKO9K1vLz82/GeYW1cILu7Nuuj1N3BBkE=
-github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6mXmxK0MoFy+cZoTJY6mu5Ll3LVLBU=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=