Add cluster info to cache key for cluster-specific credential cache.

This isn't strictly necessary because we currently always have the concierge endpoint and CA as CLI flags, but it doesn't hurt and it's better to err on the side of _not_ reusing a cache entry. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 17:00:14 -05:00 · 2021-04-08 17:00:14 -05:00 · 3b461572ea
commit 3b461572ea
parent 271c006b6c
3 changed files with 26 additions and 8 deletions
--- a/cmd/pinniped/cmd/login.go
+++ b/cmd/pinniped/cmd/login.go
@ -5,6 +5,8 @@ package cmd

 import (
 	"github.com/spf13/cobra"
+	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	"k8s.io/client-go/tools/auth/exec"
 )

 //nolint: gochecknoglobals
@ -20,3 +22,15 @@ var loginCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(loginCmd)
 }
+
+func loadClusterInfo() *clientauthv1beta1.Cluster {
+	obj, _, err := exec.LoadExecCredentialFromEnv()
+	if err != nil {
+		return nil
+	}
+	cred, ok := obj.(*clientauthv1beta1.ExecCredential)
+	if !ok {
+		return nil
+	}
+	return cred.Spec.Cluster
+}
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@ -167,11 +167,13 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 		opts = append(opts, oidcclient.WithClient(client))
 	}

-	// Look up cached credentials based on a hash of all the CLI arguments.
+	// Look up cached credentials based on a hash of all the CLI arguments and the cluster info.
 	cacheKey := struct {
-		Args []string `json:"args"`
+		Args        []string                   `json:"args"`
+		ClusterInfo *clientauthv1beta1.Cluster `json:"cluster"`
 	}{
-		Args: os.Args[1:],
+		Args:        os.Args[1:],
+		ClusterInfo: loadClusterInfo(),
 	}
 	var credCache *execcredcache.Cache
 	if flags.credentialCachePath != "" {
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@ -117,13 +117,15 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 	}
 	cred := tokenCredential(&oidctypes.Token{IDToken: &oidctypes.IDToken{Token: token}})

-	// Look up cached credentials based on a hash of all the CLI arguments and the current token value.
+	// Look up cached credentials based on a hash of all the CLI arguments, the current token value, and the cluster info.
 	cacheKey := struct {
-		Args  []string `json:"args"`
-		Token string   `json:"token"`
+		Args        []string                   `json:"args"`
+		Token       string                     `json:"token"`
+		ClusterInfo *clientauthv1beta1.Cluster `json:"cluster"`
 	}{
-		Args:  os.Args[1:],
-		Token: token,
+		Args:        os.Args[1:],
+		Token:       token,
+		ClusterInfo: loadClusterInfo(),
 	}
 	var credCache *execcredcache.Cache
 	if flags.credentialCachePath != "" {