|
|
@@ -2,12 +2,24 @@ package com.redhat.training;
|
|
|
|
|
|
import java.io.BufferedReader;
|
|
|
import java.io.File;
|
|
|
+import java.io.FileInputStream;
|
|
|
import java.io.FileReader;
|
|
|
import java.io.IOException;
|
|
|
import java.net.URI;
|
|
|
import java.net.URISyntaxException;
|
|
|
+import java.security.KeyManagementException;
|
|
|
+import java.security.KeyStore;
|
|
|
+import java.security.KeyStoreException;
|
|
|
+import java.security.NoSuchAlgorithmException;
|
|
|
+import java.security.cert.CertificateException;
|
|
|
+import java.security.cert.CertificateFactory;
|
|
|
+import java.security.cert.X509Certificate;
|
|
|
import java.util.Optional;
|
|
|
|
|
|
+import javax.net.ssl.SSLContext;
|
|
|
+
|
|
|
+import org.apache.http.ssl.SSLContextBuilder;
|
|
|
+import org.apache.http.ssl.SSLContexts;
|
|
|
import org.eclipse.microprofile.config.inject.ConfigProperty;
|
|
|
import org.eclipse.microprofile.rest.client.RestClientBuilder;
|
|
|
import org.jboss.logging.Logger;
|
|
|
@@ -28,8 +40,8 @@ public class Activator {
|
|
|
@ConfigProperty(name = "api.endpoint")
|
|
|
Optional<String> apiserver;
|
|
|
|
|
|
-
|
|
|
-
|
|
|
+ @ConfigProperty(name = "api.tlsca.file")
|
|
|
+ Optional<String> tlsca;
|
|
|
|
|
|
ApiClient k8s;
|
|
|
|
|
|
@@ -62,50 +74,50 @@ public class Activator {
|
|
|
apiserver = Optional.of("https://kubernetes.default/");
|
|
|
}
|
|
|
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
+
|
|
|
+ SSLContext sc = null;
|
|
|
+ if (apiserver.get().startsWith("https://")) {
|
|
|
+
|
|
|
+ File tlscaFile;
|
|
|
+ if (tlsca.isPresent() && !tlsca.get().isEmpty()) {
|
|
|
+ LOG.debug("Got TLS CA cert file from environment, checking.");
|
|
|
+ tlscaFile = new File(tlsca.get());
|
|
|
+ } else {
|
|
|
+ LOG.warn("TLS CA cert not found in environment. Trying service account.");
|
|
|
+ tlscaFile = new File("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt");
|
|
|
+ }
|
|
|
+ if (!tlscaFile.exists()) {
|
|
|
+ throw new RuntimeException("TLS CA cert file set, but does not exist.");
|
|
|
+ }
|
|
|
+
|
|
|
+ LOG.info("Attempting to build SSLContext with " + tlscaFile.getAbsolutePath());
|
|
|
+ try {
|
|
|
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
|
|
|
+ ks.load(null);
|
|
|
+
|
|
|
+ X509Certificate crt = (X509Certificate)CertificateFactory.getInstance("X509")
|
|
|
+ .generateCertificate(new FileInputStream(tlscaFile));
|
|
|
+
|
|
|
+ ks.setCertificateEntry(crt.getSubjectX500Principal().getName(), crt);
|
|
|
+
|
|
|
+ SSLContextBuilder scb = SSLContexts.custom().loadTrustMaterial(ks, (a, b) -> {return true;});
|
|
|
+ sc = scb.build();
|
|
|
+ } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException | KeyManagementException e) {
|
|
|
+ throw new RuntimeException("Could not load TLS CA: " + e.getMessage(), e);
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
try {
|
|
|
-
|
|
|
+ if (sc == null) {
|
|
|
this.k8s = RestClientBuilder.newBuilder()
|
|
|
.baseUri(new URI(this.apiserver.get()))
|
|
|
.build(ApiClient.class);
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
+ } else {
|
|
|
+ this.k8s = RestClientBuilder.newBuilder()
|
|
|
+ .baseUri(new URI(this.apiserver.get()))
|
|
|
+ .sslContext(sc)
|
|
|
+ .build(ApiClient.class);
|
|
|
+ }
|
|
|
} catch (URISyntaxException use) {
|
|
|
throw new RuntimeException("Could not construct BASE URI for REST client: " + use.getMessage(), use);
|
|
|
}
|
