Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending.

This behavior can be disabled with "--concierge-skip-wait". Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 14:48:16 -06:00 · 2021-03-09 14:48:16 -06:00 · 0abe10e6b2
commit 0abe10e6b2
parent 883b90923d
2 changed files with 39 additions and 0 deletions
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@ -87,6 +87,7 @@ type getKubeconfigConciergeParams struct {
 	caBundle          caBundleFlag
 	endpoint          string
 	mode              conciergeModeFlag
 	skipWait          bool
 }
 type getKubeconfigParams struct {
@ -123,6 +124,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 	f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
 	f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
 	f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
 	f.BoolVar(&flags.concierge.skipWait, "concierge-skip-wait", false, "Skip waiting for any pending Concierge strategies to become ready (default: false)")
 	f.Var(&flags.concierge.caBundle, "concierge-ca-bundle", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge")
 	f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Concierge endpoint")
@ -205,6 +207,33 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 			return err
 		}
 		if !flags.concierge.skipWait {
 			ticker := time.NewTicker(2 * time.Second)
 			defer ticker.Stop()
 			deadline, _ := ctx.Deadline()
 			attempts := 1
 			for {
 				if !hasPendingStrategy(credentialIssuer) {
 					break
 				}
 				deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
 					"attempts", attempts,
 					"remaining", time.Until(deadline).Round(time.Second).String(),
 				)
 				select {
 				case <-ctx.Done():
 					return ctx.Err()
 				case <-ticker.C:
 					credentialIssuer, err = lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
 					if err != nil {
 						return err
 					}
 				}
 			}
 		}
 		authenticator, err := lookupAuthenticator(
 			clientset,
 			flags.concierge.authenticatorType,
@ -636,3 +665,12 @@ func countCACerts(pemData []byte) int {
 	pool.AppendCertsFromPEM(pemData)
 	return len(pool.Subjects())
 }
 func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
 	for _, strategy := range credentialIssuer.Status.Strategies {
 		if strategy.Reason == configv1alpha1.PendingStrategyReason {
 			return true
 		}
 	}
 	return false
 }
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@ -73,6 +73,7 @@ func TestGetKubeconfig(t *testing.T) {
 				      --concierge-credential-issuer string    Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
 				      --concierge-endpoint string             API base for the Concierge endpoint
 				      --concierge-mode mode                   Concierge mode of operation (default TokenCredentialRequestAPI)
 				      --concierge-skip-wait                   Skip waiting for any pending Concierge strategies to become ready (default: false)
 				  -h, --help                                  help for kubeconfig
 				      --kubeconfig string                     Path to kubeconfig file
 				      --kubeconfig-context string             Kubeconfig context name (default: current active context)