Path to ci bundle rather than the actual value for get kubeconfig

Also changed a function param to a pointer
This commit is contained in:
Margo Crawford 2021-01-27 15:39:16 -08:00
parent 12e41d783f
commit 343c275f46
4 changed files with 55 additions and 27 deletions

View File

@ -78,7 +78,7 @@ type getKubeconfigConciergeParams struct {
authenticatorName string authenticatorName string
authenticatorType string authenticatorType string
apiGroupSuffix string apiGroupSuffix string
caBundleData string caBundlePath string
endpoint string endpoint string
useImpersonationProxy bool useImpersonationProxy bool
} }
@ -113,7 +113,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)") f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
f.StringVar(&flags.concierge.caBundleData, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge") f.StringVar(&flags.concierge.caBundlePath, "concierge-ca-bundle", "", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the concierge")
f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint") f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
f.BoolVar(&flags.concierge.useImpersonationProxy, "concierge-use-impersonation-proxy", false, "Whether the concierge cluster uses an impersonation proxy") f.BoolVar(&flags.concierge.useImpersonationProxy, "concierge-use-impersonation-proxy", false, "Whether the concierge cluster uses an impersonation proxy")
@ -170,7 +170,14 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err) return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
} }
if flags.concierge.useImpersonationProxy { if flags.concierge.useImpersonationProxy {
cluster.CertificateAuthorityData = []byte(flags.concierge.caBundleData) // TODO what to do if --use-impersonation-proxy is set but flags.concierge.caBundlePath is not???
// TODO dont do this twice
conciergeCaBundleData, err := loadCABundlePaths([]string{flags.concierge.caBundlePath})
if err != nil {
return fmt.Errorf("could not read --concierge-ca-bundle: %w", err)
}
cluster.CertificateAuthorityData = []byte(conciergeCaBundleData)
cluster.Server = flags.concierge.endpoint cluster.Server = flags.concierge.endpoint
} }
clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix) clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
@ -280,8 +287,16 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
if flags.concierge.endpoint == "" { if flags.concierge.endpoint == "" {
flags.concierge.endpoint = v1Cluster.Server flags.concierge.endpoint = v1Cluster.Server
} }
if flags.concierge.caBundleData == "" {
flags.concierge.caBundleData = base64.StdEncoding.EncodeToString(v1Cluster.CertificateAuthorityData) var encodedConciergeCaBundleData string
if flags.concierge.caBundlePath == "" {
encodedConciergeCaBundleData = base64.StdEncoding.EncodeToString(v1Cluster.CertificateAuthorityData)
} else {
conciergeCaBundleData, err := loadCABundlePaths([]string{flags.concierge.caBundlePath})
if err != nil {
return fmt.Errorf("could not read --concierge-ca-bundle: %w", err)
}
encodedConciergeCaBundleData = base64.StdEncoding.EncodeToString([]byte(conciergeCaBundleData))
} }
// Append the flags to configure the Concierge credential exchange at runtime. // Append the flags to configure the Concierge credential exchange at runtime.
@ -292,7 +307,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
"--concierge-authenticator-name="+flags.concierge.authenticatorName, "--concierge-authenticator-name="+flags.concierge.authenticatorName,
"--concierge-authenticator-type="+flags.concierge.authenticatorType, "--concierge-authenticator-type="+flags.concierge.authenticatorType,
"--concierge-endpoint="+flags.concierge.endpoint, "--concierge-endpoint="+flags.concierge.endpoint,
"--concierge-ca-bundle-data="+flags.concierge.caBundleData, "--concierge-ca-bundle-data="+encodedConciergeCaBundleData,
) )
if flags.concierge.useImpersonationProxy { if flags.concierge.useImpersonationProxy {
execConfig.Args = append(execConfig.Args, execConfig.Args = append(execConfig.Args,

View File

@ -28,11 +28,14 @@ import (
) )
func TestGetKubeconfig(t *testing.T) { func TestGetKubeconfig(t *testing.T) {
testCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour) testOIDCCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour)
require.NoError(t, err) require.NoError(t, err)
tmpdir := testutil.TempDir(t) tmpdir := testutil.TempDir(t)
testCABundlePath := filepath.Join(tmpdir, "testca.pem") testOIDCCABundlePath := filepath.Join(tmpdir, "testca.pem")
require.NoError(t, ioutil.WriteFile(testCABundlePath, testCA.Bundle(), 0600)) require.NoError(t, ioutil.WriteFile(testOIDCCABundlePath, testOIDCCA.Bundle(), 0600))
testConciergeCABundlePath := filepath.Join(tmpdir, "testconciergeca.pem")
require.NoError(t, ioutil.WriteFile(testConciergeCABundlePath, []byte("test-concierge-ca"), 0600))
tests := []struct { tests := []struct {
name string name string
@ -61,7 +64,7 @@ func TestGetKubeconfig(t *testing.T) {
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev") --concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover) --concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover) --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge --concierge-ca-bundle string Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the concierge
--concierge-endpoint string API base for the Pinniped concierge endpoint --concierge-endpoint string API base for the Pinniped concierge endpoint
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge") --concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
--concierge-use-impersonation-proxy Whether the concierge cluster uses an impersonation proxy --concierge-use-impersonation-proxy Whether the concierge cluster uses an impersonation proxy
@ -268,6 +271,19 @@ func TestGetKubeconfig(t *testing.T) {
Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7 Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
`), `),
}, },
{
name: " invalid concierge ca bundle",
args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-ca-bundle", "./does/not/exist",
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
"--concierge-use-impersonation-proxy",
},
wantError: true,
wantStderr: here.Doc(`
Error: could not read --concierge-ca-bundle: open ./does/not/exist: no such file or directory
`),
},
{ {
name: "invalid static token flags", name: "invalid static token flags",
args: []string{ args: []string{
@ -399,7 +415,7 @@ func TestGetKubeconfig(t *testing.T) {
Issuer: "https://example.com/issuer", Issuer: "https://example.com/issuer",
Audience: "test-audience", Audience: "test-audience",
TLS: &conciergev1alpha1.TLSSpec{ TLS: &conciergev1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString(testCA.Bundle()), CertificateAuthorityData: base64.StdEncoding.EncodeToString(testOIDCCA.Bundle()),
}, },
}, },
}, },
@ -442,7 +458,7 @@ func TestGetKubeconfig(t *testing.T) {
command: '.../path/to/pinniped' command: '.../path/to/pinniped'
env: [] env: []
provideClusterInfo: true provideClusterInfo: true
`, base64.StdEncoding.EncodeToString(testCA.Bundle())), `, base64.StdEncoding.EncodeToString(testOIDCCA.Bundle())),
}, },
{ {
name: "autodetect nothing, set a bunch of options", name: "autodetect nothing, set a bunch of options",
@ -454,7 +470,7 @@ func TestGetKubeconfig(t *testing.T) {
"--oidc-issuer", "https://example.com/issuer", "--oidc-issuer", "https://example.com/issuer",
"--oidc-skip-browser", "--oidc-skip-browser",
"--oidc-listen-port", "1234", "--oidc-listen-port", "1234",
"--oidc-ca-bundle", testCABundlePath, "--oidc-ca-bundle", testOIDCCABundlePath,
"--oidc-session-cache", "/path/to/cache/dir/sessions.yaml", "--oidc-session-cache", "/path/to/cache/dir/sessions.yaml",
"--oidc-debug-session-cache", "--oidc-debug-session-cache",
"--oidc-request-audience", "test-audience", "--oidc-request-audience", "test-audience",
@ -506,14 +522,14 @@ func TestGetKubeconfig(t *testing.T) {
command: '.../path/to/pinniped' command: '.../path/to/pinniped'
env: [] env: []
provideClusterInfo: true provideClusterInfo: true
`, base64.StdEncoding.EncodeToString(testCA.Bundle())), `, base64.StdEncoding.EncodeToString(testOIDCCA.Bundle())),
wantAPIGroupSuffix: "tuna.io", wantAPIGroupSuffix: "tuna.io",
}, },
{ {
name: "configure impersonation proxy with autodetected JWT authenticator", name: "configure impersonation proxy with autodetected JWT authenticator",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-ca-bundle-data", "blah", // TODO make this more realistic, maybe do some validation? "--concierge-ca-bundle", testConciergeCABundlePath,
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test", "--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
"--concierge-use-impersonation-proxy", "--concierge-use-impersonation-proxy",
}, },
@ -524,7 +540,7 @@ func TestGetKubeconfig(t *testing.T) {
Issuer: "https://example.com/issuer", Issuer: "https://example.com/issuer",
Audience: "test-audience", Audience: "test-audience",
TLS: &conciergev1alpha1.TLSSpec{ TLS: &conciergev1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString(testCA.Bundle()), CertificateAuthorityData: base64.StdEncoding.EncodeToString(testOIDCCA.Bundle()),
}, },
}, },
}, },
@ -533,7 +549,7 @@ func TestGetKubeconfig(t *testing.T) {
apiVersion: v1 apiVersion: v1
clusters: clusters:
- cluster: - cluster:
certificate-authority-data: YmxhaA== certificate-authority-data: dGVzdC1jb25jaWVyZ2UtY2E=
server: https://impersonation-proxy-endpoint.test server: https://impersonation-proxy-endpoint.test
name: pinniped name: pinniped
contexts: contexts:
@ -558,7 +574,7 @@ func TestGetKubeconfig(t *testing.T) {
- --concierge-authenticator-name=test-authenticator - --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=jwt - --concierge-authenticator-type=jwt
- --concierge-endpoint=https://impersonation-proxy-endpoint.test - --concierge-endpoint=https://impersonation-proxy-endpoint.test
- --concierge-ca-bundle-data=blah - --concierge-ca-bundle-data=dGVzdC1jb25jaWVyZ2UtY2E=
- --concierge-use-impersonation-proxy - --concierge-use-impersonation-proxy
- --issuer=https://example.com/issuer - --issuer=https://example.com/issuer
- --client-id=pinniped-cli - --client-id=pinniped-cli
@ -568,7 +584,7 @@ func TestGetKubeconfig(t *testing.T) {
command: '.../path/to/pinniped' command: '.../path/to/pinniped'
env: [] env: []
provideClusterInfo: true provideClusterInfo: true
`, base64.StdEncoding.EncodeToString(testCA.Bundle())), `, base64.StdEncoding.EncodeToString(testOIDCCA.Bundle())),
}, },
} }
for _, tt := range tests { for _, tt := range tests {

View File

@ -189,7 +189,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
if concierge != nil && flags.useImpersonationProxy { if concierge != nil && flags.useImpersonationProxy {
// Put the token into a TokenCredentialRequest // Put the token into a TokenCredentialRequest
// put the TokenCredentialRequest in an ExecCredential // put the TokenCredentialRequest in an ExecCredential
req, err := execCredentialForImpersonationProxy(token.IDToken.Token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, token.IDToken.Expiry) req, err := execCredentialForImpersonationProxy(token.IDToken.Token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, &token.IDToken.Expiry)
if err != nil { if err != nil {
return err return err
} }
@ -262,7 +262,7 @@ func execCredentialForImpersonationProxy(
conciergeAuthenticatorType string, conciergeAuthenticatorType string,
conciergeNamespace string, conciergeNamespace string,
conciergeAuthenticatorName string, conciergeAuthenticatorName string,
tokenExpiry metav1.Time, tokenExpiry *metav1.Time,
) (*clientauthv1beta1.ExecCredential, error) { ) (*clientauthv1beta1.ExecCredential, error) {
// TODO maybe de-dup this with conciergeclient.go // TODO maybe de-dup this with conciergeclient.go
var kind string var kind string
@ -292,7 +292,7 @@ func execCredentialForImpersonationProxy(
}, },
}) })
if err != nil { if err != nil {
return nil, err return nil, fmt.Errorf("Error creating TokenCredentialRequest for impersonation proxy: %w", err)
} }
encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON) encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON)
cred := &clientauthv1beta1.ExecCredential{ cred := &clientauthv1beta1.ExecCredential{
@ -305,7 +305,7 @@ func execCredentialForImpersonationProxy(
}, },
} }
if !tokenExpiry.IsZero() { if !tokenExpiry.IsZero() {
cred.Status.ExpirationTimestamp = &tokenExpiry cred.Status.ExpirationTimestamp = tokenExpiry
} }
return cred, nil return cred, nil
} }

View File

@ -11,8 +11,6 @@ import (
"os" "os"
"time" "time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/spf13/cobra" "github.com/spf13/cobra"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@ -124,10 +122,9 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
} }
} }
if concierge != nil && flags.useImpersonationProxy { if concierge != nil && flags.useImpersonationProxy {
var nilExpiry metav1.Time
// Put the token into a TokenCredentialRequest // Put the token into a TokenCredentialRequest
// put the TokenCredentialRequest in an ExecCredential // put the TokenCredentialRequest in an ExecCredential
req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, nilExpiry) req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, nil)
if err != nil { if err != nil {
return err return err
} }