k3s/pkg/authenticator/authenticator.go

package authenticator

import (
	"strings"

	"github.com/k3s-io/k3s/pkg/authenticator/basicauth"
	"github.com/k3s-io/k3s/pkg/authenticator/passwordfile"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/group"
	"k8s.io/apiserver/pkg/authentication/request/union"
	"k8s.io/apiserver/pkg/authentication/request/x509"
	"k8s.io/apiserver/pkg/server/dynamiccertificates"
)

func FromArgs(args []string) (authenticator.Request, error) {
	var authenticators []authenticator.Request
	basicFile := getArg("--basic-auth-file", args)
	if basicFile != "" {
		basicAuthenticator, err := passwordfile.NewCSV(basicFile)
		if err != nil {
			return nil, err
		}
		authenticators = append(authenticators, basicauth.New(basicAuthenticator))
	}

	clientCA := getArg("--client-ca-file", args)
	if clientCA != "" {
		ca, err := dynamiccertificates.NewDynamicCAContentFromFile("client-ca", clientCA)
		if err != nil {
			return nil, err
		}
		authenticators = append(authenticators, x509.NewDynamic(ca.VerifyOptions, x509.CommonNameUserConversion))
	}

	return Combine(authenticators...), nil
}

func getArg(key string, args []string) string {
	for _, arg := range args {
		if !strings.HasPrefix(arg, key) {
			continue
		}
		return strings.SplitN(arg, "=", 2)[1]
	}
	return ""
}

func Combine(auths ...authenticator.Request) authenticator.Request {
	var authenticators []authenticator.Request
	for _, auth := range auths {
		if auth != nil {
			authenticators = append(authenticators, auth)
		}
	}
	return group.NewAuthenticatedGroupAdder(union.New(authenticators...))
}
Add client certificate authentication support to core Authenticator This is required to make the websocket tunnel server functional on etcd-only nodes, and will save some code on the RKE2 side once pulled through. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-03-28 20:45:39 +00:00			`package authenticator`

			`import (`
			`"strings"`

			`"github.com/k3s-io/k3s/pkg/authenticator/basicauth"`
			`"github.com/k3s-io/k3s/pkg/authenticator/passwordfile"`
			`"k8s.io/apiserver/pkg/authentication/authenticator"`
			`"k8s.io/apiserver/pkg/authentication/group"`
			`"k8s.io/apiserver/pkg/authentication/request/union"`
			`"k8s.io/apiserver/pkg/authentication/request/x509"`
			`"k8s.io/apiserver/pkg/server/dynamiccertificates"`
			`)`

			`func FromArgs(args []string) (authenticator.Request, error) {`
			`var authenticators []authenticator.Request`
			`basicFile := getArg("--basic-auth-file", args)`
			`if basicFile != "" {`
			`basicAuthenticator, err := passwordfile.NewCSV(basicFile)`
			`if err != nil {`
			`return nil, err`
			`}`
			`authenticators = append(authenticators, basicauth.New(basicAuthenticator))`
			`}`

			`clientCA := getArg("--client-ca-file", args)`
			`if clientCA != "" {`
			`ca, err := dynamiccertificates.NewDynamicCAContentFromFile("client-ca", clientCA)`
			`if err != nil {`
			`return nil, err`
			`}`
			`authenticators = append(authenticators, x509.NewDynamic(ca.VerifyOptions, x509.CommonNameUserConversion))`
			`}`

			`return Combine(authenticators...), nil`
			`}`

			`func getArg(key string, args []string) string {`
			`for _, arg := range args {`
			`if !strings.HasPrefix(arg, key) {`
			`continue`
			`}`
			`return strings.SplitN(arg, "=", 2)[1]`
			`}`
			`return ""`
			`}`

			`func Combine(auths ...authenticator.Request) authenticator.Request {`
			`var authenticators []authenticator.Request`
			`for _, auth := range auths {`
			`if auth != nil {`
			`authenticators = append(authenticators, auth)`
			`}`
			`}`
			`return group.NewAuthenticatedGroupAdder(union.New(authenticators...))`
			`}`