temp commit

cmd/cube/app/options/flags/apiserver.go

@@ -49,5 +49,13 @@ func init() {
 			Name:        "tls-key",
 			Destination: &CubeOpts.APIServerOpts.TlsKey,
 		},
+		&cli.StringFlag{
+			Name:        "ca-cert",
+			Destination: &CubeOpts.APIServerOpts.CaCert,
+		},
+		&cli.StringFlag{
+			Name:        "ca-key",
+			Destination: &CubeOpts.APIServerOpts.CaKey,
+		},
 	}...)
 }

deploy/manifests/tlsSecret.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data:
   tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lKQU05MFN5eVZqTnFWTUEwR0NTcUdTSWIzRFFFQkN3VUFNQ0F4SGpBY0JnTlYKQkFNTUZTb3VhM1ZpWldOMVltVXRjM2x6ZEdWdExuTjJZekFlRncweU1UQTBNamN3TmpBNU5ESmFGdzAwT0RBNQpNVEl3TmpBNU5ESmFNRm94Q3pBSkJnTlZCQVlUQW1Ob01Rc3dDUVlEVlFRSURBSjZhakVMTUFrR0ExVUVCd3dDCmFIb3hFVEFQQmdOVkJBb01DR3QxWW1WamRXSmxNUjR3SEFZRFZRUUREQlVxTG10MVltVmpkV0psTFhONWMzUmwKYlM1emRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEaDA5RHJFTGZyS0lSbwpDM2dxMXFvSHFxa0ZlYTFXTUZaQWhVL3JYbGhLblI4SDVuNTlaeWtZUWlLa25BVFVWQ2lLbWVrbGRCU1NUTWd4Ck9ab0NoWTh1bnJHSlJsOFEwUTRYODVQa1JCZ1RlWDB1OHRBRVEzUjhMamgxNG5NaE5hSG1CeGMyQ1BFbkFJVlQKZ3lqeUQrczdwYVF6MXRsNFRzUERzNTNnZFkzZnk2a0Fkc2d2WkxXQ2hmYldsT0lrOGl2UlpsSHp4REN1a1FieAozRDFXaUh3UzZIcUJMUzFUZERjazBUSUwxK1ZqT1VFMzFNSEt0ZTRkTTRFTmI4M3JoQkRGc09IS3I3Zlc1blVOCkE4ejVYWjJuT096RkJMYjYvVVhpRkRVSm1KMTdBU0piR3EvZVBXZUhHbHVOQnZGSllXa3NpVVlnbmRZR2RsVDUKUDVPbENsNkpBZ01CQUFHamdjQXdnYjB3VUFZRFZSMGpCRWt3UjRBVVRNa1p1M0dPYVQzSjFuVkgrdGQxTDhEOQo5a2loSktRaU1DQXhIakFjQmdOVkJBTU1GU291YTNWaVpXTjFZbVV0YzNsemRHVnRMbk4yWTRJSkFONFUvTXFJCm80dHRNQWtHQTFVZEV3UUNNQUF3Q3dZRFZSMFBCQVFEQWdRd01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUIKQmdnckJnRUZCUWNEQWpBeUJnTlZIUkVFS3pBcGdoVXFMbXQxWW1WamRXSmxMWE41YzNSbGJTNXpkbU9IQkg4QQpBQUdIQkFxdElJV0hCQXF0SUlRd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDYkxBRU5nZUEvUUNGd3lUYSt2CmNoZnJwbWNVbmdXb04reVl4aDU1aCs3TENvYklQWkZ6QUVSdjdZVzZOdkgzVHdCZys4UGM5SzFVZm1oRnRoV3AKQ1V5a1NYM3BodXB2YUZVKzFIV2xpNGxwWXE2QSt6QW00T05ZcTcxMVNSMXk3RnlLMFZlQVRlalQyWHc5dFhxTQo4QStoUnMvOGNFN0p3L0JWU2dleXlFUnpOdXF3L1NueVNrT0xjamk1OXRqRUN0cmgrUHpDME9zcGNvdCtDWXlKCmlJWEpvRWNZanpkbmF4TERsVlNRNzFrbEV5SDY4YTB4eWtZTGV4NWRnazhNaVArbjd0SDhDWUlwSDFSdzIwYi8KZjdJMEVObTR2WU14SGJCbVl0YlFQUXRDU3YweVRMeGFqOTFNNml2ckdBZWY3alpDalhTaVQ0Z0FLZXdtR3VuMQpnN0k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
   tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNGRQUTZ4QzM2eWlFYUF0NEt0YXFCNnFwQlhtdFZqQldRSVZQNjE1WVNwMGZCK1orCmZXY3BHRUlpcEp3RTFGUW9pcG5wSlhRVWtreklNVG1hQW9XUExwNnhpVVpmRU5FT0YvT1Q1RVFZRTNsOUx2TFEKQkVOMGZDNDRkZUp6SVRXaDVnY1hOZ2p4SndDRlU0TW84Zy9yTzZXa005YlplRTdEdzdPZDRIV04zOHVwQUhiSQpMMlMxZ29YMjFwVGlKUElyMFdaUjg4UXdycEVHOGR3OVZvaDhFdWg2Z1MwdFUzUTNKTkV5QzlmbFl6bEJOOVRCCnlyWHVIVE9CRFcvTjY0UVF4YkRoeXErMzF1WjFEUVBNK1YyZHB6anN4UVMyK3YxRjRoUTFDWmlkZXdFaVd4cXYKM2oxbmh4cGJqUWJ4U1dGcExJbEdJSjNXQm5aVStUK1RwUXBlaVFJREFRQUJBb0lCQUY0a2lHN0dYSFhyUVMrQwp3SWpUVHJTOWY1THB3OG92Z25XSlhlVFlRdVJ3RmZTY01WVWtBV3k4ZldhMEtBdEFQbHB4aVZGMHovS2hrYjk3CnJPbXFOaU9RUXFEZ3RsYnpYL1c2Tklndm52M1hZc21FcmhWbzdaR3JUeHhOMkFNYk1iQU1lcStyRUtWYXdUb3MKYnBCaTlJUzhLL1QwZDFxQk0zbE5VdDYxQXYwdFNHKzhlemZjakpzZ0tHOHE4OHNsdXZJZk1LcEhQMEw1eE9pQgpncDViR3hSTkFsNzBjRTBxQm5VSzBSeGRKUUpYRlRzSVZFUjVzTGhST2ZrdVJ5c2Z2NThSeS84cWVOOHBKeFlxCitKbitVRGduNGxZTFBiWEhvYnJCRkJ2VnpmYVBuNWxhNTYveFZid0dtZXlkTDBBRzZicXk4MHo4WkZNaVRxMDgKVzFPT1JKRUNnWUVBOXNVbFdEaWs0dEN1bS9TKzh4NDRRR2VWck9jUE9Gc1FzRHh6bW9KNzNYdnRsR0YweHNtbwplcFBOOWxaUGZpNkJEb255ZGg5eGVITUpuUjk3a3FnaENnS1UxMm9iQ3o5Wi9ESXpqcS82TjV5WGFSSTRJaXQ5CmlVS0FweGUwanNvSG5wMitKTmhCNDBVc1h4NGpIVmtyMUhUVEFNRXBqZzdjSFNJWElFRWZDQTBDZ1lFQTZrWWsKTGllUjBpZCtneE9uSEp4Y2ppSzBSaXhVN2xYb3ZjSVo3UnN3aFlWZmM4ekV6ZHRFQVZCcHAvcU02b0VjNldCQgp5SVNQWExzWWl5bTBaalBhSFBpUDJxZmg5N2Npa2JFYlR5YzAvdmRiRG1LOFdzZ0w2dmJTc1AxamhUOWR4ZUlmCi9rSVFNS2QvaURIK0psUFVtbFY5Q2QwMEh3c0tGdHl2b0swK2RXMENnWUVBOGdlT2h5YVhZZmEzS3pNekRaUjQKSzRMdEpIWkRVVXpQNDJxSEgrWVd3cmJINEI1dHdJTU5BWnh5QjhmRGs4amN2M3ZCR09YaUR2Y1ZXTXdHRVdOaApkRVh2NGcrcGtyQ0IrMzdwWG10dkNKaEhVTUNUMmIrNkVxUHROdlZqSENFK3MrMlhEdUFrVDFvTEdRZWYvU3IyCmVCeFV6NHFrelRYNTRZRU1HWkNGZFFrQ2dZRUF5V3BlaHRQOFdkc2N1T0wzcFBDRjNxblZwaE5OUGMvY2x2Qy8KUzR3NXprSFp5L3g4STZSbE5tQUZScWR4NmRmeG5HL21mdGdCVGErSnJYUEFwckhqejA2Z2wxUUpRZWxRcmtPLwpmL0RzYmwwS0N6YzJTeko4bEpsNmtUSjVFc0ZsQk5HaHdmN1lYb3hUYUN2Ykh1YXAvYnFNRXlQOFFNaEQ5MTNyCkhWQjFSNDBDZ1lBVEhOVG5LVlV1NWFEVW14SlVKbUZPZ2NrakVMd3puc1dDRklpbHE1SHdiZUJlZUtQcmNNVkEKRVphcENuc0hHOHh2eVNYMkNtVy9oL0Z1Q3B2elp5aldlR3c3MGhqSnF6amRCd1FGTU9LN3grcXJoYWxEQ3BRSQpwb0NwczN4ejM1QUcyamQ0ZFpuajl0azV0Qk9qOU55RTlxVklnNkJrbGNaVlQwc0tlcXA1WWc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ==
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lKQU40VS9NcUlvNHR0TUEwR0NTcUdTSWIzRFFFQkN3VUFNQ0F4SGpBY0JnTlYKQkFNTUZTb3VhM1ZpWldOMVltVXRjM2x6ZEdWdExuTjJZekFlRncweU1UQTBNamN3TmpBNU1qRmFGdzAwT0RBNQpNVEl3TmpBNU1qRmFNQ0F4SGpBY0JnTlZCQU1NRlNvdWEzVmlaV04xWW1VdGMzbHpkR1Z0TG5OMll6Q0NBU0l3CkRRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFPc2YyWEdJMmNtQkZSbXVJdTNLTUFTcCt2bWkKdWN6WlpxZ1ljV3JXUUcyNUY0aG9FU1BxRFFJRHVkTlVIMFpZWUFGbExieEllSWhnMEVhWFZmU2NuOVUxMFFEMwpqYmp6dFVBWS9mQlNsMEltaXNkWTU2QjVEYWhxdUNuNTA5Vk9OR2lSYUErL1hHWTE0djZMbElSZGJlUWlONE1JCmtMenloaVd2NVNtYTBhSTB0Q1YybkFia0QyR0Y2dU9yMHZWK2ZxVGwzR1FDWHhmUzhuZkRNWWxwQkRidFFjUTUKc3k3OXZUSzhnOWtOM3dsVEdTeENuaC9MbUtQR0lBRDNLeDdSQy9mTnhMdDJIU0tpRFN2Y1c1bzhHbGV0amoxaQpVT0MxR0tOSzRmM1FDb29EVjYycmdBOFJINDU4a2RpVlNyY0NkaWpvN2ZOMDc4YWMreExsT1BxTmc3OENBd0VBCkFhTlFNRTR3SFFZRFZSME9CQllFRkV6SkdidHhqbWs5eWRaMVIvclhkUy9BL2ZaSU1COEdBMVVkSXdRWU1CYUEKRkV6SkdidHhqbWs5eWRaMVIvclhkUy9BL2ZaSU1Bd0dBMVVkRXdRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFIaDJVejY4Z0YyRUlScTdPOGVyQVlQeVpqRWdCL3VjdE0ybThvYnFtelBzWHVnMXZxZk9udFVGClVONWsxZFBWY2J2djM0cHE3Y29UcnpsL0JtdnVhVTRCakJ0VzNLanJKSVJla1JmbkJxdU5ja05UMVpGWEtOUHgKUTAyU2o2MWpnMHVRazBBeG9FeFM0aUtYZ2Y1REdnck5rdWJGNGZ3S1JuajJ4SmJIWVVpUkdjRVRlQW9lNXI1dAptWCtnYjJNVTdQZktwQnVYTC9GV3hVNS9uNVY4S2xnTVMvdTlDVzhSTzhuZ24wTXlUWFdmd0FJWVpVTGRPMU9BCnBIT09zVUdqcmIrUVEwblFkL1V5aGZOSE9ueG9HRUNldFdiOU9tZGxSWWRXN1hROS9wZjVlZThqS1d3MmFESWgKZVBIdmYvZUFvQmpIS1k5dWNhUUNhNmdTM3pkQlA3VT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
+  ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBNngvWmNZalp5WUVWR2E0aTdjb3dCS242K2FLNXpObG1xQmh4YXRaQWJia1hpR2dSCkkrb05BZ081MDFRZlJsaGdBV1V0dkVoNGlHRFFScGRWOUp5ZjFUWFJBUGVOdVBPMVFCajk4RktYUWlhS3gxam4Kb0hrTnFHcTRLZm5UMVU0MGFKRm9ENzljWmpYaS9vdVVoRjF0NUNJM2d3aVF2UEtHSmEvbEtaclJvalMwSlhhYwpCdVFQWVlYcTQ2dlM5WDUrcE9YY1pBSmZGOUx5ZDhNeGlXa0VOdTFCeERtekx2MjlNcnlEMlEzZkNWTVpMRUtlCkg4dVlvOFlnQVBjckh0RUw5ODNFdTNZZElxSU5LOXhibWp3YVY2Mk9QV0pRNExVWW8wcmgvZEFLaWdOWHJhdUEKRHhFZmpueVIySlZLdHdKMktPanQ4M1R2eHB6N0V1VTQrbzJEdndJREFRQUJBb0lCQUNINHR4VWxYYm8wa1ZUbAppUnhzVXlYSlhYN0dHU3hVMlBVK210eUIya3RBSy90RWRmMkhhcHU0NkJkMWx4TTEzNkV6K2ppekM5OUFoYmM5ClZHa0VYRCtWQi82b3hleE1JZ3NCMFdid3QvUVIxNGxYK2hlQWhnMm9aYldDNkMxd29EZmZrblo4QXFDdDluOHEKc2FteVNoZGxMam9iZWJZaklHaS9ray9Cazdwb3RodmJVMVNBdkNkaEE0Y0hTdzl6TXhYc2I1NUZhU2owYzZMSApPRWg2VXkrdzF2UlZERTFGWWxMSGY4VDdZVmJ3ZHdqbXdtMXQ1UXM2Rm1uK3dsVjBuUytIQ2JoT2ZJUVRUVW5LCnhyMTZBdGg5VjZSdkkyREFLdWRrbWNkdnN3OHJtTXl1L25mNUY0VHA2dStORWhsdmNVdmNiZWtPcXJmMWxnQ1oKMlZvWFdwRUNnWUVBK0V6d0hlYTVTSmNvajJEenQyWUc2Tm9kb2JhMjhCR1lVaFM4a2Z5dXVxcTMyRVFMQnNEbgpsY3hYa1ZSQlVPVDh2Wm9LZDJOZ1RtVWN5UlJOOC9aZ1lYc3IzUTV2d2tlK3hwMGNZbnZSTU9zV3YwbWordzVpCllDUmxXUmhKZWZ6ZkJRaFdTa2M3U0JTZUlTUFZOMTJvQmgwQXZOb09LcjFXVFUzMUI0dElpcmNDZ1lFQThtcFIKQ2N2UWRid1YyZEhiY05adHMrRWdZS3Q3aExKdDNybUVRWWN5TEJRV3ZIN05yZ1E1UWM4d1p3Q0pjYmdKdlZKcgp3TnhkMEVIRVc1bHcxbDFnai96MjN3UGlkTmtidmozYmorT3ordlRzcTN6SzkwZjNucjRlaFdoeU1ZWldsVE1xCnlZRURrcGJXMk9wamcrSnZwQTRGNytjOEhSTUFLOGJ4WWtvaFp6a0NnWUFyWFpTYVJFK2I0L3FMZ0ExUXZKcjgKVkF2VTBJcUd4eXZwT2dIdEpVcUhBNFgwV1gzcmdnbHdXaTM1RGRRU2dzdTVlWXZXYWg3SjBsTUNzMjhoNnFmTwpucXA4Z3liMXNYNGFSaHBOQVA3NklqVG8xNzJ4L1VNbE0zWVg1MnY5eURKVE9LK0piWU5uQldMUXV1ZGtNaEZFCmNCQk82MjZKL0dOMFFPZEltQVRsWlFLQmdEUG9JZndZQVVZRWhTVkQ4MW9CQURLQkpSNnQrVi9ibVAwVStrWFIKdmlPRUZhNDg5S3VyU2R0V2t3V3JMc01ENWtuOHFRZjk1N1NkTUg5d3BxR3dFdW9oLzNhWGJWa1oxLy92WE9FOQpuNTgvN0tGM3Nqb3ExZEhPNGRndEdpNlNsbDJTUERvemZ1RlhuUitMYU0ybm9jSWVJcFZSRFNVb21XUEdVSTk4ClVoUzVBb0dBSlpUU1RoVWhjUFBGdWptVEplOXFyWmZLMmZ6NDcwNlVHNlpoc0lONVdWUnl4N0lNK0hVNWtkL20KcXhSSkVjZHVTWm5Fb204SEVMelE5bG40UHUvL3RmSnRFWFdlaHRCR0NJZVlXNWpzck1hRkhsRW9VZmpPQXZVWQpNcEdaWUZobUFTdS9JbnhUM3puTGlrOGxOcHNxYnZrSjYrVGpGWVBUOCtJMUN6VVJQRTg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
 kind: Secret
 metadata:
   name: cube-tls-secret

pkg/apiserver/apiserver.go

@@ -19,6 +19,7 @@ package apiserver
 import (
 	"context"
 	"fmt"
+	"github.com/kubecube-io/kubecube/pkg/apiserver/middlewares"
 	"net/http"
 	"time"
 
@@ -33,7 +34,6 @@ import (
 	"github.com/kubecube-io/kubecube/pkg/apiserver/cubeapi/key"
 	resourcemanage "github.com/kubecube-io/kubecube/pkg/apiserver/cubeapi/resourcemanage/handle"
 	"github.com/kubecube-io/kubecube/pkg/apiserver/cubeapi/user"
-	"github.com/kubecube-io/kubecube/pkg/apiserver/middlewares"
 	"github.com/kubecube-io/kubecube/pkg/clog"
 	"github.com/kubecube-io/kubecube/pkg/utils/constants"
 	_ "github.com/kubecube-io/kubecube/pkg/utils/errcode"
@@ -56,7 +56,7 @@ type APIServer struct {
 // @version 1.0
 // @description This is KubeCube api documentation.
 // registerCubeAPI register apis for cube api server
-func registerCubeAPI() http.Handler {
+func registerCubeAPI(cfg *Config) http.Handler {
 	router := gin.New()
 	cubeApis := router.Group(constants.ApiPathRoot)
 
@@ -64,8 +64,12 @@ func registerCubeAPI() http.Handler {
 
 	scout.AddApisTo(cubeApis)
 	middlewares.SetUpMiddlewares(router)
-	cluster.AddApisTo(cubeApis)
-	authorization.AddApisTo(cubeApis)
+
+	// clusters apis handler
+	cluster.NewHandler().AddApisTo(cubeApis)
+
+	// authZ apis handler
+	authorization.NewHandler().AddApisTo(cubeApis)
 
 	router.POST(constants.ApiPathRoot+"/login", user.Login)
 	router.GET(constants.ApiPathRoot+"/oauth/redirect", user.GitHubLogin)
@@ -108,7 +112,7 @@ func registerCubeAPI() http.Handler {
 }
 
 func NewAPIServerWithOpts(ops *Config) *APIServer {
-	router := registerCubeAPI()
+	router := registerCubeAPI(ops)
 
 	s := &APIServer{
 		Server: &http.Server{

pkg/apiserver/config.go

@@ -34,6 +34,8 @@ type HttpConfig struct {
 	GenericPort  int    `yaml:"genericPort,omitempty"`
 	TlsCert      string `yaml:"tlsCert,omitempty"`
 	TlsKey       string `yaml:"tlsKey,omitempty"`
+	CaCert       string `yaml:"caCert,omitempty"`
+	CaKey        string `yaml:"caKey,omitempty"`
 }
 
 func (c *Config) Validate() []error {

pkg/apiserver/cubeapi/authorization/handler.go

@@ -42,8 +42,7 @@ import (
 
 const subPath = "authorization"
 
-func AddApisTo(root *gin.RouterGroup) {
-	h := newHandler()
+func (h *handler) AddApisTo(root *gin.RouterGroup) {
 	r := root.Group(subPath)
 	r.GET("roles", h.getRolesByUser)
 	r.GET("clusterroles", h.getClusterRolesByLevel)
@@ -66,7 +65,7 @@ type handler struct {
 	kubernetes.Client
 }
 
-func newHandler() *handler {
+func NewHandler() *handler {
 	h := new(handler)
 	h.Interface = rbac.NewDefaultResolver(constants.PivotCluster)
 	h.Client = clients.Interface().Kubernetes(constants.PivotCluster)

pkg/apiserver/cubeapi/cluster/handler.go

@@ -51,8 +51,7 @@ import (
 
 const subPath = "clusters"
 
-func AddApisTo(root *gin.RouterGroup) {
-	h := newHandler()
+func (h *handler) AddApisTo(root *gin.RouterGroup) {
 	r := root.Group(subPath)
 	r.GET("info", h.getClusterInfo)
 	r.GET("/:cluster/monitor", h.getClusterMonitorInfo)
@@ -99,7 +98,7 @@ type handler struct {
 	kubernetes.Client
 }
 
-func newHandler() *handler {
+func NewHandler() *handler {
 	h := new(handler)
 	h.Interface = rbac.NewDefaultResolver(constants.PivotCluster)
 	h.Client = clients.Interface().Kubernetes(constants.PivotCluster)

pkg/apiserver/cubeapi/user/user.go

@@ -19,9 +19,12 @@ package user
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"encoding/csv"
 	"encoding/json"
 	"fmt"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"net/http"
 	"regexp"
 	"strconv"
@@ -518,6 +521,30 @@ func GetKubeConfig(c *gin.Context) {
 		response.FailReturn(c, errcode.AuthenticateError)
 	}
 
+	// todo: pass ca cert by args as soon as user apis rewrite
+	cli := clients.Interface().Kubernetes(constants.PivotCluster)
+	if cli == nil {
+		response.FailReturn(c, errcode.InternalServerError)
+		return
+	}
+
+	kubeConfigSecret := corev1.Secret{}
+	key := types.NamespacedName{Name: "cube-tls-secret", Namespace: constants.CubeNamespace}
+
+	err := cli.Cache().Get(context.Background(), key, &kubeConfigSecret)
+	if err != nil {
+		clog.Error(err.Error())
+		response.FailReturn(c, errcode.InternalServerError)
+		return
+	}
+
+	caCert, ok := kubeConfigSecret.Data["ca.crt"]
+	if !ok {
+		clog.Error("cloud not found ca cert in cube-tls=secret")
+		response.FailReturn(c, errcode.InternalServerError)
+		return
+	}
+
 	clusters := multicluster.Interface().FuzzyCopy()
 	cms := make([]*kubeconfig.ConfigMeta, 0, len(clusters))
 
@@ -528,6 +555,11 @@ func GetKubeConfig(c *gin.Context) {
 			User:    user,
 			Token:   token,
 		}
+		// set auth proxy server address
+		// todo: make port settable
+		cm.Config.Host = strings.Replace(cm.Config.Host, "6443", "31443", 1)
+		// set cube ca to access auth proxy server
+		cm.Config.CAData = caCert
 		cms = append(cms, cm)
 	}
 

pkg/authentication/authenticators/jwt/transition.go

-/*
-Copyright 2021 KubeCube Authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package jwt
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/kubecube-io/kubecube/pkg/clog"
-	"github.com/kubecube-io/kubecube/pkg/utils/constants"
-	"k8s.io/api/authentication/v1beta1"
-)
-
-type AuthJwtImpl struct{}
-
-func (a *AuthJwtImpl) Authentication(token string) (*v1beta1.UserInfo, error) {
-	claims := &Claims{}
-
-	// Empty bearer tokens aren't valid
-	if len(token) == 0 {
-		return nil, fmt.Errorf("invaild token")
-	}
-
-	newToken, parseErr := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(Config.JwtSecret), nil
-	})
-	if parseErr != nil {
-		return nil, fmt.Errorf("parse token error, jwt secret: %v, token: %v, error: %v", Config.JwtSecret, token, parseErr)
-	}
-	if claims, ok := newToken.Claims.(*Claims); ok && newToken.Valid {
-		return &claims.UserInfo, nil
-	}
-	return nil, fmt.Errorf("invaild token")
-}
-
-func (a *AuthJwtImpl) GenerateToken(user *v1beta1.UserInfo) (string, error) {
-	return a.GenerateTokenWithExpired(user, constants.DefaultTokenExpireDuration)
-}
-
-func (a *AuthJwtImpl) GenerateTokenWithExpired(user *v1beta1.UserInfo, expireDuration int64) (string, error) {
-	var tokenExpireDuration int64 = constants.DefaultTokenExpireDuration
-	if Config.TokenExpireDuration > 0 {
-		tokenExpireDuration = Config.TokenExpireDuration
-	}
-	if expireDuration > 0 {
-		tokenExpireDuration = expireDuration
-	}
-
-	claims := Claims{
-		UserInfo: v1beta1.UserInfo{
-			Username: user.Username,
-			Groups:   []string{constants.KubeCube},
-		},
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: time.Now().Unix() + tokenExpireDuration,
-			Issuer:    Config.JwtIssuer,
-		},
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	signedToken, signErr := token.SignedString([]byte(Config.JwtSecret))
-	if signErr != nil {
-		return "", fmt.Errorf("sign token with jwt secret error: %s", signErr)
-	}
-	clog.Debug("generate token success, new token is %v, secret is %v, issuer is %v", signedToken, Config.JwtSecret, Config.JwtIssuer)
-	return signedToken, nil
-}
-
-func (a *AuthJwtImpl) RefreshToken(token string) (string, error) {
-	claims, err := ParseToken(token)
-	if err != nil {
-		return "", fmt.Errorf("parse token error: %s", err)
-	}
-	return a.GenerateToken(&claims.UserInfo)
-}

pkg/warden/localmgr/manager.go

 /*
 Copyright 2021 KubeCube Authors
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
-
     http://www.apache.org/licenses/LICENSE-2.0
-
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,6 +15,9 @@ package localmgr
 
 import (
 	"context"
+	"fmt"
+	"net/http"
+
 	"github.com/kubecube-io/kubecube/pkg/clog"
 	"github.com/kubecube-io/kubecube/pkg/utils/constants"
 	"github.com/kubecube-io/kubecube/pkg/warden/localmgr/controllers"
@@ -59,8 +59,6 @@ type LocalManager struct {
 	WebhookServerPort int
 
 	ctrl.Manager
-
-	ready bool
 }
 
 func (m *LocalManager) Initialize() error {
@@ -101,7 +99,23 @@ func (m *LocalManager) Initialize() error {
 }
 
 func (m *LocalManager) readyzCheck() bool {
-	return m.ready
+	path := fmt.Sprintf("http://%s/readyz", healthProbeAddr)
+
+	resp, err := http.Get(path)
+	if err != nil {
+		log.Debug("local controller manager not ready: %v", err)
+		return false
+	}
+
+	_ = resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return false
+	}
+
+	log.Info("local controller manager ready")
+
+	return true
 }
 
 func (m *LocalManager) Run(stop <-chan struct{}) {
@@ -110,7 +124,4 @@ func (m *LocalManager) Run(stop <-chan struct{}) {
 	if err != nil {
 		log.Fatal("start local controller manager failed: %s", err)
 	}
-
-	// mark manager ready
-	m.ready = true
 }

pkg/warden/server/authproxy/authproxy.go

 package authproxy
 
 import (
+	"context"
+	"fmt"
+	"github.com/kubecube-io/kubecube/pkg/clog"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"time"
 
+	v1 "github.com/kubecube-io/kubecube/pkg/apis/cluster/v1"
 	"github.com/kubecube-io/kubecube/pkg/authentication/authenticators"
 	"github.com/kubecube-io/kubecube/pkg/authentication/authenticators/jwt"
+	"github.com/kubecube-io/kubecube/pkg/authentication/authenticators/token"
 	"github.com/kubecube-io/kubecube/pkg/utils/ctls"
-	"k8s.io/api/authentication/v1beta1"
+	"github.com/kubecube-io/kubecube/pkg/utils/kubeconfig"
+	"github.com/kubecube-io/kubecube/pkg/warden/utils"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
-	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 const (
@@ -35,21 +41,28 @@ type Handler struct {
 
 func NewHandler() (*Handler, error) {
 	h := &Handler{}
-	h.authMgr = &jwt.AuthJwtImpl{}
+	h.authMgr = jwt.GetAuthJwtImpl()
 
 	// get cluster info from rest config
-	cfg, err := ctrl.GetConfig()
+	cluster := v1.Cluster{}
+	err := utils.PivotClient.Get(context.Background(), types.NamespacedName{Name: utils.Cluster}, &cluster)
 	if err != nil {
 		return nil, err
 	}
 
-	target, err := url.Parse(cfg.Host)
+	restConfig, err := kubeconfig.LoadKubeConfigFromBytes(cluster.Spec.KubeConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	target, err := url.Parse(restConfig.Host)
 	if err != nil {
 		return nil, err
 	}
 
 	// k8s-apiserver needs extract user info from client cert
-	ts, err := ctls.MakeMTlsTransportByPem(cfg.CAData, cfg.CertData, cfg.KeyData)
+	// we use admin cert to access k8s-apiserver
+	ts, err := ctls.MakeMTlsTransportByPem(restConfig.CAData, restConfig.CertData, restConfig.KeyData)
 	if err != nil {
 		return nil, err
 	}
@@ -73,11 +86,15 @@ func NewHandler() (*Handler, error) {
 }
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	//_, err := token.GetUserFromReq(r)
-	//if err != nil {
-	//}
+	// parse token transfer to user info
+	user, err := token.GetUserFromReq(r)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		fmt.Fprintf(w, "token invalid: %v", err)
+		return
+	}
 
-	var user v1beta1.UserInfo
+	clog.Debug("user(%v) access to %v with verb(%v)", user.Username, r.Method)
 
 	// impersonate given user to access k8s-apiserver
 	r.Header.Set(impersonateUserKey, user.Username)

pkg/warden/syncmgr/manager.go

 /*
 Copyright 2021 KubeCube Authors
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
-
     http://www.apache.org/licenses/LICENSE-2.0
-
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,6 +16,8 @@ package syncmgr
 import (
 	"context"
 	"fmt"
+	"net/http"
+
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	"sigs.k8s.io/multi-tenancy/incubator/hnc/api/v1alpha2"
@@ -28,6 +27,8 @@ import (
 	"github.com/kubecube-io/kubecube/pkg/clog"
 
 	"github.com/kubecube-io/kubecube/pkg/warden/reporter"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+
 	//v1 "k8s.io/api/rbac/v1"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
@@ -43,6 +44,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )
 
+const healthProbeAddr = "0.0.0.0:9777"
+
 var (
 	log clog.CubeLogger
 
@@ -64,8 +67,6 @@ type SyncManager struct {
 	ctrl.Manager
 	LocalClient            client.Client
 	PivotClusterKubeConfig string
-
-	ready bool
 }
 
 func (s *SyncManager) Initialize() error {
@@ -76,7 +77,7 @@ func (s *SyncManager) Initialize() error {
 		return fmt.Errorf("error building kubeconfig: %s", err.Error())
 	}
 
-	s.Manager, err = manager.New(cfg, ctrl.Options{Scheme: scheme})
+	s.Manager, err = manager.New(cfg, ctrl.Options{Scheme: scheme, HealthProbeBindAddress: healthProbeAddr})
 	if err != nil {
 		return fmt.Errorf("error new sync mgr: %s", err.Error())
 	}
@@ -96,13 +97,34 @@ func (s *SyncManager) Initialize() error {
 		}
 	}
 
+	err = s.Manager.AddReadyzCheck("readyz", healthz.Ping)
+	if err != nil {
+		return err
+	}
+
 	reporter.RegisterCheckFunc(s.readyzCheck)
 
 	return nil
 }
 
 func (s *SyncManager) readyzCheck() bool {
-	return s.ready
+	path := fmt.Sprintf("http://%s/readyz", healthProbeAddr)
+
+	resp, err := http.Get(path)
+	if err != nil {
+		log.Debug("sync manager not ready: %v", err)
+		return false
+	}
+
+	_ = resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return false
+	}
+
+	log.Info("sync manager ready")
+
+	return true
 }
 
 func (s *SyncManager) Run(stop <-chan struct{}) {
@@ -111,7 +133,4 @@ func (s *SyncManager) Run(stop <-chan struct{}) {
 	if err != nil {
 		log.Fatal("start sync manager failed: %s", err)
 	}
-
-	// mark sync manager ready
-	s.ready = true
 }