cmd/pinniped: wire API group suffix through to client components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
88fd9e5c5e
commit
1c3518e18a
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -70,6 +70,7 @@ func legacyGetKubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
|
|||||||
namespace: namespace,
|
namespace: namespace,
|
||||||
authenticatorName: authenticatorName,
|
authenticatorName: authenticatorName,
|
||||||
authenticatorType: authenticatorType,
|
authenticatorType: authenticatorType,
|
||||||
|
apiGroupSuffix: "pinniped.dev",
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -73,6 +73,7 @@ type getKubeconfigConciergeParams struct {
|
|||||||
namespace string
|
namespace string
|
||||||
authenticatorName string
|
authenticatorName string
|
||||||
authenticatorType string
|
authenticatorType string
|
||||||
|
apiGroupSuffix string
|
||||||
}
|
}
|
||||||
|
|
||||||
type getKubeconfigParams struct {
|
type getKubeconfigParams struct {
|
||||||
@ -103,6 +104,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
|
|||||||
f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
|
f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
|
||||||
f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
|
f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
|
||||||
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
|
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
|
||||||
|
f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
|
||||||
|
|
||||||
f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
|
f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
|
||||||
f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
|
f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
|
||||||
@ -258,6 +260,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
|
|||||||
// Append the flags to configure the Concierge credential exchange at runtime.
|
// Append the flags to configure the Concierge credential exchange at runtime.
|
||||||
execConfig.Args = append(execConfig.Args,
|
execConfig.Args = append(execConfig.Args,
|
||||||
"--enable-concierge",
|
"--enable-concierge",
|
||||||
|
"--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix,
|
||||||
"--concierge-namespace="+flags.concierge.namespace,
|
"--concierge-namespace="+flags.concierge.namespace,
|
||||||
"--concierge-authenticator-name="+flags.concierge.authenticatorName,
|
"--concierge-authenticator-name="+flags.concierge.authenticatorName,
|
||||||
"--concierge-authenticator-type="+flags.concierge.authenticatorType,
|
"--concierge-authenticator-type="+flags.concierge.authenticatorType,
|
||||||
|
@ -57,6 +57,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
kubeconfig [flags]
|
kubeconfig [flags]
|
||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
|
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
|
||||||
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
|
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
|
||||||
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
||||||
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
|
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
|
||||||
@ -313,6 +314,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- login
|
- login
|
||||||
- static
|
- static
|
||||||
- --enable-concierge
|
- --enable-concierge
|
||||||
|
- --concierge-api-group-suffix=pinniped.dev
|
||||||
- --concierge-namespace=test-namespace
|
- --concierge-namespace=test-namespace
|
||||||
- --concierge-authenticator-name=test-authenticator
|
- --concierge-authenticator-name=test-authenticator
|
||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
@ -358,6 +360,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- login
|
- login
|
||||||
- static
|
- static
|
||||||
- --enable-concierge
|
- --enable-concierge
|
||||||
|
- --concierge-api-group-suffix=pinniped.dev
|
||||||
- --concierge-namespace=test-namespace
|
- --concierge-namespace=test-namespace
|
||||||
- --concierge-authenticator-name=test-authenticator
|
- --concierge-authenticator-name=test-authenticator
|
||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
@ -410,6 +413,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- login
|
- login
|
||||||
- oidc
|
- oidc
|
||||||
- --enable-concierge
|
- --enable-concierge
|
||||||
|
- --concierge-api-group-suffix=pinniped.dev
|
||||||
- --concierge-namespace=pinniped-concierge
|
- --concierge-namespace=pinniped-concierge
|
||||||
- --concierge-authenticator-name=test-authenticator
|
- --concierge-authenticator-name=test-authenticator
|
||||||
- --concierge-authenticator-type=jwt
|
- --concierge-authenticator-type=jwt
|
||||||
@ -429,6 +433,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
name: "autodetect nothing, set a bunch of options",
|
name: "autodetect nothing, set a bunch of options",
|
||||||
args: []string{
|
args: []string{
|
||||||
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
||||||
|
"--concierge-api-group-suffix", "tuna.io",
|
||||||
"--concierge-authenticator-type", "webhook",
|
"--concierge-authenticator-type", "webhook",
|
||||||
"--concierge-authenticator-name", "test-authenticator",
|
"--concierge-authenticator-name", "test-authenticator",
|
||||||
"--oidc-issuer", "https://example.com/issuer",
|
"--oidc-issuer", "https://example.com/issuer",
|
||||||
@ -468,6 +473,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- login
|
- login
|
||||||
- oidc
|
- oidc
|
||||||
- --enable-concierge
|
- --enable-concierge
|
||||||
|
- --concierge-api-group-suffix=tuna.io
|
||||||
- --concierge-namespace=pinniped-concierge
|
- --concierge-namespace=pinniped-concierge
|
||||||
- --concierge-authenticator-name=test-authenticator
|
- --concierge-authenticator-name=test-authenticator
|
||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -64,6 +64,7 @@ type oidcLoginFlags struct {
|
|||||||
conciergeAuthenticatorName string
|
conciergeAuthenticatorName string
|
||||||
conciergeEndpoint string
|
conciergeEndpoint string
|
||||||
conciergeCABundle string
|
conciergeCABundle string
|
||||||
|
conciergeAPIGroupSuffix string
|
||||||
}
|
}
|
||||||
|
|
||||||
func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
|
func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
|
||||||
@ -92,6 +93,7 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
|
|||||||
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
|
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
|
||||||
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
|
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
|
||||||
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
|
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
|
||||||
|
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
|
||||||
|
|
||||||
mustMarkHidden(&cmd, "debug-session-cache")
|
mustMarkHidden(&cmd, "debug-session-cache")
|
||||||
mustMarkRequired(&cmd, "issuer")
|
mustMarkRequired(&cmd, "issuer")
|
||||||
@ -135,6 +137,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
|
|||||||
conciergeclient.WithEndpoint(flags.conciergeEndpoint),
|
conciergeclient.WithEndpoint(flags.conciergeEndpoint),
|
||||||
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
|
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
|
||||||
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
|
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
|
||||||
|
conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("invalid concierge parameters: %w", err)
|
return fmt.Errorf("invalid concierge parameters: %w", err)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -60,6 +60,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
|||||||
--ca-bundle strings Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
|
--ca-bundle strings Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
|
||||||
--ca-bundle-data strings Base64 endcoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
|
--ca-bundle-data strings Base64 endcoded TLS certificate authority bundle (base64 encoded PEM format, optional, can be repeated)
|
||||||
--client-id string OpenID Connect client ID (default "pinniped-cli")
|
--client-id string OpenID Connect client ID (default "pinniped-cli")
|
||||||
|
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
|
||||||
--concierge-authenticator-name string Concierge authenticator name
|
--concierge-authenticator-name string Concierge authenticator name
|
||||||
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
|
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
|
||||||
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
|
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
|
||||||
@ -175,6 +176,7 @@ func TestLoginOIDCCommand(t *testing.T) {
|
|||||||
"--concierge-authenticator-name", "test-authenticator",
|
"--concierge-authenticator-name", "test-authenticator",
|
||||||
"--concierge-endpoint", "https://127.0.0.1:1234/",
|
"--concierge-endpoint", "https://127.0.0.1:1234/",
|
||||||
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
|
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
|
||||||
|
"--concierge-api-group-suffix", "some.suffix.com",
|
||||||
},
|
},
|
||||||
wantOptionsCount: 7,
|
wantOptionsCount: 7,
|
||||||
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n",
|
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n",
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -46,6 +46,7 @@ type staticLoginParams struct {
|
|||||||
conciergeAuthenticatorName string
|
conciergeAuthenticatorName string
|
||||||
conciergeEndpoint string
|
conciergeEndpoint string
|
||||||
conciergeCABundle string
|
conciergeCABundle string
|
||||||
|
conciergeAPIGroupSuffix string
|
||||||
}
|
}
|
||||||
|
|
||||||
func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
|
func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
|
||||||
@ -66,6 +67,7 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
|
|||||||
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
|
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
|
||||||
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
|
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
|
||||||
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
|
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
|
||||||
|
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
|
||||||
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
|
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
|
||||||
return &cmd
|
return &cmd
|
||||||
}
|
}
|
||||||
@ -83,6 +85,7 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
|
|||||||
conciergeclient.WithEndpoint(flags.conciergeEndpoint),
|
conciergeclient.WithEndpoint(flags.conciergeEndpoint),
|
||||||
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
|
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
|
||||||
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
|
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
|
||||||
|
conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("invalid concierge parameters: %w", err)
|
return fmt.Errorf("invalid concierge parameters: %w", err)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -51,6 +51,7 @@ func TestLoginStaticCommand(t *testing.T) {
|
|||||||
static [--token TOKEN] [--token-env TOKEN_NAME] [flags]
|
static [--token TOKEN] [--token-env TOKEN_NAME] [flags]
|
||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
|
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
|
||||||
--concierge-authenticator-name string Concierge authenticator name
|
--concierge-authenticator-name string Concierge authenticator name
|
||||||
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
|
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
|
||||||
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
|
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
|
||||||
|
@ -37,6 +37,7 @@ type Client struct {
|
|||||||
authenticator *corev1.TypedLocalObjectReference
|
authenticator *corev1.TypedLocalObjectReference
|
||||||
caBundle string
|
caBundle string
|
||||||
endpoint *url.URL
|
endpoint *url.URL
|
||||||
|
apiGroupSuffix string
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithNamespace configures the namespace where the TokenCredentialRequest is to be sent.
|
// WithNamespace configures the namespace where the TokenCredentialRequest is to be sent.
|
||||||
@ -112,9 +113,20 @@ func WithEndpoint(endpoint string) Option {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithAPIGroupSuffix configures the concierge's API group suffix (e.g., "pinniped.dev").
|
||||||
|
func WithAPIGroupSuffix(apiGroupSuffix string) Option {
|
||||||
|
return func(c *Client) error {
|
||||||
|
if apiGroupSuffix == "" {
|
||||||
|
return fmt.Errorf("api group suffix must not be empty")
|
||||||
|
}
|
||||||
|
c.apiGroupSuffix = apiGroupSuffix
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// New validates the specified options and returns a newly initialized *Client.
|
// New validates the specified options and returns a newly initialized *Client.
|
||||||
func New(opts ...Option) (*Client, error) {
|
func New(opts ...Option) (*Client, error) {
|
||||||
c := Client{namespace: "pinniped-concierge"}
|
c := Client{namespace: "pinniped-concierge", apiGroupSuffix: "pinniped.dev"}
|
||||||
for _, opt := range opts {
|
for _, opt := range opts {
|
||||||
if err := opt(&c); err != nil {
|
if err := opt(&c); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -151,6 +163,7 @@ func (c *Client) clientset() (conciergeclientset.Interface, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
_ = c.apiGroupSuffix // TODO: wire API group into kubeclient.
|
||||||
client, err := kubeclient.New(kubeclient.WithConfig(cfg))
|
client, err := kubeclient.New(kubeclient.WithConfig(cfg))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -104,6 +104,15 @@ func TestNew(t *testing.T) {
|
|||||||
},
|
},
|
||||||
wantErr: "WithEndpoint must be specified",
|
wantErr: "WithEndpoint must be specified",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "empty api group suffix",
|
||||||
|
opts: []Option{
|
||||||
|
WithAuthenticator("jwt", "test-authenticator"),
|
||||||
|
WithEndpoint("https://example.com"),
|
||||||
|
WithAPIGroupSuffix(""),
|
||||||
|
},
|
||||||
|
wantErr: "api group suffix must not be empty",
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "valid",
|
name: "valid",
|
||||||
opts: []Option{
|
opts: []Option{
|
||||||
@ -114,6 +123,7 @@ func TestNew(t *testing.T) {
|
|||||||
WithBase64CABundle(base64.StdEncoding.EncodeToString(testCA.Bundle())),
|
WithBase64CABundle(base64.StdEncoding.EncodeToString(testCA.Bundle())),
|
||||||
WithAuthenticator("jwt", "test-authenticator"),
|
WithAuthenticator("jwt", "test-authenticator"),
|
||||||
WithAuthenticator("webhook", "test-authenticator"),
|
WithAuthenticator("webhook", "test-authenticator"),
|
||||||
|
WithAPIGroupSuffix("suffix.com"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user