From 3b461572eae544c183426748a34a6cd4d6ac35b5 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Thu, 8 Apr 2021 17:00:14 -0500
Subject: [PATCH] Add cluster info to cache key for cluster-specific credential cache.
This isn't strictly necessary because we currently always have the concierge endpoint and CA as CLI flags, but it doesn't hurt and it's better to err on the side of _not_ reusing a cache entry.
Signed-off-by: Matt Moyer
---
 cmd/pinniped/cmd/login.go | 14 ++++++++++++++
 cmd/pinniped/cmd/login_oidc.go | 8 +++++---
 cmd/pinniped/cmd/login_static.go | 12 +++++++-----
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/cmd/pinniped/cmd/login.go b/cmd/pinniped/cmd/login.go
index e27442ee..d1d1d151 100644
--- a/cmd/pinniped/cmd/login.go
+++ b/cmd/pinniped/cmd/login.go
@@ -5,6 +5,8 @@ package cmd
 import (
 "github.com/spf13/cobra"
+ clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+ "k8s.io/client-go/tools/auth/exec"
 )
 //nolint: gochecknoglobals
@@ -20,3 +22,15 @@ var loginCmd = &cobra.Command{
 func init() {
 rootCmd.AddCommand(loginCmd)
 }
+
+func loadClusterInfo() *clientauthv1beta1.Cluster {
+ obj, _, err := exec.LoadExecCredentialFromEnv()
+ if err != nil {
+ return nil
+ }
+ cred, ok := obj.(*clientauthv1beta1.ExecCredential)
+ if !ok {
+ return nil
+ }
+ return cred.Spec.Cluster
+}
diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go
index 4d751d35..34ead8f8 100644
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
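Review bot: `loadClusterInfo` in login.go returns nil for three different situations: no exec info in the environment, exec info that fails to decode, and an object that is not a `*clientauthv1beta1.ExecCredential`. In all three the cache key silently falls back to the CLI arguments alone. The commit message says it wants to err on the side of not reusing a cache entry, but a malformed `KUBERNETES_EXEC_INFO` would map onto the same key as "no cluster info at all" and could match an entry written without it. The function also has no doc comment; I would add `// loadClusterInfo returns the cluster from the exec credential passed in the environment, or nil if none is present or it cannot be decoded as a v1beta1 ExecCredential.` If the decode-error case can be told apart from the absent case, consider logging it or skipping the cache for that invocation rather than discarding `err`.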
@@ -167,11 +167,13 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 opts = append(opts, oidcclient.WithClient(client))
 }
- // Look up cached credentials based on a hash of all the CLI arguments.
+ // Look up cached credentials based on a hash of all the CLI arguments and the cluster info.
 cacheKey := struct {
- Args []string `json:"args"`
+ Args []string `json:"args"`
+ ClusterInfo *clientauthv1beta1.Cluster `json:"cluster"`
 }{
- Args: os.Args[1:],
+ Args: os.Args[1:],
+ ClusterInfo: loadClusterInfo(),
 }
 var credCache *execcredcache.Cache
 if flags.credentialCachePath != "" {
diff --git a/cmd/pinniped/cmd/login_static.go b/cmd/pinniped/cmd/login_static.go
index da7ff8e6..4b9ac2fd 100644
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -117,13 +117,15 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 }
 cred := tokenCredential(&oidctypes.Token{IDToken: &oidctypes.IDToken{Token: token}})
- // Look up cached credentials based on a hash of all the CLI arguments and the current token value.
+ // Look up cached credentials based on a hash of all the CLI arguments, the current token value, and the cluster info.
 cacheKey := struct {
- Args []string `json:"args"`
- Token string `json:"token"`
+ Args []string `json:"args"`
+ Token string `json:"token"`
+ ClusterInfo *clientauthv1beta1.Cluster `json:"cluster"`
 }{
- Args: os.Args[1:],
+ Args: os.Args[1:],
- Token: token,
+ Token: token,
+ ClusterInfo: loadClusterInfo(),
 }
 var credCache *execcredcache.Cache
 if flags.credentialCachePath != "" {
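Review bot: The new `ClusterInfo: loadClusterInfo(),` field in `runOIDCLogin` reads the process environment directly instead of going through `deps`, and it runs before the `flags.credentialCachePath != ""` check, so it is evaluated even when caching is off. Because the lookup is not injectable, a unit test presumably cannot pin that two different clusters produce different cache keys, which is the isolation property this commit is adding. I would route it through the deps struct (for example a `deps.clusterInfo()` hook, name to be chosen by the author). I would also extend the comment to say `// ClusterInfo is nil when no exec cluster info is provided, in which case the key depends on the CLI arguments alone.` The same applies to the `cacheKey` literal in `runStaticLogin` in login_static.go; both function bodies continue outside their hunks.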