Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle

Fix `JWTAuthenticator` CA bundle
2020-12-09 10:43:33 -05:00 · 2020-12-09 10:43:33 -05:00 · 5f4348c57d
parent 8fcc176d8b 4c0fb12cf6
commit 5f4348c57d
3 changed files with 14 additions and 6 deletions
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@ -149,7 +149,7 @@ k8s_yaml(local([
    '--data-value image_repo=image/concierge ' +
    '--data-value image_tag=tilt-dev ' +
    '--data-value kube_cert_agent_image=debian:10.6-slim ' +
-    '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' +
+    '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/master|control plane/ {print $NF}\') ' +
    '--data-value log_level=debug ' +
    '--data-value-yaml replicas=1 ' +
    '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}"'
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -123,7 +123,7 @@ if ! tilt_mode; then
    # Our kind config exposes node port 31234 as 127.0.0.1:12345, 31243 as 127.0.0.1:12344, and 31235 as 127.0.0.1:12346
    ./hack/kind-up.sh
  else
-    if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then
+    if ! kubectl cluster-info | grep -E '(master|control plane)' | grep -q 127.0.0.1; then
      log_error "Seems like your kubeconfig is not targeting a local cluster."
      log_error "Exiting to avoid accidentally running tests against a real cluster."
      exit 1
@ -249,7 +249,7 @@ concierge_app_name="pinniped-concierge"
 concierge_namespace="concierge"
 webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
 webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
-discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
+discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
 concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
 if ! tilt_mode; then
--- a/test/library/client.go
+++ b/test/library/client.go
@ -180,14 +180,22 @@ func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedL
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 	// If the test upstream does not have a CA bundle specified, then don't configure one in the
 	// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
 	// CA store.
 	tlsSpec := &auth1alpha1.TLSSpec{
 		CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLITestUpstream.CABundle)),
 	}
 	if testEnv.CLITestUpstream.CABundle == "" {
 		tlsSpec = nil
 	}
 	jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{
 		ObjectMeta: testObjectMeta(t, "jwt-authenticator"),
 		Spec: auth1alpha1.JWTAuthenticatorSpec{
 			Issuer:   testEnv.CLITestUpstream.Issuer,
 			Audience: testEnv.CLITestUpstream.ClientID,
-			TLS: &auth1alpha1.TLSSpec{
+			TLS:      tlsSpec,
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLITestUpstream.CABundle)),
 			},
 		},
 	}, metav1.CreateOptions{})
 	require.NoError(t, err, "could not create test JWTAuthenticator")