Merge pull request #25 from rimolive/rmartine-cloud-1162

Add a token based implementation for kube-ping

Author: rcernich

common/src/main/java/org/openshift/ping/common/stream/TokenStreamProvider.java

@@ -0,0 +1,119 @@
+package org.openshift.ping.common.stream;
+
+import static org.openshift.ping.common.Utils.openFile;
+
+import java.io.FileNotFoundException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLConnection;
+import java.security.KeyStore;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+/**
+ * @author <a href="mailto:[email protected]">Ricardo Martinelli</a>
+ */
+public class TokenStreamProvider extends BaseStreamProvider {
+
+    private static final Logger log = Logger.getLogger(TokenStreamProvider.class.getName());
+
+    private String token;
+
+    private String caCertFile;
+
+    private SSLSocketFactory factory;
+
+    public TokenStreamProvider(String token, String caCertFile) {
+        this.token = token;
+        this.caCertFile = caCertFile;
+    }
+
+    @Override
+    public InputStream openStream(String url, Map<String, String> headers, int connectTimeout, int readTimeout)
+            throws IOException {
+        URLConnection connection = openConnection(url, headers, connectTimeout, readTimeout);
+
+        if (connection instanceof HttpsURLConnection) {
+            HttpsURLConnection httpsConnection = HttpsURLConnection.class.cast(connection);
+            //httpsConnection.setHostnameVerifier(InsecureStreamProvider.INSECURE_HOSTNAME_VERIFIER);
+            httpsConnection.setSSLSocketFactory(getSSLSocketFactory());
+            if (log.isLoggable(Level.FINE)) {
+                log.fine(String.format("Using HttpsURLConnection with SSLSocketFactory [%s] for url [%s].", factory, url));
+            }
+        } else {
+            if (log.isLoggable(Level.FINE)) {
+                log.fine(String.format("Using URLConnection for url [%s].", url));
+            }
+        }
+
+        if (token != null) {
+            // curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+            // https://172.30.0.2:443/api/v1/namespaces/dward/pods?labelSelector=application%3Deap-app
+            headers.put("Authorization", "Bearer " + token);
+        }
+        return connection.getInputStream();
+    }
+
+    private TrustManager[] configureCaCert(String caCertFile) throws Exception {
+        if (caCertFile != null) {
+            try {
+                InputStream pemInputStream = openFile(caCertFile);
+                try {
+                    CertificateFactory certFactory = CertificateFactory.getInstance("X509");
+                    X509Certificate cert = (X509Certificate)certFactory.generateCertificate(pemInputStream);
+
+                    KeyStore trustStore = KeyStore.getInstance("JKS");
+                    trustStore.load(null);
+
+                    String alias = cert.getSubjectX500Principal().getName();
+                    trustStore.setCertificateEntry(alias, cert);
+
+                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                    trustManagerFactory.init(trustStore);
+
+                    return trustManagerFactory.getTrustManagers();
+                } finally {
+                    pemInputStream.close();
+                }
+            } catch (FileNotFoundException fnfe) {
+                log.log(Level.SEVERE, "ca cert file not found: " + caCertFile);
+                throw fnfe;
+            } catch (Exception e) {
+                log.log(Level.SEVERE, "Could not create trust manager for " + caCertFile, e);
+                throw e;
+            }
+        } else {
+            log.log(Level.WARNING, "ca cert file undefined");
+            return InsecureStreamProvider.INSECURE_TRUST_MANAGERS;
+        }
+    }
+
+    private SSLSocketFactory getSSLSocketFactory() throws IOException {
+        if(this.factory == null) {
+            synchronized(this) {
+                if(this.factory == null) {
+                    try {
+                        TrustManager[] trustManagers = configureCaCert(this.caCertFile);
+                        SSLContext context = SSLContext.getInstance("TLS");
+                        context.init(null, trustManagers, null);
+                        this.factory = context.getSocketFactory();
+                    } catch(Exception e) {
+                        throw new IOException(e);
+                    }
+                }
+            }
+        }
+        return this.factory;
+    }
+
+}

kube/src/main/java/org/openshift/ping/kube/KubePing.java

@@ -32,8 +32,8 @@
 import org.jgroups.conf.ClassConfigurator;
 import org.openshift.ping.common.OpenshiftPing;
 import org.openshift.ping.common.stream.CertificateStreamProvider;
-import org.openshift.ping.common.stream.InsecureStreamProvider;
 import org.openshift.ping.common.stream.StreamProvider;
+import org.openshift.ping.common.stream.TokenStreamProvider;
 
 /**
  * @author <a href="mailto:[email protected]">Ales Justin</a>
@@ -88,7 +88,7 @@ public class KubePing extends OpenshiftPing {
     private String clientKeyAlgo = "RSA";
 
     @Property
-    private String caCertFile;
+    private String caCertFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
 
     @Property
     private String saTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token";
@@ -166,12 +166,9 @@ public void init() throws Exception {
             mHost = getSystemEnv(new String[]{getSystemEnvName("MASTER_HOST"), "KUBERNETES_SERVICE_HOST"}, masterHost, true);
             mPort = getSystemEnvInt(new String[]{getSystemEnvName("MASTER_PORT"), "KUBERNETES_SERVICE_PORT"}, masterPort);
             String saToken = readFileToString(getSystemEnv(getSystemEnvName("SA_TOKEN_FILE"), saTokenFile, true));
-            if (saToken != null) {
-                // curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-                // https://172.30.0.2:443/api/v1/namespaces/dward/pods?labelSelector=application%3Deap-app
-                headers.put("Authorization", "Bearer " + saToken);
-            }
-            streamProvider = new InsecureStreamProvider();
+            String lCaCertFile = getSystemEnv(new String[]{getSystemEnvName("CA_CERT_FILE"), "KUBERNETES_CA_CERTIFICATE_FILE"}, caCertFile, true);
+
+            streamProvider = new TokenStreamProvider(saToken, lCaCertFile);
         }
         String ver = getSystemEnv(getSystemEnvName("API_VERSION"), apiVersion, true);
         String url = String.format("%s://%s:%s/api/%s", mProtocol, mHost, mPort, ver);