From d19d63ad7df70fc102a8b54775526c14952e0f97 Mon Sep 17 00:00:00 2001
From: Guangyuan Wang
Date: Thu, 24 Jun 2021 22:35:16 +0000
Subject: [PATCH 1/3] Set Proxy on oidc upstream watcher transport

- this allows the oidc upsream watcher to honor the HTTP_PROXY,HTTPS_PROXY,NO_PROXY environment variables

Co-authored-by: Christian Ang
---
 .../oidcupstreamwatcher/oidc_upstream_watcher.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
index b610a2c6..0768fd2c 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -263,7 +263,12 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
 				Message: err.Error(),
 			}
 		}
-		httpClient = &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				Proxy:           http.ProxyFromEnvironment,
+				TLSClientConfig: tlsConfig,
+			},
+		}
 		discoveredProvider, err = oidc.NewProvider(oidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer)
 		if err != nil {

From 8026729c43a07606f2a5cd0e6fbe4eb7bb72c9b4 Mon Sep 17 00:00:00 2001
From: Christian Ang
Date: Thu, 24 Jun 2021 23:19:11 +0000
Subject: [PATCH 2/3] Use net.JoinHostPort instead of Sprintf

Co-authored-by: Guangyuan Wang
---
 pkg/oidcclient/login.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index 40739eb8..fdf34eff 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
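Review bot: The new `http.Transport` literal on the `+` lines carries none of `http.DefaultTransport`'s timeouts (dial timeout, `TLSHandshakeTimeout`, `ExpectContinueTimeout`) and does not set `ForceAttemptHTTP2`, so a stalled issuer or proxy blocks discovery for as long as `ctx` allows, and indefinitely if `ctx` has no deadline; `ctx` comes from outside the hunk, so I cannot tell whether it carries one. Starting from the defaults keeps the proxy behaviour this commit wants (DefaultTransport already sets `Proxy: http.ProxyFromEnvironment`) while picking up the timeouts: `transport := http.DefaultTransport.(*http.Transport).Clone()`, `transport.TLSClientConfig = tlsConfig`, `httpClient = &http.Client{Transport: transport}`. A comment is also worth adding that `ProxyFromEnvironment` may read `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` only once per process, so a proxy change needs a restart, and that the issuer's TLS is still verified end to end against `tlsConfig` through the proxy's CONNECT tunnel. validateIssuer begins and ends outside this hunk.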
@@ -140,7 +140,7 @@ func WithLogger(logger logr.Logger) Option {
 // system at the time of the request.
 func WithListenPort(port uint16) Option {
 	return func(h *handlerState) error {
-		h.listenAddr = fmt.Sprintf("localhost:%d", port)
+		h.listenAddr = net.JoinHostPort("localhost", fmt.Sprint(port))
 		return nil
 	}
 }

From 76dc39ac2d82a4e45f720f5c9abe36169a0787a4 Mon Sep 17 00:00:00 2001
From: Guangyuan Wang
Date: Mon, 28 Jun 2021 23:03:05 +0000
Subject: [PATCH 3/3] Use hostname instead of host and split on ":"

Co-authored-by: Christian Ang
Co-authored-by: Tyler Schultz
---
 .../supervisorconfig/tls_cert_observer.go | 5 ++---
 .../tls_cert_observer_test.go | 20 +++++++++++++++++--
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/internal/controller/supervisorconfig/tls_cert_observer.go b/internal/controller/supervisorconfig/tls_cert_observer.go
index 463f1d47..7574a1bb 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer.go
@@ -118,7 +118,6 @@ func (c *tlsCertObserverController) certFromSecret(ns string, secretName string)
 }
 func lowercaseHostWithoutPort(issuerURL *url.URL) string {
-	lowercaseHost := strings.ToLower(issuerURL.Host)
-	colonSegments := strings.Split(lowercaseHost, ":")
-	return colonSegments[0]
+	lowercaseHost := strings.ToLower(issuerURL.Hostname())
+	return lowercaseHost
 }

diff --git a/internal/controller/supervisorconfig/tls_cert_observer_test.go b/internal/controller/supervisorconfig/tls_cert_observer_test.go
index 3e391942..670943f4 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer_test.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer_test.go
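Review bot: `fmt.Sprint(port)` on the `+` line goes through reflection and boxing for a plain integer; `strconv.Itoa(int(port))` is the idiomatic conversion and reads as what it is, `h.listenAddr = net.JoinHostPort("localhost", strconv.Itoa(int(port)))`, provided `strconv` is or can be imported in login.go, which the hunk does not show. The move to `net.JoinHostPort` is otherwise the right call, since it brackets IPv6 literals should the host ever stop being the constant `"localhost"`. WithListenPort is fully visible in the hunk.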
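Review bot: The `lowercaseHost` temporary on the first `+` line adds nothing; `return strings.ToLower(issuerURL.Hostname())` says the same in one line. The function also deserves a doc comment now that its behaviour is defined by `url.URL.Hostname`, which strips both the port and the square brackets of an IPv6 literal: `// lowercaseHostWithoutPort returns the issuer's host lower-cased, with any port and IPv6 brackets removed, for use as the key of the issuer-to-certificate map.` If that key is later compared with the ClientHello server name, note that TLS clients do not send SNI for IP-literal hosts (RFC 6066 permits only DNS names), so an entry keyed `2001:db8::1` can be populated but is unlikely to be selected by SNI; a comment stating how IP-literal issuers are expected to be served would save the next reader that question. certFromSecret, named in the hunk header, ends at the leading `}` context line; lowercaseHostWithoutPort is fully visible.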
@@ -279,6 +279,17 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 					TLS:    &v1alpha1.FederationDomainTLSSpec{SecretName: "good-tls-secret-name2"},
 				},
 			}
+			federationDomainWithIPv6Issuer := &v1alpha1.FederationDomain{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "ipv6-issuer-federationdomain",
+					Namespace: installedInNamespace,
+				},
+				// Issuer hostname should be treated correctly when it is an IPv6 address. Test with a port number.
+				Spec: v1alpha1.FederationDomainSpec{
+					Issuer: "https://[2001:db8::1]:1234/path",
+					TLS:    &v1alpha1.FederationDomainTLSSpec{SecretName: "good-tls-secret-name1"},
+				},
+			}
 			testCrt1 := readTestFile("testdata/test.crt")
 			r.NotEmpty(testCrt1)
 			testCrt2 := readTestFile("testdata/test2.crt")
@@ -309,6 +320,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 			r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithBadIssuer))
 			r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret1))
 			r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret2))
+			r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithIPv6Issuer))
 			r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret1))
 			r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret2))
 			r.NoError(kubeInformerClient.Tracker().Add(badTLSSecret))
@@ -322,7 +334,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 				r.Nil(issuerTLSCertSetter.setDefaultTLSCertReceived)
 				r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
-				r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2)
+				r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 3)
 				// They keys in the map should be lower case and should not include the port numbers, because
 				// TLS SNI says that SNI hostnames must be DNS names (not ports) and must be case insensitive.
@@ -334,6 +346,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 				actualCertificate2 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret2.com"]
 				r.NotNil(actualCertificate2)
 				r.Equal(expectedCertificate2, *actualCertificate2)
+
+				actualCertificate3 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["2001:db8::1"]
+				r.NotNil(actualCertificate3)
+				r.Equal(expectedCertificate1, *actualCertificate3)
 			})
 			when("there is also a default TLS cert secret with the configured default TLS cert secret name", func() {
@@ -366,7 +382,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
 				r.Equal(expectedDefaultCertificate, *actualDefaultCertificate)
 				r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
-				r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2)
+				r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 3)
 			})
 		})
 	})