
     1  package secretsproxy
     2  
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strconv"
	"time"

	"go.aporeto.io/trireme-lib/common"
)
    13  
// SecretsDriver is a generic interface that the secrets driver must implement.
//
// A driver supplies the round tripper that reaches the secrets backend and
// rewrites each outgoing request in place before it is handed to that
// transport.
type SecretsDriver interface {
	// Transport returns the http.RoundTripper used to reach the secrets backend.
	Transport() http.RoundTripper
	// Transform rewrites r in place (destination, credentials) before it is sent.
	// A non-nil error means the request must not be forwarded.
	Transform(r *http.Request) error
}
    19  
// GenericSecretsDriver holds the configuration information for the driver and implements
// the SecretsDriver interface.
//
// Construct it with NewGenericSecretsDriver; the zero value has no transport
// and no target URL and is not usable.
type GenericSecretsDriver struct {
	transport *http.Transport // TLS transport whose RootCAs is the CA pool built from the caller-supplied PEM
	token     string          // bearer token written into the Authorization header by Transform
	targetURL *url.URL        // https://host:port of the secrets service that Transform points requests at
}
    27  
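// NewGenericSecretsDriver creates a SecretsDriver that reaches the secrets
// service described by network over TLS, trusting only the PEM certificates
// in ca and authenticating every request with the bearer token.
//
// The target host is the first FQDN of network or, failing that, the IP of
// its first address; the port is network.Ports.Min. It returns an error when
// ca holds no parseable certificate, when network is nil or names no host,
// when the port is zero, or when the resulting URL does not parse.
func NewGenericSecretsDriver(ca []byte, token string, network *common.Service) (SecretsDriver, error) {

	caPool := x509.NewCertPool()
	if !caPool.AppendCertsFromPEM(ca) {
		return nil, fmt.Errorf("No valid CA provided")
	}

	// network is dereferenced below; treat a nil service as "no target"
	// rather than letting it panic.
	if network == nil {
		return nil, fmt.Errorf("No valid target")
	}

	var targetHost string
	switch {
	case len(network.FQDNs) > 0:
		targetHost = network.FQDNs[0]
	case len(network.Addresses) > 0:
		targetHost = network.Addresses[0].IP.String()
	default:
		return nil, fmt.Errorf("No valid target")
	}

	if network.Ports.Min == 0 {
		return nil, fmt.Errorf("Invalid port specification")
	}

	// JoinHostPort brackets IPv6 literals; plain "host:port" concatenation
	// would produce an unparseable authority such as "::1:443".
	hostPort := net.JoinHostPort(targetHost, strconv.Itoa(int(network.Ports.Min)))
	targetURL, err := url.Parse("https://" + hostPort)
	if err != nil {
		// Keep the parse error: it names the offending component for the operator.
		return nil, fmt.Errorf("Invalid URL for secrets service: %w", err)
	}

	return &GenericSecretsDriver{
		transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caPool,
				// Refuse legacy protocol versions even if the backend offers them.
				MinVersion: tls.VersionTLS12,
			},
			// Bound the handshake so a stalled backend cannot hold a proxied
			// request open indefinitely; same budget as http.DefaultTransport.
			TLSHandshakeTimeout: 10 * time.Second,
		},
		token:     token,
		targetURL: targetURL,
	}, nil
}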
    66  
// Transport returns the TLS-configured round tripper that carries requests
// to the secrets service, satisfying the SecretsDriver interface.
func (k *GenericSecretsDriver) Transport() http.RoundTripper {
	var rt http.RoundTripper = k.transport
	return rt
}
    71  
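// Transform rewrites r in place so that it is sent to the secrets service:
// the Host and URL are replaced with the driver's target and the driver's
// bearer token is placed in the Authorization header. It returns an error
// when r is nil or when the driver has no target URL.
//
// The incoming request's path and query are discarded together with the rest
// of its URL. NOTE(review): confirm every caller expects that, rather than
// only the scheme and host being overridden.
func (k *GenericSecretsDriver) Transform(r *http.Request) error {
	if r == nil {
		return fmt.Errorf("nil request")
	}
	if k.targetURL == nil {
		return fmt.Errorf("secrets driver has no target URL")
	}

	// Give the request its own copy: sharing k.targetURL across requests
	// would let any later mutation of r.URL leak into the driver and into
	// every other request it transforms.
	target := *k.targetURL
	r.Host = target.Host
	r.URL = &target

	// A zero-value Request has a nil Header; Set on it would panic.
	if r.Header == nil {
		r.Header = make(http.Header)
	}
	// Set rather than Add: the proxy's token must replace, not sit beside,
	// any Authorization header the caller supplied.
	r.Header.Set("Authorization", "Bearer "+k.token)

	return nil
}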