Updates proxy to use http.Handler with passing context

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/app/options/options.go

@@ -80,6 +80,11 @@ func (o *Options) Validate(cmd *cobra.Command) error {
 		errs = append(errs, errors.New("unable to securely serve on port 8080 (used by readiness probe)"))
 	}
 
+	if o.App.DisableImpersonation &&
+		(o.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader || len(o.App.ExtraHeaderOptions.ExtraUserHeaders) > 0) {
+		errs = append(errs, errors.New("cannot add extra user headers when impersonation disabled"))
+	}
+
 	if len(errs) > 0 {
 		return k8sErrors.NewAggregate(errs)
 	}

cmd/app/run.go

@@ -72,7 +72,7 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 				return err
 			}
 
-			proxyOptions := &proxy.Options{
+			proxyConfig := &proxy.Config{
 				TokenReview:          opts.App.TokenPassthrough.Enabled,
 				DisableImpersonation: opts.App.DisableImpersonation,
 
@@ -84,7 +84,7 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 
 			// Initialise proxy with OIDC token authenticator
 			p, err := proxy.New(restConfig, opts.OIDCAuthentication,
-				tokenReviewer, secureServingInfo, proxyOptions)
+				tokenReviewer, secureServingInfo, proxyConfig)
 			if err != nil {
 				return err
 			}

pkg/proxy/context/context.go

@@ -0,0 +1,56 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package context
+
+import (
+	"context"
+	"net/http"
+
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/transport"
+)
+
+type key int
+
+const (
+	// noImpersonationKey is the context key for whether to use impersonation.
+	noImpersonationKey key = iota
+
+	// impersonationConfigKey is the context key for the impersonation config.
+	impersonationConfigKey
+
+	// bearerTokenKey is the context key for the bearer token.
+	bearerTokenKey
+)
+
+// WithNoImpersonation returns a copy of parent in which the noImpersonation value is set.
+func WithNoImpersonation(parent context.Context) context.Context {
+	return request.WithValue(parent, noImpersonationKey, true)
+}
+
+// NoImpersonation returns whether the noImpersonation key has been set
+func NoImpersonation(ctx context.Context) bool {
+	noImp, _ := ctx.Value(noImpersonationKey).(bool)
+	return noImp
+}
+
+// WithImpersonationConfig returns a copy of parent in which contains the impersonation configuration.
+func WithImpersonationConfig(parent context.Context, conf *transport.ImpersonationConfig) context.Context {
+	return request.WithValue(parent, impersonationConfigKey, conf)
+}
+
+// ImpersonationConfig returns the impersonation configuration held in the context if existing.
+func ImpersonationConfig(ctx context.Context) *transport.ImpersonationConfig {
+	conf, _ := ctx.Value(impersonationConfigKey).(*transport.ImpersonationConfig)
+	return conf
+}
+
+// WithBearerToken will add the bearer token from an http.Header to the context.
+func WithBearerToken(parent context.Context, header http.Header) context.Context {
+	return request.WithValue(parent, bearerTokenKey, header.Get("Authorization"))
+}
+
+// BearerToken will return the bearer token stored in the context.
+func BearerToken(ctx context.Context) string {
+	token, _ := ctx.Value(bearerTokenKey).(string)
+	return token
+}