Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy

2021-03-04 12:38:00 -06:00 · 2021-03-04 12:38:00 -06:00 · 1734280a19
parent 9a0f75980d f99c186c55
commit 1734280a19
5 changed files with 54 additions and 27 deletions
--- a/go.mod
+++ b/go.mod
@ -36,7 +36,7 @@ require (
 	k8s.io/client-go v0.20.4
 	k8s.io/component-base v0.20.4
 	k8s.io/gengo v0.0.0-20201113003025-83324d819ded
-	k8s.io/klog/v2 v2.5.0
+	k8s.io/klog/v2 v2.6.0
 	k8s.io/kube-aggregator v0.20.4
 	k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
--- a/go.sum
+++ b/go.sum
@ -1528,8 +1528,8 @@ k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.5.0 h1:8mOnjf1RmUPW6KRqQCfYSZq/K20Unmp3IhuZUhxl8KI=
+k8s.io/klog/v2 v2.6.0 h1:c1wFxejFMBkp/VxCdc6kYdgrBkC2gzmcl6afuJAkJyU=
-k8s.io/klog/v2 v2.5.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/klog/v2 v2.6.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/kube-aggregator v0.20.4 h1:j/SUwPy1eO+ud3XOUGmH18gISPyerqhXOoNRZDbv3fs=
 k8s.io/kube-aggregator v0.20.4/go.mod h1:0ixQ9De7KXyHteXizS6nVtrnKqGa4kiuxl9rEBsNccw=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c=
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/oidc/discovery/discovery_handler.go
@ -5,6 +5,7 @@
 package discovery
 import (
 	"bytes"
 	"encoding/json"
 	"net/http"
@ -40,28 +41,38 @@ type Metadata struct {
 // NewHandler returns an http.Handler that serves an OIDC discovery endpoint.
 func NewHandler(issuerURL string) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	oidcConfig := Metadata{
-		w.Header().Set("Content-Type", "application/json")
+		Issuer:                            issuerURL,
 		AuthorizationEndpoint:             issuerURL + oidc.AuthorizationEndpointPath,
 		TokenEndpoint:                     issuerURL + oidc.TokenEndpointPath,
 		JWKSURI:                           issuerURL + oidc.JWKSEndpointPath,
 		ResponseTypesSupported:            []string{"code"},
 		SubjectTypesSupported:             []string{"public"},
 		IDTokenSigningAlgValuesSupported:  []string{"ES256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
 		ScopesSupported:                   []string{"openid", "offline"},
 		ClaimsSupported:                   []string{"groups"},
 	}
 	var b bytes.Buffer
 	encodeErr := json.NewEncoder(&b).Encode(&oidcConfig)
 	encodedMetadata := b.Bytes()
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet {
 			http.Error(w, `Method not allowed (try GET)`, http.StatusMethodNotAllowed)
 			return
 		}
-		oidcConfig := Metadata{
+		if encodeErr != nil {
-			Issuer:                            issuerURL,
+			http.Error(w, encodeErr.Error(), http.StatusInternalServerError)
-			AuthorizationEndpoint:             issuerURL + oidc.AuthorizationEndpointPath,
+			return
 			TokenEndpoint:                     issuerURL + oidc.TokenEndpointPath,
 			JWKSURI:                           issuerURL + oidc.JWKSEndpointPath,
 			ResponseTypesSupported:            []string{"code"},
 			SubjectTypesSupported:             []string{"public"},
 			IDTokenSigningAlgValuesSupported:  []string{"ES256"},
 			TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
 			ScopesSupported:                   []string{"openid", "offline"},
 			ClaimsSupported:                   []string{"groups"},
 		}
-		if err := json.NewEncoder(w).Encode(&oidcConfig); err != nil {
+
 		w.Header().Set("Content-Type", "application/json")
 		if _, err := w.Write(encodedMetadata); err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
 	})
 }
--- a/test/integration/category_test.go
+++ b/test/integration/category_test.go
@ -7,6 +7,7 @@ import (
 	"bytes"
 	"os/exec"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
@ -20,13 +21,21 @@ func TestGetPinnipedCategory(t *testing.T) {
 	t.Run("category, no special params", func(t *testing.T) {
 		var stdOut, stdErr bytes.Buffer
-		cmd := exec.Command("kubectl", "get", "pinniped", "-A")
+		var err error
-		cmd.Stdout = &stdOut
+		require.Eventuallyf(t, func() bool {
-		cmd.Stderr = &stdErr
+			cmd := exec.Command("kubectl", "get", "pinniped", "-A")
-		err := cmd.Run()
+			cmd.Stdout = &stdOut
-		require.NoError(t, err, stdErr.String(), stdOut.String())
+			cmd.Stderr = &stdErr
 			err = cmd.Run()
 			return err == nil
 		},
 			60*time.Second,
 			1*time.Second,
 			"never ran 'kubectl get pinniped -A' successfully:\n%s\n\n%s",
 			stdErr.String(),
 			stdOut.String(),
 		)
 		require.Empty(t, stdErr.String())
 		require.NotContains(t, stdOut.String(), "MethodNotAllowed")
 		require.Contains(t, stdOut.String(), dotSuffix)
 	})
--- a/test/integration/kubeclient_test.go
+++ b/test/integration/kubeclient_test.go
@ -5,6 +5,7 @@ package integration
 import (
 	"context"
 	"fmt"
 	"testing"
 	"time"
@ -74,15 +75,18 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		UID:        parentSecret.UID,
 	}
 	snorlaxAPIGroup := fmt.Sprintf("%s.snorlax.dev", library.RandHex(t, 8))
 	parentAPIService, err := regularAggregationClient.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: "v1.snorlax.dev",
+				Name:        "v1." + snorlaxAPIGroup,
 				Labels:      map[string]string{"pinniped.dev/test": ""},
 				Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
 			},
 			Spec: apiregistrationv1.APIServiceSpec{
 				Version:              "v1",
-				Group:                "snorlax.dev",
+				Group:                snorlaxAPIGroup,
 				GroupPriorityMinimum: 10_000,
 				VersionPriority:      500,
 			},
@ -184,16 +188,19 @@ func TestKubeClientOwnerRef(t *testing.T) {
 	})
 	// cluster scoped API service should be owned by the other one we created above
 	pandasAPIGroup := fmt.Sprintf("%s.pandas.dev", library.RandHex(t, 8))
 	apiService, err := ownerRefClient.Aggregation.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:            "v1.pandas.dev",
+				Name:            "v1." + pandasAPIGroup,
 				OwnerReferences: nil, // no owner refs set
 				Labels:          map[string]string{"pinniped.dev/test": ""},
 				Annotations:     map[string]string{"pinniped.dev/testName": t.Name()},
 			},
 			Spec: apiregistrationv1.APIServiceSpec{
 				Version:              "v1",
-				Group:                "pandas.dev",
+				Group:                pandasAPIGroup,
 				GroupPriorityMinimum: 10_000,
 				VersionPriority:      500,
 			},