Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending.

This behavior can be disabled with "--concierge-skip-wait". Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 14:48:16 -06:00 · 2021-03-09 14:48:16 -06:00 · 0abe10e6b2
commit 0abe10e6b2
parent 883b90923d
2 changed files with 39 additions and 0 deletions
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@ -87,6 +87,7 @@ type getKubeconfigConciergeParams struct {
 	caBundle          caBundleFlag
 	endpoint          string
 	mode              conciergeModeFlag
+	skipWait          bool
 }

 type getKubeconfigParams struct {
@ -123,6 +124,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
 	f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
 	f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
+	f.BoolVar(&flags.concierge.skipWait, "concierge-skip-wait", false, "Skip waiting for any pending Concierge strategies to become ready (default: false)")

 	f.Var(&flags.concierge.caBundle, "concierge-ca-bundle", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge")
 	f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Concierge endpoint")
@ -205,6 +207,33 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 			return err
 		}

+		if !flags.concierge.skipWait {
+			ticker := time.NewTicker(2 * time.Second)
+			defer ticker.Stop()
+
+			deadline, _ := ctx.Deadline()
+			attempts := 1
+
+			for {
+				if !hasPendingStrategy(credentialIssuer) {
+					break
+				}
+				deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
+					"attempts", attempts,
+					"remaining", time.Until(deadline).Round(time.Second).String(),
+				)
+				select {
+				case <-ctx.Done():
+					return ctx.Err()
+				case <-ticker.C:
+					credentialIssuer, err = lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+
 		authenticator, err := lookupAuthenticator(
 			clientset,
 			flags.concierge.authenticatorType,
@ -636,3 +665,12 @@ func countCACerts(pemData []byte) int {
 	pool.AppendCertsFromPEM(pemData)
 	return len(pool.Subjects())
 }
+
+func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
+	for _, strategy := range credentialIssuer.Status.Strategies {
+		if strategy.Reason == configv1alpha1.PendingStrategyReason {
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@ -73,6 +73,7 @@ func TestGetKubeconfig(t *testing.T) {
 				      --concierge-credential-issuer string    Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
 				      --concierge-endpoint string             API base for the Concierge endpoint
 				      --concierge-mode mode                   Concierge mode of operation (default TokenCredentialRequestAPI)
+				      --concierge-skip-wait                   Skip waiting for any pending Concierge strategies to become ready (default: false)
 				  -h, --help                                  help for kubeconfig
 				      --kubeconfig string                     Path to kubeconfig file
 				      --kubeconfig-context string             Kubeconfig context name (default: current active context)