Add a way to set a default supervisor TLS cert for when SNI won't work

- Setting a Secret in the supervisor's namespace with a special name
  will cause it to get picked up and served as the supervisor's TLS
  cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
  issuer and the user will be accessing it via IP address. This
  is not how we would expect it to be used in production, but it
  might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
  Close() in lines like `defer x.Close()` to make GoLand happier
This commit is contained in:
Ryan Richard 2020-10-27 16:33:08 -07:00
parent 1f1b6c884e
commit 38802c2184
10 changed files with 192 additions and 58 deletions

View File

@ -109,7 +109,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
if err != nil {
return
}
defer req.Body.Close()
defer func() { _ = req.Body.Close() }()
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
notFound := k8serrors.IsNotFound(err)
@ -379,7 +379,7 @@ func run() error {
if err != nil {
return fmt.Errorf("cannot create listener: %w", err)
}
defer l.Close()
defer func() { _ = l.Close() }()
err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
if err != nil {

View File

@ -106,7 +106,7 @@ func TestWebhook(t *testing.T) {
l, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
defer l.Close()
defer func() { _ = l.Close() }()
require.NoError(t, w.start(ctx, l))
client := newClient(caBundle, serverName)
@ -412,7 +412,7 @@ func TestWebhook(t *testing.T) {
Body: body,
})
require.NoError(t, err)
defer rsp.Body.Close()
defer func() { _ = rsp.Body.Close() }()
require.Equal(t, test.wantStatus, rsp.StatusCode)
@ -470,7 +470,7 @@ func newCertProvider(t *testing.T) (dynamiccert.Provider, []byte, string) {
ca, err := certauthority.New(pkix.Name{CommonName: serverName + " CA"}, time.Hour*24)
require.NoError(t, err)
cert, err := ca.Issue(pkix.Name{CommonName: serverName}, []string{serverName}, time.Hour*24)
cert, err := ca.Issue(pkix.Name{CommonName: serverName}, []string{serverName}, nil, time.Hour*24)
require.NoError(t, err)
certPEM, keyPEM, err := certauthority.ToPEM(cert)

View File

@ -201,7 +201,7 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
if err != nil {
return fmt.Errorf("cannot create listener: %w", err)
}
defer httpListener.Close()
defer func() { _ = httpListener.Close() }()
start(ctx, httpListener, oidProvidersManager)
//nolint: gosec // Intentionally binding to all network interfaces.
@ -209,14 +209,22 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
MinVersion: tls.VersionTLS12, // Allow v1.2 because clients like the default `curl` on MacOS don't support 1.3 yet.
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
klog.InfoS("GetCertificate called for port 443", "info.ServerName", info.ServerName, "foundCert", cert != nil)
defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
klog.InfoS("GetCertificate called for port 443",
"info.ServerName", info.ServerName,
"foundSNICert", cert != nil,
"foundDefaultCert", defaultCert != nil,
)
if cert == nil {
cert = defaultCert
}
return cert, nil
},
})
if err != nil {
return fmt.Errorf("cannot create listener: %w", err)
}
defer httpsListener.Close()
defer func() { _ = httpsListener.Close() }()
start(ctx, httpsListener, oidProvidersManager)
klog.InfoS("supervisor is ready",

View File

@ -17,6 +17,7 @@ import (
"fmt"
"io"
"math/big"
"net"
"time"
)
@ -136,7 +137,7 @@ func (c *CA) Bundle() []byte {
}
// Issue a new server certificate for the given identity and duration.
func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tls.Certificate, error) {
func (c *CA) Issue(subject pkix.Name, dnsNames []string, ips []net.IP, ttl time.Duration) (*tls.Certificate, error) {
// Choose a random 128 bit serial number.
serialNumber, err := randomSerial(c.env.serialRNG)
if err != nil {
@ -171,6 +172,7 @@ func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tl
BasicConstraintsValid: true,
IsCA: false,
DNSNames: dnsNames,
IPAddresses: ips,
}
certBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, &privateKey.PublicKey, c.signer)
if err != nil {
@ -194,7 +196,7 @@ func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tl
// IssuePEM issues a new server certificate for the given identity and duration, returning it as a pair of
// PEM-formatted byte slices for the certificate and private key.
func (c *CA) IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error) {
return toPEM(c.Issue(subject, dnsNames, ttl))
return toPEM(c.Issue(subject, dnsNames, nil, ttl))
}
func toPEM(cert *tls.Certificate, err error) ([]byte, []byte, error) {

View File

@ -11,6 +11,7 @@ import (
"fmt"
"io"
"io/ioutil"
"net"
"strings"
"testing"
"time"
@ -282,7 +283,7 @@ func TestIssue(t *testing.T) {
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
got, err := tt.ca.Issue(pkix.Name{CommonName: "Test Server"}, []string{"example.com"}, 10*time.Minute)
got, err := tt.ca.Issue(pkix.Name{CommonName: "Test Server"}, []string{"example.com"}, []net.IP{net.IPv4(1, 2, 3, 4)}, 10*time.Minute)
if tt.wantErr != "" {
require.EqualError(t, err, tt.wantErr)
require.Nil(t, got)

View File

@ -103,6 +103,7 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
pkix.Name{CommonName: serviceEndpoint},
[]string{serviceEndpoint},
nil,
c.certDuration,
)
if err != nil {

View File

@ -18,18 +18,21 @@ import (
"go.pinniped.dev/internal/controllerlib"
)
const SecretNameForDefaultTLSCertificate = "default-tls-certificate" //nolint:gosec // this is not a hardcoded credential
type tlsCertObserverController struct {
issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter
oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer
secretInformer corev1informers.SecretInformer
issuerTLSCertSetter IssuerTLSCertSetter
oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer
secretInformer corev1informers.SecretInformer
}
type IssuerHostToTLSCertMapSetter interface {
type IssuerTLSCertSetter interface {
SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate)
SetDefaultTLSCert(certificate *tls.Certificate)
}
func NewTLSCertObserverController(
issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter,
issuerTLSCertSetter IssuerTLSCertSetter,
secretInformer corev1informers.SecretInformer,
oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer,
withInformer pinnipedcontroller.WithInformerOptionFunc,
@ -38,9 +41,9 @@ func NewTLSCertObserverController(
controllerlib.Config{
Name: "tls-certs-observer-controller",
Syncer: &tlsCertObserverController{
issuerHostToTLSCertMapSetter: issuerHostToTLSCertMapSetter,
oidcProviderConfigInformer: oidcProviderConfigInformer,
secretInformer: secretInformer,
issuerTLSCertSetter: issuerTLSCertSetter,
oidcProviderConfigInformer: oidcProviderConfigInformer,
secretInformer: secretInformer,
},
},
withInformer(
@ -74,26 +77,41 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
continue
}
tlsSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretName)
certFromSecret, err := c.certFromSecret(ns, secretName)
if err != nil {
klog.InfoS("tlsCertObserverController Sync could not find TLS cert secret", "namespace", ns, "secretName", secretName)
continue
}
certFromSecret, err := tls.X509KeyPair(tlsSecret.Data["tls.crt"], tlsSecret.Data["tls.key"])
if err != nil {
klog.InfoS("tlsCertObserverController Sync found a TLS secret with Data in an unexpected format", "namespace", ns, "secretName", secretName)
continue
}
// Lowercase the host part of the URL because hostnames should be treated as case-insensitive.
issuerHostToTLSCertMap[lowercaseHostWithoutPort(issuerURL)] = &certFromSecret
issuerHostToTLSCertMap[lowercaseHostWithoutPort(issuerURL)] = certFromSecret
}
klog.InfoS("tlsCertObserverController Sync updated the TLS cert cache", "issuerHostCount", len(issuerHostToTLSCertMap))
c.issuerHostToTLSCertMapSetter.SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap)
c.issuerTLSCertSetter.SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap)
defaultCert, err := c.certFromSecret(ns, SecretNameForDefaultTLSCertificate)
if err != nil {
c.issuerTLSCertSetter.SetDefaultTLSCert(nil)
} else {
c.issuerTLSCertSetter.SetDefaultTLSCert(defaultCert)
}
return nil
}
func (c *tlsCertObserverController) certFromSecret(ns string, secretName string) (*tls.Certificate, error) {
tlsSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretName)
if err != nil {
klog.InfoS("tlsCertObserverController Sync could not find TLS cert secret", "namespace", ns, "secretName", secretName)
return nil, err
}
certFromSecret, err := tls.X509KeyPair(tlsSecret.Data["tls.crt"], tlsSecret.Data["tls.key"])
if err != nil {
klog.InfoS("tlsCertObserverController Sync found a TLS secret with Data in an unexpected format", "namespace", ns, "secretName", secretName)
return nil, err
}
return &certFromSecret, nil
}
func lowercaseHostWithoutPort(issuerURL *url.URL) string {
lowercaseHost := strings.ToLower(issuerURL.Host)
colonSegments := strings.Split(lowercaseHost, ":")

View File

@ -96,31 +96,38 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
}, spec.Parallel(), spec.Report(report.Terminal{}))
}
type fakeIssuerHostToTLSCertMapSetter struct {
type fakeIssuerTLSCertSetter struct {
setIssuerHostToTLSCertMapWasCalled bool
setDefaultTLSCertWasCalled bool
issuerHostToTLSCertMapReceived map[string]*tls.Certificate
setDefaultTLSCertReceived *tls.Certificate
}
func (f *fakeIssuerHostToTLSCertMapSetter) SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate) {
func (f *fakeIssuerTLSCertSetter) SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate) {
f.setIssuerHostToTLSCertMapWasCalled = true
f.issuerHostToTLSCertMapReceived = issuerHostToTLSCertMap
}
func (f *fakeIssuerTLSCertSetter) SetDefaultTLSCert(certificate *tls.Certificate) {
f.setDefaultTLSCertWasCalled = true
f.setDefaultTLSCertReceived = certificate
}
func TestTLSCertObserverControllerSync(t *testing.T) {
spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
const installedInNamespace = "some-namespace"
var (
r *require.Assertions
subject controllerlib.Controller
pinnipedInformerClient *pinnipedfake.Clientset
kubeInformerClient *kubernetesfake.Clientset
pinnipedInformers pinnipedinformers.SharedInformerFactory
kubeInformers kubeinformers.SharedInformerFactory
timeoutContext context.Context
timeoutContextCancel context.CancelFunc
syncContext *controllerlib.Context
issuerHostToTLSCertSetter *fakeIssuerHostToTLSCertMapSetter
r *require.Assertions
subject controllerlib.Controller
pinnipedInformerClient *pinnipedfake.Clientset
kubeInformerClient *kubernetesfake.Clientset
pinnipedInformers pinnipedinformers.SharedInformerFactory
kubeInformers kubeinformers.SharedInformerFactory
timeoutContext context.Context
timeoutContextCancel context.CancelFunc
syncContext *controllerlib.Context
issuerTLSCertSetter *fakeIssuerTLSCertSetter
)
// Defer starting the informers until the last possible moment so that the
@ -128,7 +135,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
var startInformersAndController = func() {
// Set this at the last second to allow for injection of server override.
subject = NewTLSCertObserverController(
issuerHostToTLSCertSetter,
issuerTLSCertSetter,
kubeInformers.Core().V1().Secrets(),
pinnipedInformers.Config().V1alpha1().OIDCProviderConfigs(),
controllerlib.WithInformer,
@ -165,7 +172,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
kubeInformers = kubeinformers.NewSharedInformerFactory(kubeInformerClient, 0)
pinnipedInformerClient = pinnipedfake.NewSimpleClientset()
pinnipedInformers = pinnipedinformers.NewSharedInformerFactory(pinnipedInformerClient, 0)
issuerHostToTLSCertSetter = &fakeIssuerHostToTLSCertMapSetter{}
issuerTLSCertSetter = &fakeIssuerTLSCertSetter{}
unrelatedSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
@ -181,13 +188,15 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
})
when("there are no OIDCProviderConfigs and no TLS Secrets yet", func() {
it("sets the issuerHostToTLSCertSetter's map to be empty", func() {
it("sets the issuerTLSCertSetter's map to be empty", func() {
startInformersAndController()
err := controllerlib.TestSync(t, subject, *syncContext)
r.NoError(err)
r.True(issuerHostToTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Empty(issuerHostToTLSCertSetter.issuerHostToTLSCertMapReceived)
r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Empty(issuerTLSCertSetter.issuerHostToTLSCertMapReceived)
r.True(issuerTLSCertSetter.setDefaultTLSCertWasCalled)
r.Nil(issuerTLSCertSetter.setDefaultTLSCertReceived)
})
})
@ -293,24 +302,61 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
r.NoError(kubeInformerClient.Tracker().Add(badTLSSecret))
})
it("updates the issuerHostToTLSCertSetter's map to include only the issuers that had valid certs", func() {
it("updates the issuerTLSCertSetter's map to include only the issuers that had valid certs", func() {
startInformersAndController()
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
r.True(issuerHostToTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Len(issuerHostToTLSCertSetter.issuerHostToTLSCertMapReceived, 2)
r.True(issuerTLSCertSetter.setDefaultTLSCertWasCalled)
r.Nil(issuerTLSCertSetter.setDefaultTLSCertReceived)
r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2)
// They keys in the map should be lower case and should not include the port numbers, because
// TLS SNI says that SNI hostnames must be DNS names (not ports) and must be case insensitive.
// See https://tools.ietf.org/html/rfc3546#section-3.1
actualCertificate1 := issuerHostToTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret1.com"]
actualCertificate1 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret1.com"]
r.NotNil(actualCertificate1)
// The actual cert should match the one from the test fixture that was put into the secret.
r.Equal(expectedCertificate1, *actualCertificate1)
actualCertificate2 := issuerHostToTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret2.com"]
actualCertificate2 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret2.com"]
r.NotNil(actualCertificate2)
r.Equal(expectedCertificate2, *actualCertificate2)
})
when("there is also a default TLS cert secret called default-tls-certificate", func() {
var (
expectedDefaultCertificate tls.Certificate
)
it.Before(func() {
var err error
testCrt := readTestFile("testdata/test3.crt")
r.NotEmpty(testCrt)
testKey := readTestFile("testdata/test3.key")
r.NotEmpty(testKey)
expectedDefaultCertificate, err = tls.X509KeyPair(testCrt, testKey)
r.NoError(err)
defaultTLSCertSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Name: "default-tls-certificate", Namespace: installedInNamespace},
Data: map[string][]byte{"tls.crt": testCrt, "tls.key": testKey},
}
r.NoError(kubeInformerClient.Tracker().Add(defaultTLSCertSecret))
})
it("updates the issuerTLSCertSetter's map as before but also updates the default certificate", func() {
startInformersAndController()
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
r.True(issuerTLSCertSetter.setDefaultTLSCertWasCalled)
actualDefaultCertificate := issuerTLSCertSetter.setDefaultTLSCertReceived
r.NotNil(actualDefaultCertificate)
r.Equal(expectedDefaultCertificate, *actualDefaultCertificate)
r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2)
})
})
})
}, spec.Parallel(), spec.Report(report.Terminal{}))
}

View File

@ -10,11 +10,14 @@ import (
type DynamicTLSCertProvider interface {
SetIssuerHostToTLSCertMap(issuerToJWKSMap map[string]*tls.Certificate)
SetDefaultTLSCert(certificate *tls.Certificate)
GetTLSCert(lowercaseIssuerHostName string) *tls.Certificate
GetDefaultTLSCert() *tls.Certificate
}
type dynamicTLSCertProvider struct {
issuerHostToTLSCertMap map[string]*tls.Certificate
defaultCert *tls.Certificate
mutex sync.RWMutex
}
@ -30,8 +33,20 @@ func (p *dynamicTLSCertProvider) SetIssuerHostToTLSCertMap(issuerHostToTLSCertMa
p.issuerHostToTLSCertMap = issuerHostToTLSCertMap
}
func (p *dynamicTLSCertProvider) SetDefaultTLSCert(certificate *tls.Certificate) {
p.mutex.Lock() // acquire a write lock
defer p.mutex.Unlock()
p.defaultCert = certificate
}
func (p *dynamicTLSCertProvider) GetTLSCert(issuerHostName string) *tls.Certificate {
p.mutex.RLock() // acquire a read lock
defer p.mutex.RUnlock()
return p.issuerHostToTLSCertMap[issuerHostName]
}
func (p *dynamicTLSCertProvider) GetDefaultTLSCert() *tls.Certificate {
p.mutex.RLock() // acquire a read lock
defer p.mutex.RUnlock()
return p.defaultCert
}

View File

@ -31,6 +31,49 @@ import (
"go.pinniped.dev/test/library"
)
func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
env := library.IntegrationEnv(t)
pinnipedClient := library.NewPinnipedClientset(t)
kubeClient := library.NewClientset(t)
ns := env.SupervisorNamespace
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, pinnipedClient)
scheme := "https"
address := env.SupervisorHTTPSAddress // hostname and port for direct access to the supervisor's port 443
hostAndPortSegments := strings.Split(address, ":")
hostname := hostAndPortSegments[0]
port := "443"
if len(hostAndPortSegments) > 1 {
port = hostAndPortSegments[1]
}
ips, err := net.DefaultResolver.LookupIP(ctx, "ip4", hostname)
require.NoError(t, err)
ip := ips[0]
ipAsString := ip.String()
ipWithPort := ipAsString + ":" + port
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
// Create an OIDCProviderConfig without an sniCertificateSecretName.
oidcProviderConfig1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
requireStatus(t, pinnipedClient, oidcProviderConfig1.Namespace, oidcProviderConfig1.Name, v1alpha1.SuccessOIDCProviderStatus)
// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
// Create a Secret at the special name which represents the default TLS cert.
specialNameForDefaultTLSCertSecret := "default-tls-certificate" //nolint:gosec // this is not a hardcoded credential
ca := createTLSCertificateSecret(ctx, t, ns, "cert-hostname-doesnt-matter", []net.IP{ip}, specialNameForDefaultTLSCertSecret, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(ca.Bundle()), issuerUsingIPAddress, nil)
}
func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
env := library.IntegrationEnv(t)
pinnipedClient := library.NewPinnipedClientset(t)
@ -57,7 +100,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
// Create the Secret.
ca1 := createSNICertificateSecret(ctx, t, ns, hostname1, sniCertificateSecretName1, kubeClient)
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
@ -74,7 +117,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
// Create a Secret at the updated name.
ca1update := createSNICertificateSecret(ctx, t, ns, hostname1, sniCertificateSecretName1update, kubeClient)
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient)
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
@ -90,7 +133,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
requireStatus(t, pinnipedClient, oidcProviderConfig2.Namespace, oidcProviderConfig2.Name, v1alpha1.SuccessOIDCProviderStatus)
// Create the Secret.
ca2 := createSNICertificateSecret(ctx, t, ns, hostname2, sniCertificateSecretName2, kubeClient)
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
@ -195,13 +238,13 @@ func TestSupervisorOIDCDiscovery(t *testing.T) {
}
}
func createSNICertificateSecret(ctx context.Context, t *testing.T, ns string, hostname string, sniCertificateSecretName string, kubeClient kubernetes.Interface) *certauthority.CA {
func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, hostname string, ips []net.IP, secretName string, kubeClient kubernetes.Interface) *certauthority.CA {
// Create a CA.
ca, err := certauthority.New(pkix.Name{CommonName: "Acme Corp"}, 1000*time.Hour)
require.NoError(t, err)
// Using the CA, create a TLS server cert.
tlsCert, err := ca.Issue(pkix.Name{CommonName: hostname}, []string{hostname}, 1000*time.Hour)
tlsCert, err := ca.Issue(pkix.Name{CommonName: hostname}, []string{hostname}, ips, 1000*time.Hour)
require.NoError(t, err)
// Write the serving cert to the SNI secret.
@ -210,7 +253,7 @@ func createSNICertificateSecret(ctx context.Context, t *testing.T, ns string, ho
secret := corev1.Secret{
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Name: sniCertificateSecretName,
Name: secretName,
Namespace: ns,
},
StringData: map[string]string{
@ -226,7 +269,7 @@ func createSNICertificateSecret(ctx context.Context, t *testing.T, ns string, ho
t.Helper()
deleteCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
err := kubeClient.CoreV1().Secrets(ns).Delete(deleteCtx, sniCertificateSecretName, metav1.DeleteOptions{})
err := kubeClient.CoreV1().Secrets(ns).Delete(deleteCtx, secretName, metav1.DeleteOptions{})
require.NoError(t, err)
})
@ -308,7 +351,7 @@ func requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t *testing.T, url
return err != nil && strings.Contains(err.Error(), "tls: unrecognized name")
}, 10*time.Second, 200*time.Millisecond)
require.Error(t, err)
require.EqualError(t, err, `Get "https://localhost:12344/issuer1": remote error: tls: unrecognized name`)
require.EqualError(t, err, fmt.Sprintf(`Get "%s": remote error: tls: unrecognized name`, url))
}
func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(