Support JWTAuthenticator in pinniped CLI
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
57103e0a9f
commit
0efc19a1b7
@ -64,7 +64,7 @@ func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchange
|
|||||||
- PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
|
- PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
|
||||||
against
|
against
|
||||||
- PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
|
- PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
|
||||||
against (e.g., "webhook")
|
against (e.g., "webhook", "jwt")
|
||||||
- PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
|
- PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
|
||||||
against
|
against
|
||||||
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
||||||
@ -148,8 +148,11 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
|
|||||||
case "webhook":
|
case "webhook":
|
||||||
authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
|
authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
|
||||||
authenticator.Kind = "WebhookAuthenticator"
|
authenticator.Kind = "WebhookAuthenticator"
|
||||||
|
case "jwt":
|
||||||
|
authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
|
||||||
|
authenticator.Kind = "JWTAuthenticator"
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidAuthenticatorType, authenticatorType)
|
return fmt.Errorf(`%w: %q, supported values are "webhook" and "jwt"`, ErrInvalidAuthenticatorType, authenticatorType)
|
||||||
}
|
}
|
||||||
|
|
||||||
cred, err := tokenExchanger(ctx, namespace, authenticator, token, caBundle, apiEndpoint)
|
cred, err := tokenExchanger(ctx, namespace, authenticator, token, caBundle, apiEndpoint)
|
||||||
|
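Review bot: The new `case "jwt":` repeats the `authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group` line from the webhook case, so the switch now decides both group and kind and every further authenticator type will copy that line again. Hoist `authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group` above the switch and leave only the `authenticator.Kind = ...` assignments in the cases. The `supported values are "webhook" and "jwt"` text in the default branch is maintained by hand next to the case labels (and again in the test's expected string), so deriving it from one list of supported types would keep the two from drifting when the next type is added. exchangeCredential starts and ends outside this hunk.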
@ -18,6 +18,7 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||||
|
|
||||||
|
auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
|
||||||
"go.pinniped.dev/internal/here"
|
"go.pinniped.dev/internal/here"
|
||||||
"go.pinniped.dev/internal/testutil"
|
"go.pinniped.dev/internal/testutil"
|
||||||
)
|
)
|
||||||
@ -46,7 +47,7 @@ var (
|
|||||||
- PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
|
- PINNIPED_NAMESPACE: the namespace of the authenticator to authenticate
|
||||||
against
|
against
|
||||||
- PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
|
- PINNIPED_AUTHENTICATOR_TYPE: the type of authenticator to authenticate
|
||||||
against (e.g., "webhook")
|
against (e.g., "webhook", "jwt")
|
||||||
- PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
|
- PINNIPED_AUTHENTICATOR_NAME: the name of the authenticator to authenticate
|
||||||
against
|
against
|
||||||
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
|
||||||
@ -193,7 +194,7 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
it("returns an error when PINNIPED_AUTHENTICATOR_TYPE is missing", func() {
|
it("returns an error when PINNIPED_AUTHENTICATOR_TYPE is missing", func() {
|
||||||
fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "invalid"
|
fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "invalid"
|
||||||
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
r.EqualError(err, `invalid authenticator type: "invalid", supported values are "webhook"`)
|
r.EqualError(err, `invalid authenticator type: "invalid", supported values are "webhook" and "jwt"`)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
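Review bot: The test name `returns an error when PINNIPED_AUTHENTICATOR_TYPE is missing` no longer describes what the body does: it sets `fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "invalid"` and asserts the unsupported-type error that this commit just reworded, so the case under test is an invalid value, not an absent one. Renaming it `it("returns an error when PINNIPED_AUTHENTICATOR_TYPE is invalid", func() {` would make a failure report readable without opening the file. If a separate "missing" case exists elsewhere in TestExchangeCredential it is not visible in this hunk.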
@ -292,5 +293,50 @@ func TestExchangeCredential(t *testing.T) {
|
|||||||
r.JSONEq(expected, buffer.String())
|
r.JSONEq(expected, buffer.String())
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("the authenticator info is passed", func() {
|
||||||
|
var actualAuthenticator corev1.TypedLocalObjectReference
|
||||||
|
|
||||||
|
it.Before(func() {
|
||||||
|
tokenExchanger = func(ctx context.Context, namespace string, authenticator corev1.TypedLocalObjectReference, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) {
|
||||||
|
actualAuthenticator = authenticator
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
when("the authenticator is of type webhook", func() {
|
||||||
|
it.Before(func() {
|
||||||
|
fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "webhook"
|
||||||
|
fakeEnv["PINNIPED_AUTHENTICATOR_NAME"] = "some-webhook-name"
|
||||||
|
})
|
||||||
|
|
||||||
|
it("passes the correct authenticator type to the token exchanger", func() {
|
||||||
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
|
r.NoError(err)
|
||||||
|
require.Equal(t, corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookAuthenticator",
|
||||||
|
Name: "some-webhook-name",
|
||||||
|
}, actualAuthenticator)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
when("the authenticator is of type jwt", func() {
|
||||||
|
it.Before(func() {
|
||||||
|
fakeEnv["PINNIPED_AUTHENTICATOR_TYPE"] = "jwt"
|
||||||
|
fakeEnv["PINNIPED_AUTHENTICATOR_NAME"] = "some-jwt-authenticator-name"
|
||||||
|
})
|
||||||
|
|
||||||
|
it("passes the correct authenticator type to the token exchanger", func() {
|
||||||
|
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
|
||||||
|
r.NoError(err)
|
||||||
|
require.Equal(t, corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "JWTAuthenticator",
|
||||||
|
Name: "some-jwt-authenticator-name",
|
||||||
|
}, actualAuthenticator)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
||||||
}
|
}
|
||||||
|
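Review bot: The new assertions call `require.Equal(t, corev1.TypedLocalObjectReference{...}, actualAuthenticator)` while the line just above them uses the `r` assertion object (`r.NoError(err)`), so the two new `it` blocks mix the two styles for no reason; `r.Equal(corev1.TypedLocalObjectReference{...}, actualAuthenticator)` matches the rest of the spec. The webhook and jwt `when` blocks are otherwise identical apart from the type string, name and expected Kind, so a small table over those three values would express the same coverage once instead of twice. The fake `tokenExchanger` returns `nil, nil`, and nothing here asserts what exchangeCredential writes to `buffer` for a nil credential, which is fine for this test but worth a one-line comment such as `// credential output is not under test here; only the authenticator reference is checked` so the nil return is not mistaken for an oversight.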
@ -89,7 +89,7 @@ func (c *getKubeConfigCommand) Command() *cobra.Command {
|
|||||||
cmd.Flags().StringVar(&c.flags.kubeconfig, "kubeconfig", c.flags.kubeconfig, "Path to the kubeconfig file")
|
cmd.Flags().StringVar(&c.flags.kubeconfig, "kubeconfig", c.flags.kubeconfig, "Path to the kubeconfig file")
|
||||||
cmd.Flags().StringVar(&c.flags.contextOverride, "kubeconfig-context", c.flags.contextOverride, "Kubeconfig context override")
|
cmd.Flags().StringVar(&c.flags.contextOverride, "kubeconfig-context", c.flags.contextOverride, "Kubeconfig context override")
|
||||||
cmd.Flags().StringVar(&c.flags.namespace, "pinniped-namespace", c.flags.namespace, "Namespace in which Pinniped was installed")
|
cmd.Flags().StringVar(&c.flags.namespace, "pinniped-namespace", c.flags.namespace, "Namespace in which Pinniped was installed")
|
||||||
cmd.Flags().StringVar(&c.flags.authenticatorType, "authenticator-type", c.flags.authenticatorType, "Authenticator type (e.g., 'webhook')")
|
cmd.Flags().StringVar(&c.flags.authenticatorType, "authenticator-type", c.flags.authenticatorType, "Authenticator type (e.g., 'webhook', 'jwt')")
|
||||||
cmd.Flags().StringVar(&c.flags.authenticatorName, "authenticator-name", c.flags.authenticatorType, "Authenticator name")
|
cmd.Flags().StringVar(&c.flags.authenticatorName, "authenticator-name", c.flags.authenticatorType, "Authenticator name")
|
||||||
mustMarkRequired(cmd, "token")
|
mustMarkRequired(cmd, "token")
|
||||||
plog.RemoveKlogGlobalFlags()
|
plog.RemoveKlogGlobalFlags()
|
||||||
|
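Review bot: The `authenticator-name` flag on the line after the changed one is registered with `c.flags.authenticatorType` as its default value, `cmd.Flags().StringVar(&c.flags.authenticatorName, "authenticator-name", c.flags.authenticatorType, "Authenticator name")`, which looks like a copy-and-paste slip from the `authenticator-type` line above it; the default should almost certainly be `c.flags.authenticatorName`. The commit touches only the help text of the neighbouring flag, so this pre-existing line survives unchanged on the new side. If both defaults are zero values today the slip is invisible, but it will surface as soon as a non-empty type default is introduced. Command() begins and ends outside this hunk.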
@ -31,7 +31,7 @@ var (
|
|||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
--authenticator-name string Authenticator name
|
--authenticator-name string Authenticator name
|
||||||
--authenticator-type string Authenticator type (e.g., 'webhook')
|
--authenticator-type string Authenticator type (e.g., 'webhook', 'jwt')
|
||||||
-h, --help help for get-kubeconfig
|
-h, --help help for get-kubeconfig
|
||||||
--kubeconfig string Path to the kubeconfig file
|
--kubeconfig string Path to the kubeconfig file
|
||||||
--kubeconfig-context string Kubeconfig context override
|
--kubeconfig-context string Kubeconfig context override
|
||||||
@ -62,7 +62,7 @@ var (
|
|||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
--authenticator-name string Authenticator name
|
--authenticator-name string Authenticator name
|
||||||
--authenticator-type string Authenticator type (e.g., 'webhook')
|
--authenticator-type string Authenticator type (e.g., 'webhook', 'jwt')
|
||||||
-h, --help help for get-kubeconfig
|
-h, --help help for get-kubeconfig
|
||||||
--kubeconfig string Path to the kubeconfig file
|
--kubeconfig string Path to the kubeconfig file
|
||||||
--kubeconfig-context string Kubeconfig context override
|
--kubeconfig-context string Kubeconfig context override
|
||||||
|