# TLS material for the webhook, signed by the cluster CA and stored as a Kubernetes Secret.
# NOTE: -nodes writes server.key unencrypted, and the signing step reads the cluster CA
# private key (/etc/kubernetes/pki/ca.key), so run it where that key already lives and
# keep both key files readable only by their owner.
# openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
# openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
# kubectl create secret generic tls-secret --from-file=server.key --from-file=server.crt
# The same key/CSR and signing commands again, followed by a local virtualenv setup:
# openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
# openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
# python3 -m venv ~/https
# source ~/https/bin/activate
# pip3 install -r requirements.txt
from flask import Flask, request, jsonify
import argparse
import os
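def check_environment_variables():
    """
    Read the TLS and port settings for the webhook server from the environment.

    - 'KEY' and 'CERTIFICATE' are optional, but they must be supplied together:
      if either variable is present, both must be non-empty, otherwise a
      ValueError is raised.
    - 'PORT' is optional. When it is unset the port defaults to 443 if 'KEY'
      is defined and to 80 otherwise. When it is set it must be an integer in
      the range 1-65535.

    Returns:
        tuple: (key, certificate, port). 'key' and 'certificate' are the raw
        environment values (None when unset); the caller passes them to
        app.run() as the ssl_context pair. 'port' is an int.

    Raises:
        ValueError: If only one of 'KEY'/'CERTIFICATE' is usable, or if
            'PORT' is not an integer or lies outside 1-65535.
    """
    key = os.getenv('KEY')
    certificate = os.getenv('CERTIFICATE')

    # A half-configured pair must stop startup: silently falling back to
    # plain HTTP would expose the webhook without TLS.
    if (key is not None or certificate is not None) and not (key and certificate):
        raise ValueError("Both 'KEY' and 'CERTIFICATE' must be defined if one is set.")

    port_env = os.getenv('PORT')
    if port_env is None:
        # No explicit port: choose the conventional HTTPS or HTTP port.
        return key, certificate, 443 if key is not None else 80

    try:
        port = int(port_env)
    except ValueError as err:
        raise ValueError("Environment variable 'PORT' must be an integer.") from err

    # Reject values no socket can bind to here, rather than failing later
    # inside app.run() with a less specific error.
    if not 1 <= port <= 65535:
        raise ValueError("Environment variable 'PORT' must be between 1 and 65535.")

    return key, certificate, port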
# WSGI application object; the /namespace admission route below is registered on it.
app = Flask(__name__)
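def _admission_response(uid, allowed, message=None):
    """Build an admission.k8s.io/v1 AdmissionReview reply; *message* adds a 403 status."""
    response = {"uid": f"{uid}", "allowed": allowed}
    if message is not None:
        response["status"] = {"code": 403, "message": message}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


@app.route("/namespace", methods = ['GET', 'POST'])
def hello():
    """
    Validating admission handler that ties namespace names to the requesting user.

    Reads uid, name, operation and userInfo from the posted AdmissionReview.
    Requests from users outside the "SLICES-RI" group are allowed without any
    check. For members of that group the namespace name must start with
    '<username>-'; anything else is denied with a 403 status.

    Returns:
        dict: An AdmissionReview response echoing the request uid, or a
        (dict, 400) pair when the body is not a usable AdmissionReview.
    """
    review = request.get_json(silent=True)
    # NOTE(review): this logs the whole AdmissionReview, userInfo included;
    # consider logging only uid/name/operation outside of debugging.
    print (review)

    try:
        req = review['request']
        uid = req['uid']
        ns = req['name']
        operation = req['operation']
        user_info = req['userInfo']
        username = user_info['username']
        # 'groups' may be absent from userInfo; treat that as "no groups".
        groups = user_info.get('groups') or []
    except (KeyError, TypeError, AttributeError):
        # Missing or non-JSON body: answer with a clear client error instead
        # of an unhandled exception.
        return {"error": "malformed AdmissionReview request"}, 400
    if not isinstance(ns, str) or not isinstance(username, str):
        return {"error": "malformed AdmissionReview request"}, 400

    if "SLICES-RI" not in groups:
        print ("skip check")
        return _admission_response(uid, True)

    # The policy stated in the messages is '<username>-*', so the separator is
    # part of the match. A bare startswith(username) would let user "bob" act
    # on namespaces that belong to user "bobby".
    if not ns.startswith(f"{username}-"):
        if operation == "CREATE":
            message = f"Invalid namespace, your namsespace must be of the form '{username}-*'"
        elif operation == "DELETE":
            message = f"Invalid namespace, your namsespace to delete must be of the form '{username}-*'"
        else:
            # Any other operation used to leave the reply undefined and crash
            # the handler; deny it explicitly so the decision fails closed.
            message = f"Invalid namespace, operation {operation} is only allowed on namespaces of the form '{username}-*'"
        return _admission_response(uid, False, message)

    print ("Should install everything in the ns {}".format(ns))
    print (request.remote_addr)
    return _admission_response(uid, True)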
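if __name__ == "__main__":
    # Resolve TLS and port settings before starting the server.
    try:
        key, certificate, port = check_environment_variables()
    except ValueError as e:
        print(f"Error: {e}")
        # Stop here: continuing would hit a NameError on 'key' below, and a
        # misconfigured TLS pair must not fall through to serving anything.
        raise SystemExit(1)

    # NOTE(review): the server listens on all interfaces. Kubernetes calls
    # admission webhooks over HTTPS, so the plain-HTTP branch is presumably
    # for local testing only - confirm before deploying without KEY set.
    if key is None:
        app.run(host='0.0.0.0', port=port)
    else:
        # ssl_context takes the pair in (certificate, key) order.
        app.run(host='0.0.0.0', port=port, ssl_context=(certificate, key))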