Set secret names on OIDCProvider status field

We believe this API is more forwards compatible with future secrets management
use cases. The implementation is a cry for help, but I was trying to follow the
previously established pattern of encapsulating the secret generation
functionality to a single group of packages.

This commit makes a breaking change to the current OIDCProvider API, but that
OIDCProvider API was added after the latest release, so it is technically still
in development until we release, and therefore we can continue to thrash on it.

I also took this opportunity to make some things private that didn't need to be
public.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler 2020-12-15 09:13:01 -05:00
parent 60d4a7beac
commit 82ae98d9d0
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
28 changed files with 724 additions and 183 deletions

View File

@ -59,6 +59,30 @@ type OIDCProviderSpec struct {
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderSecrets holds information about this OIDC Provider's secrets.
type OIDCProviderSecrets struct {
// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
// stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional
JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing tokens is stored.
// +optional
TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing state parameters is stored.
// +optional
StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// encrypting state parameters is stored.
// +optional
StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
type OIDCProviderStatus struct { type OIDCProviderStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can // Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
@ -76,11 +100,9 @@ type OIDCProviderStatus struct {
// +optional // +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"` LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys // Secrets contains information about this OIDC Provider's secrets.
// are stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional // +optional
JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"` Secrets OIDCProviderSecrets `json:"secrets,omitempty"`
} }
// OIDCProvider describes the configuration of an OIDC provider. // OIDCProvider describes the configuration of an OIDC provider.

View File

@ -167,12 +167,14 @@ func startControllers(
"pinniped-oidc-provider-hmac-key-", "pinniped-oidc-provider-hmac-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
generator.SecretUsageTokenSigningKey,
func(oidcProviderIssuer string, symmetricKey []byte) { func(oidcProviderIssuer string, symmetricKey []byte) {
plog.Debug("setting hmac secret", "issuer", oidcProviderIssuer) plog.Debug("setting hmac secret", "issuer", oidcProviderIssuer)
secretCache.SetTokenHMACKey(oidcProviderIssuer, symmetricKey) secretCache.SetTokenHMACKey(oidcProviderIssuer, symmetricKey)
}, },
), ),
kubeClient, kubeClient,
pinnipedClient,
secretInformer, secretInformer,
opInformer, opInformer,
controllerlib.WithInformer, controllerlib.WithInformer,
@ -185,12 +187,14 @@ func startControllers(
"pinniped-oidc-provider-upstream-state-signature-key-", "pinniped-oidc-provider-upstream-state-signature-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
generator.SecretUsageStateSigningKey,
func(oidcProviderIssuer string, symmetricKey []byte) { func(oidcProviderIssuer string, symmetricKey []byte) {
plog.Debug("setting state signature key", "issuer", oidcProviderIssuer) plog.Debug("setting state signature key", "issuer", oidcProviderIssuer)
secretCache.SetStateEncoderHashKey(oidcProviderIssuer, symmetricKey) secretCache.SetStateEncoderHashKey(oidcProviderIssuer, symmetricKey)
}, },
), ),
kubeClient, kubeClient,
pinnipedClient,
secretInformer, secretInformer,
opInformer, opInformer,
controllerlib.WithInformer, controllerlib.WithInformer,
@ -203,12 +207,14 @@ func startControllers(
"pinniped-oidc-provider-upstream-state-encryption-key-", "pinniped-oidc-provider-upstream-state-encryption-key-",
cfg.Labels, cfg.Labels,
rand.Reader, rand.Reader,
generator.SecretUsageStateEncryptionKey,
func(oidcProviderIssuer string, symmetricKey []byte) { func(oidcProviderIssuer string, symmetricKey []byte) {
plog.Debug("setting state encryption key", "issuer", oidcProviderIssuer) plog.Debug("setting state encryption key", "issuer", oidcProviderIssuer)
secretCache.SetStateEncoderBlockKey(oidcProviderIssuer, symmetricKey) secretCache.SetStateEncoderBlockKey(oidcProviderIssuer, symmetricKey)
}, },
), ),
kubeClient, kubeClient,
pinnipedClient,
secretInformer, secretInformer,
opInformer, opInformer,
controllerlib.WithInformer, controllerlib.WithInformer,

View File

@ -81,17 +81,6 @@ spec:
status: status:
description: Status of the OIDC provider. description: Status of the OIDC provider.
properties: properties:
jwksSecret:
description: JWKSSecret holds the name of the secret in which this
OIDC Provider's signing/verification keys are stored. If it is empty,
then the signing/verification keys are either unknown or they don't
exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior last updated. It is a pointer to get around some undesirable behavior
@ -101,6 +90,51 @@ spec:
message: message:
description: Message provides human-readable details about the Status. description: Message provides human-readable details about the Status.
type: string type: string
secrets:
description: Secrets contains information about this OIDC Provider's
secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which
this OIDC Provider's signing/verification keys are stored. If
it is empty, then the signing/verification keys are either unknown
or they don't exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for encrypting state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
status: status:
description: Status holds an enum that describes the state of this description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure. OIDC Provider. Note that this Status can represent success or failure.

View File

@ -304,6 +304,26 @@ OIDCProvider describes the configuration of an OIDC provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidersecrets"]
==== OIDCProviderSecrets
OIDCProviderSecrets holds information about this OIDC Provider's secrets.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`jwks`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
| *`tokenSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing tokens is stored.
| *`stateSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing state parameters is stored.
| *`stateEncryptionKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for encrypting state parameters is stored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec"]
==== OIDCProviderSpec ==== OIDCProviderSpec
@ -339,7 +359,7 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure. | *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status. | *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811). | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist. | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidersecrets[$$OIDCProviderSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|=== |===

View File

@ -59,6 +59,30 @@ type OIDCProviderSpec struct {
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderSecrets holds information about this OIDC Provider's secrets.
type OIDCProviderSecrets struct {
// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
// stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional
JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing tokens is stored.
// +optional
TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing state parameters is stored.
// +optional
StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// encrypting state parameters is stored.
// +optional
StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
type OIDCProviderStatus struct { type OIDCProviderStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can // Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
@ -76,11 +100,9 @@ type OIDCProviderStatus struct {
// +optional // +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"` LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys // Secrets contains information about this OIDC Provider's secrets.
// are stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional // +optional
JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"` Secrets OIDCProviderSecrets `json:"secrets,omitempty"`
} }
// OIDCProvider describes the configuration of an OIDC provider. // OIDCProvider describes the configuration of an OIDC provider.

View File

@ -72,6 +72,26 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSecrets) DeepCopyInto(out *OIDCProviderSecrets) {
*out = *in
out.JWKS = in.JWKS
out.TokenSigningKey = in.TokenSigningKey
out.StateSigningKey = in.StateSigningKey
out.StateEncryptionKey = in.StateEncryptionKey
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSecrets.
func (in *OIDCProviderSecrets) DeepCopy() *OIDCProviderSecrets {
if in == nil {
return nil
}
out := new(OIDCProviderSecrets)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
@ -100,7 +120,7 @@ func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
in, out := &in.LastUpdateTime, &out.LastUpdateTime in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy() *out = (*in).DeepCopy()
} }
out.JWKSSecret = in.JWKSSecret out.Secrets = in.Secrets
return return
} }

View File

@ -81,17 +81,6 @@ spec:
status: status:
description: Status of the OIDC provider. description: Status of the OIDC provider.
properties: properties:
jwksSecret:
description: JWKSSecret holds the name of the secret in which this
OIDC Provider's signing/verification keys are stored. If it is empty,
then the signing/verification keys are either unknown or they don't
exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior last updated. It is a pointer to get around some undesirable behavior
@ -101,6 +90,51 @@ spec:
message: message:
description: Message provides human-readable details about the Status. description: Message provides human-readable details about the Status.
type: string type: string
secrets:
description: Secrets contains information about this OIDC Provider's
secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which
this OIDC Provider's signing/verification keys are stored. If
it is empty, then the signing/verification keys are either unknown
or they don't exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for encrypting state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
status: status:
description: Status holds an enum that describes the state of this description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure. OIDC Provider. Note that this Status can represent success or failure.

View File

@ -304,6 +304,26 @@ OIDCProvider describes the configuration of an OIDC provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidersecrets"]
==== OIDCProviderSecrets
OIDCProviderSecrets holds information about this OIDC Provider's secrets.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`jwks`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
| *`tokenSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing tokens is stored.
| *`stateSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing state parameters is stored.
| *`stateEncryptionKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for encrypting state parameters is stored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec"]
==== OIDCProviderSpec ==== OIDCProviderSpec
@ -339,7 +359,7 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure. | *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status. | *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811). | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist. | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidersecrets[$$OIDCProviderSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|=== |===

View File

@ -59,6 +59,30 @@ type OIDCProviderSpec struct {
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderSecrets holds information about this OIDC Provider's secrets.
type OIDCProviderSecrets struct {
// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
// stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional
JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing tokens is stored.
// +optional
TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing state parameters is stored.
// +optional
StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// encrypting state parameters is stored.
// +optional
StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
type OIDCProviderStatus struct { type OIDCProviderStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can // Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
@ -76,11 +100,9 @@ type OIDCProviderStatus struct {
// +optional // +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"` LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys // Secrets contains information about this OIDC Provider's secrets.
// are stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional // +optional
JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"` Secrets OIDCProviderSecrets `json:"secrets,omitempty"`
} }
// OIDCProvider describes the configuration of an OIDC provider. // OIDCProvider describes the configuration of an OIDC provider.

View File

@ -72,6 +72,26 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSecrets) DeepCopyInto(out *OIDCProviderSecrets) {
*out = *in
out.JWKS = in.JWKS
out.TokenSigningKey = in.TokenSigningKey
out.StateSigningKey = in.StateSigningKey
out.StateEncryptionKey = in.StateEncryptionKey
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSecrets.
func (in *OIDCProviderSecrets) DeepCopy() *OIDCProviderSecrets {
if in == nil {
return nil
}
out := new(OIDCProviderSecrets)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
@ -100,7 +120,7 @@ func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
in, out := &in.LastUpdateTime, &out.LastUpdateTime in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy() *out = (*in).DeepCopy()
} }
out.JWKSSecret = in.JWKSSecret out.Secrets = in.Secrets
return return
} }

View File

@ -81,17 +81,6 @@ spec:
status: status:
description: Status of the OIDC provider. description: Status of the OIDC provider.
properties: properties:
jwksSecret:
description: JWKSSecret holds the name of the secret in which this
OIDC Provider's signing/verification keys are stored. If it is empty,
then the signing/verification keys are either unknown or they don't
exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior last updated. It is a pointer to get around some undesirable behavior
@ -101,6 +90,51 @@ spec:
message: message:
description: Message provides human-readable details about the Status. description: Message provides human-readable details about the Status.
type: string type: string
secrets:
description: Secrets contains information about this OIDC Provider's
secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which
this OIDC Provider's signing/verification keys are stored. If
it is empty, then the signing/verification keys are either unknown
or they don't exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for encrypting state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
status: status:
description: Status holds an enum that describes the state of this description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure. OIDC Provider. Note that this Status can represent success or failure.

View File

@ -304,6 +304,26 @@ OIDCProvider describes the configuration of an OIDC provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidersecrets"]
==== OIDCProviderSecrets
OIDCProviderSecrets holds information about this OIDC Provider's secrets.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderstatus[$$OIDCProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`jwks`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
| *`tokenSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing tokens is stored.
| *`stateSigningKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing state parameters is stored.
| *`stateEncryptionKey`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for encrypting state parameters is stored.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec"]
==== OIDCProviderSpec ==== OIDCProviderSpec
@ -339,7 +359,7 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
| *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure. | *`status`* __OIDCProviderStatusCondition__ | Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
| *`message`* __string__ | Message provides human-readable details about the Status. | *`message`* __string__ | Message provides human-readable details about the Status.
| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811). | *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
| *`jwksSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist. | *`secrets`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidersecrets[$$OIDCProviderSecrets$$]__ | Secrets contains information about this OIDC Provider's secrets.
|=== |===

View File

@ -59,6 +59,30 @@ type OIDCProviderSpec struct {
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderSecrets holds information about this OIDC Provider's secrets.
type OIDCProviderSecrets struct {
// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
// stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional
JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing tokens is stored.
// +optional
TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing state parameters is stored.
// +optional
StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// encrypting state parameters is stored.
// +optional
StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
type OIDCProviderStatus struct { type OIDCProviderStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can // Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
@ -76,11 +100,9 @@ type OIDCProviderStatus struct {
// +optional // +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"` LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// JWKSSecret holds the name of the secret in which this OIDC Provider's signing/verification keys // Secrets contains information about this OIDC Provider's secrets.
// are stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional // +optional
JWKSSecret corev1.LocalObjectReference `json:"jwksSecret,omitempty"` Secrets OIDCProviderSecrets `json:"secrets,omitempty"`
} }
// OIDCProvider describes the configuration of an OIDC provider. // OIDCProvider describes the configuration of an OIDC provider.

View File

@ -72,6 +72,26 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
return nil return nil
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSecrets) DeepCopyInto(out *OIDCProviderSecrets) {
*out = *in
out.JWKS = in.JWKS
out.TokenSigningKey = in.TokenSigningKey
out.StateSigningKey = in.StateSigningKey
out.StateEncryptionKey = in.StateEncryptionKey
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderSecrets.
func (in *OIDCProviderSecrets) DeepCopy() *OIDCProviderSecrets {
if in == nil {
return nil
}
out := new(OIDCProviderSecrets)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
@ -100,7 +120,7 @@ func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus) {
in, out := &in.LastUpdateTime, &out.LastUpdateTime in, out := &in.LastUpdateTime, &out.LastUpdateTime
*out = (*in).DeepCopy() *out = (*in).DeepCopy()
} }
out.JWKSSecret = in.JWKSSecret out.Secrets = in.Secrets
return return
} }

View File

@ -81,17 +81,6 @@ spec:
status: status:
description: Status of the OIDC provider. description: Status of the OIDC provider.
properties: properties:
jwksSecret:
description: JWKSSecret holds the name of the secret in which this
OIDC Provider's signing/verification keys are stored. If it is empty,
then the signing/verification keys are either unknown or they don't
exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
lastUpdateTime: lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was description: LastUpdateTime holds the time at which the Status was
last updated. It is a pointer to get around some undesirable behavior last updated. It is a pointer to get around some undesirable behavior
@ -101,6 +90,51 @@ spec:
message: message:
description: Message provides human-readable details about the Status. description: Message provides human-readable details about the Status.
type: string type: string
secrets:
description: Secrets contains information about this OIDC Provider's
secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which
this OIDC Provider's signing/verification keys are stored. If
it is empty, then the signing/verification keys are either unknown
or they don't exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for encrypting state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing state parameters
is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
status: status:
description: Status holds an enum that describes the state of this description: Status holds an enum that describes the state of this
OIDC Provider. Note that this Status can represent success or failure. OIDC Provider. Note that this Status can represent success or failure.

View File

@ -27,11 +27,11 @@ func generateSymmetricKey() ([]byte, error) {
} }
func isValid(secret *corev1.Secret) bool { func isValid(secret *corev1.Secret) bool {
if secret.Type != SymmetricSecretType { if secret.Type != symmetricSecretType {
return false return false
} }
data, ok := secret.Data[SymmetricSecretDataKey] data, ok := secret.Data[symmetricSecretDataKey]
if !ok { if !ok {
return false return false
} }
@ -49,7 +49,7 @@ func secretDataFunc() (map[string][]byte, error) {
} }
return map[string][]byte{ return map[string][]byte{
SymmetricSecretDataKey: symmetricKey, symmetricSecretDataKey: symmetricKey,
}, nil }, nil
} }
@ -73,7 +73,7 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
}, },
Labels: labels, Labels: labels,
}, },
Type: SymmetricSecretType, Type: symmetricSecretType,
Data: secretData, Data: secretData,
}, nil }, nil
} }

View File

@ -6,6 +6,7 @@ package generator
import ( import (
"context" "context"
"fmt" "fmt"
"reflect"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors" k8serrors "k8s.io/apimachinery/pkg/api/errors"
@ -16,6 +17,7 @@ import (
"k8s.io/klog/v2" "k8s.io/klog/v2"
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1" configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
pinnipedcontroller "go.pinniped.dev/internal/controller" pinnipedcontroller "go.pinniped.dev/internal/controller"
"go.pinniped.dev/internal/controllerlib" "go.pinniped.dev/internal/controllerlib"
@ -25,6 +27,7 @@ import (
type oidcProviderSecretsController struct { type oidcProviderSecretsController struct {
secretHelper SecretHelper secretHelper SecretHelper
kubeClient kubernetes.Interface kubeClient kubernetes.Interface
pinnipedClient pinnipedclientset.Interface
opcInformer configinformers.OIDCProviderInformer opcInformer configinformers.OIDCProviderInformer
secretInformer corev1informers.SecretInformer secretInformer corev1informers.SecretInformer
} }
@ -35,6 +38,7 @@ type oidcProviderSecretsController struct {
func NewOIDCProviderSecretsController( func NewOIDCProviderSecretsController(
secretHelper SecretHelper, secretHelper SecretHelper,
kubeClient kubernetes.Interface, kubeClient kubernetes.Interface,
pinnipedClient pinnipedclientset.Interface,
secretInformer corev1informers.SecretInformer, secretInformer corev1informers.SecretInformer,
opcInformer configinformers.OIDCProviderInformer, opcInformer configinformers.OIDCProviderInformer,
withInformer pinnipedcontroller.WithInformerOptionFunc, withInformer pinnipedcontroller.WithInformerOptionFunc,
@ -45,6 +49,7 @@ func NewOIDCProviderSecretsController(
Syncer: &oidcProviderSecretsController{ Syncer: &oidcProviderSecretsController{
secretHelper: secretHelper, secretHelper: secretHelper,
kubeClient: kubeClient, kubeClient: kubeClient,
pinnipedClient: pinnipedClient,
secretInformer: secretInformer, secretInformer: secretInformer,
opcInformer: opcInformer, opcInformer: opcInformer,
}, },
@ -116,7 +121,13 @@ func (c *oidcProviderSecretsController) Sync(ctx controllerlib.Context) error {
"secret", "secret",
klog.KObj(existingSecret), klog.KObj(existingSecret),
) )
c.secretHelper.Notify(op, existingSecret)
op = c.secretHelper.ObserveActiveSecretAndUpdateParentOIDCProvider(op, existingSecret)
if err := c.updateOIDCProvider(ctx.Context, op); err != nil {
return fmt.Errorf("failed to update oidcprovider: %w", err)
}
plog.Debug("updated oidcprovider", "oidcprovider", klog.KObj(op), "secret", klog.KObj(newSecret))
return nil return nil
} }
@ -127,7 +138,11 @@ func (c *oidcProviderSecretsController) Sync(ctx controllerlib.Context) error {
} }
plog.Debug("created/updated secret", "oidcprovider", klog.KObj(op), "secret", klog.KObj(newSecret)) plog.Debug("created/updated secret", "oidcprovider", klog.KObj(op), "secret", klog.KObj(newSecret))
c.secretHelper.Notify(op, newSecret) op = c.secretHelper.ObserveActiveSecretAndUpdateParentOIDCProvider(op, newSecret)
if err := c.updateOIDCProvider(ctx.Context, op); err != nil {
return fmt.Errorf("failed to update oidcprovider: %w", err)
}
plog.Debug("updated oidcprovider", "oidcprovider", klog.KObj(op), "secret", klog.KObj(newSecret))
return nil return nil
} }
@ -195,3 +210,24 @@ func (c *oidcProviderSecretsController) createOrUpdateSecret(
return err return err
}) })
} }
func (c *oidcProviderSecretsController) updateOIDCProvider(
ctx context.Context,
newOP *configv1alpha1.OIDCProvider,
) error {
opcClient := c.pinnipedClient.ConfigV1alpha1().OIDCProviders(newOP.Namespace)
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
oldOP, err := opcClient.Get(ctx, newOP.Name, metav1.GetOptions{})
if err != nil {
return fmt.Errorf("failed to get oidcprovider %s/%s: %w", newOP.Namespace, newOP.Name, err)
}
if reflect.DeepEqual(newOP.Status.Secrets, oldOP.Status.Secrets) {
return nil
}
oldOP.Status.Secrets = newOP.Status.Secrets
_, err = opcClient.Update(ctx, oldOP, metav1.UpdateOptions{})
return err
})
}

View File

@ -158,6 +158,7 @@ func TestOIDCProviderControllerFilterSecret(t *testing.T) {
_ = NewOIDCProviderSecretsController( _ = NewOIDCProviderSecretsController(
secretHelper, secretHelper,
nil, // kubeClient, not needed nil, // kubeClient, not needed
nil, // pinnipedClient, not needed
secretInformer, secretInformer,
opcInformer, opcInformer,
withInformer.WithInformer, withInformer.WithInformer,
@ -216,6 +217,7 @@ func TestNewOIDCProviderSecretsControllerFilterOPC(t *testing.T) {
_ = NewOIDCProviderSecretsController( _ = NewOIDCProviderSecretsController(
secretHelper, secretHelper,
nil, // kubeClient, not needed nil, // kubeClient, not needed
nil, // pinnipedClient, not needed
secretInformer, secretInformer,
opcInformer, opcInformer,
withInformer.WithInformer, withInformer.WithInformer,
@ -291,6 +293,9 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
}, },
} }
goodOPWithStatus := goodOP.DeepCopy()
goodOPWithStatus.Status.Secrets.TokenSigningKey.Name = goodSecret.Name
invalidSecret := &corev1.Secret{ invalidSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: secretName, Name: secretName,
@ -309,26 +314,24 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
}, },
} }
once := sync.Once{}
tests := []struct { tests := []struct {
name string name string
storage func(**configv1alpha1.OIDCProvider, **corev1.Secret) storage func(**configv1alpha1.OIDCProvider, **corev1.Secret)
client func(*kubernetesfake.Clientset) client func(*pinnipedfake.Clientset, *kubernetesfake.Clientset)
secretHelper func(*mocksecrethelper.MockSecretHelper) secretHelper func(*mocksecrethelper.MockSecretHelper)
wantSecretActions []kubetesting.Action
wantOPActions []kubetesting.Action wantOPActions []kubetesting.Action
wantSecretActions []kubetesting.Action
wantError string wantError string
}{ }{
{ {
name: "OIDCProvider exists and secret does not exist", name: "OIDCProvider does not exist and secret does not exist",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) { storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*op = nil *op = nil
*s = nil *s = nil
}, },
}, },
{ {
name: "OIDCProvider exists and secret exists", name: "OIDCProvider does not exist and secret exists",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) { storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*op = nil *op = nil
}, },
@ -340,21 +343,17 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
}, },
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().Notify(goodOP, goodSecret).Times(1) secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
},
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
}, },
wantSecretActions: []kubetesting.Action{ wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name), kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
kubetesting.NewCreateAction(secretGVR, namespace, goodSecret), kubetesting.NewCreateAction(secretGVR, namespace, goodSecret),
}, },
}, },
{
name: "OIDCProvider exists and valid secret exists",
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(true)
secretHelper.EXPECT().Notify(goodOP, goodSecret).Times(1)
},
},
{ {
name: "OIDCProvider exists and invalid secret exists", name: "OIDCProvider exists and invalid secret exists",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) { storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
@ -363,7 +362,11 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(2).Return(false) secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(2).Return(false)
secretHelper.EXPECT().Notify(goodOP, goodSecret).Times(1) secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
},
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
}, },
wantSecretActions: []kubetesting.Action{ wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name), kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
@ -386,19 +389,23 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(otherSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(otherSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(false) secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(false)
secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(true) secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(true)
secretHelper.EXPECT().Notify(goodOP, goodSecret).Times(1) secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
},
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
}, },
wantSecretActions: []kubetesting.Action{ wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name), kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
}, },
}, },
{ {
name: "OIDCProvider exists and invalid secret exists and get fails", name: "OIDCProvider exists and invalid secret exists and getting secret fails",
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(false) secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(1).Return(false)
}, },
client: func(c *kubernetesfake.Clientset) { client: func(_ *pinnipedfake.Clientset, c *kubernetesfake.Clientset) {
c.PrependReactor("get", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) { c.PrependReactor("get", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, errors.New("some get error") return true, nil, errors.New("some get error")
}) })
@ -409,14 +416,14 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
wantError: fmt.Sprintf("failed to create or update secret: failed to get secret %s/%s: some get error", namespace, goodSecret.Name), wantError: fmt.Sprintf("failed to create or update secret: failed to get secret %s/%s: some get error", namespace, goodSecret.Name),
}, },
{ {
name: "OIDCProvider exists and secret does not exist and create fails", name: "OIDCProvider exists and secret does not exist and creating secret fails",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) { storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*s = nil *s = nil
}, },
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
}, },
client: func(c *kubernetesfake.Clientset) { client: func(_ *pinnipedfake.Clientset, c *kubernetesfake.Clientset) {
c.PrependReactor("create", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) { c.PrependReactor("create", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, errors.New("some create error") return true, nil, errors.New("some create error")
}) })
@ -428,12 +435,12 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
wantError: fmt.Sprintf("failed to create or update secret: failed to create secret %s/%s: some create error", namespace, goodSecret.Name), wantError: fmt.Sprintf("failed to create or update secret: failed to create secret %s/%s: some create error", namespace, goodSecret.Name),
}, },
{ {
name: "OIDCProvider exists and invalid secret exists and update fails", name: "OIDCProvider exists and invalid secret exists and updating secret fails",
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(2).Return(false) secretHelper.EXPECT().IsValid(goodOP, goodSecret).Times(2).Return(false)
}, },
client: func(c *kubernetesfake.Clientset) { client: func(_ *pinnipedfake.Clientset, c *kubernetesfake.Clientset) {
c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) { c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, errors.New("some update error") return true, nil, errors.New("some update error")
}) })
@ -445,22 +452,27 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
wantError: "failed to create or update secret: some update error", wantError: "failed to create or update secret: some update error",
}, },
{ {
name: "OIDCProvider exists and invalid secret exists and update fails due to conflict", name: "OIDCProvider exists and invalid secret exists and updating secret fails due to conflict",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) { storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*s = invalidSecret.DeepCopy() *s = invalidSecret.DeepCopy()
}, },
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) { secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil) secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(3).Return(false) secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(3).Return(false)
secretHelper.EXPECT().Notify(goodOP, goodSecret).Times(1) secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
}, },
client: func(c *kubernetesfake.Clientset) { client: func(_ *pinnipedfake.Clientset, c *kubernetesfake.Clientset) {
once := sync.Once{}
c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) { c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
var err error var err error
once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) }) once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
return true, nil, err return true, nil, err
}) })
}, },
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
},
wantSecretActions: []kubetesting.Action{ wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name), kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret), kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
@ -468,6 +480,59 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret), kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
}, },
}, },
{
name: "OIDCProvider exists and invalid secret exists and getting OIDCProvider fails",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*s = invalidSecret.DeepCopy()
},
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(2).Return(false)
secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
},
client: func(c *pinnipedfake.Clientset, _ *kubernetesfake.Clientset) {
c.PrependReactor("get", "oidcproviders", func(_ kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, errors.New("some get error")
})
},
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
},
wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
},
wantError: fmt.Sprintf("failed to update oidcprovider: failed to get oidcprovider %s/%s: some get error", goodOPWithStatus.Namespace, goodOPWithStatus.Name),
},
{
name: "OIDCProvider exists and invalid secret exists and updating OIDCProvider fails due to conflict",
storage: func(op **configv1alpha1.OIDCProvider, s **corev1.Secret) {
*s = invalidSecret.DeepCopy()
},
secretHelper: func(secretHelper *mocksecrethelper.MockSecretHelper) {
secretHelper.EXPECT().Generate(goodOP).Times(1).Return(goodSecret, nil)
secretHelper.EXPECT().IsValid(goodOP, invalidSecret).Times(2).Return(false)
secretHelper.EXPECT().ObserveActiveSecretAndUpdateParentOIDCProvider(goodOP, goodSecret).Times(1).Return(goodOPWithStatus)
},
client: func(c *pinnipedfake.Clientset, _ *kubernetesfake.Clientset) {
once := sync.Once{}
c.PrependReactor("update", "oidcproviders", func(_ kubetesting.Action) (bool, runtime.Object, error) {
var err error
once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
return true, nil, err
})
},
wantOPActions: []kubetesting.Action{
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
kubetesting.NewGetAction(opGVR, namespace, goodOP.Name),
kubetesting.NewUpdateAction(opGVR, namespace, goodOPWithStatus),
},
wantSecretActions: []kubetesting.Action{
kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
},
},
} }
for _, test := range tests { for _, test := range tests {
test := test test := test
@ -477,6 +542,7 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*3) ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
defer cancel() defer cancel()
pinnipedAPIClient := pinnipedfake.NewSimpleClientset()
pinnipedInformerClient := pinnipedfake.NewSimpleClientset() pinnipedInformerClient := pinnipedfake.NewSimpleClientset()
kubeAPIClient := kubernetesfake.NewSimpleClientset() kubeAPIClient := kubernetesfake.NewSimpleClientset()
@ -488,6 +554,7 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
test.storage(&op, &secret) test.storage(&op, &secret)
} }
if op != nil { if op != nil {
require.NoError(t, pinnipedAPIClient.Tracker().Add(op))
require.NoError(t, pinnipedInformerClient.Tracker().Add(op)) require.NoError(t, pinnipedInformerClient.Tracker().Add(op))
} }
if secret != nil { if secret != nil {
@ -496,7 +563,7 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
} }
if test.client != nil { if test.client != nil {
test.client(kubeAPIClient) test.client(pinnipedAPIClient, kubeAPIClient)
} }
kubeInformers := kubeinformers.NewSharedInformerFactory( kubeInformers := kubeinformers.NewSharedInformerFactory(
@ -519,6 +586,7 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
c := NewOIDCProviderSecretsController( c := NewOIDCProviderSecretsController(
secretHelper, secretHelper,
kubeAPIClient, kubeAPIClient,
pinnipedAPIClient,
kubeInformers.Core().V1().Secrets(), kubeInformers.Core().V1().Secrets(),
pinnipedInformers.Config().V1alpha1().OIDCProviders(), pinnipedInformers.Config().V1alpha1().OIDCProviders(),
controllerlib.WithInformer, controllerlib.WithInformer,
@ -542,6 +610,10 @@ func TestOIDCProviderSecretsControllerSync(t *testing.T) {
} }
require.NoError(t, err) require.NoError(t, err)
if test.wantOPActions == nil {
test.wantOPActions = []kubetesting.Action{}
}
require.Equal(t, test.wantOPActions, pinnipedAPIClient.Actions())
if test.wantSecretActions == nil { if test.wantSecretActions == nil {
test.wantSecretActions = []kubetesting.Action{} test.wantSecretActions = []kubetesting.Action{}
} }

View File

@ -12,6 +12,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
"go.pinniped.dev/internal/plog"
) )
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret // SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
@ -22,14 +23,14 @@ type SecretHelper interface {
NamePrefix() string NamePrefix() string
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error) Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret) ObserveActiveSecretAndUpdateParentOIDCProvider(*configv1alpha1.OIDCProvider, *corev1.Secret) *configv1alpha1.OIDCProvider
} }
const ( const (
// SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper. // symmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
SymmetricSecretType = "secrets.pinniped.dev/symmetric" symmetricSecretType = "secrets.pinniped.dev/symmetric"
// SymmetricSecretDataKey is the corev1.Secret.Data key for the symmetric key value generated by this helper. // symmetricSecretDataKey is the corev1.Secret.Data key for the symmetric key value generated by this helper.
SymmetricSecretDataKey = "key" symmetricSecretDataKey = "key"
// symmetricKeySize is the default length, in bytes, of generated keys. It is set to 32 since this // symmetricKeySize is the default length, in bytes, of generated keys. It is set to 32 since this
// seems like reasonable entropy for our keys, and a 32-byte key will allow for AES-256 // seems like reasonable entropy for our keys, and a 32-byte key will allow for AES-256
@ -37,18 +38,30 @@ const (
symmetricKeySize = 32 symmetricKeySize = 32
) )
// SecretUsage describes how a cryptographic secret is going to be used. It is currently used to
// indicate to a SecretHelper which status field to set on the parent OIDCProvider for a Secret.
type SecretUsage int
const (
SecretUsageTokenSigningKey SecretUsage = iota
SecretUsageStateSigningKey
SecretUsageStateEncryptionKey
)
// New returns a SecretHelper that has been parameterized with common symmetric secret generation // New returns a SecretHelper that has been parameterized with common symmetric secret generation
// knobs. // knobs.
func NewSymmetricSecretHelper( func NewSymmetricSecretHelper(
namePrefix string, namePrefix string,
labels map[string]string, labels map[string]string,
rand io.Reader, rand io.Reader,
secretUsage SecretUsage,
updateCacheFunc func(cacheKey string, cacheValue []byte), updateCacheFunc func(cacheKey string, cacheValue []byte),
) SecretHelper { ) SecretHelper {
return &symmetricSecretHelper{ return &symmetricSecretHelper{
namePrefix: namePrefix, namePrefix: namePrefix,
labels: labels, labels: labels,
rand: rand, rand: rand,
secretUsage: secretUsage,
updateCacheFunc: updateCacheFunc, updateCacheFunc: updateCacheFunc,
} }
} }
@ -57,6 +70,7 @@ type symmetricSecretHelper struct {
namePrefix string namePrefix string
labels map[string]string labels map[string]string
rand io.Reader rand io.Reader
secretUsage SecretUsage
updateCacheFunc func(cacheKey string, cacheValue []byte) updateCacheFunc func(cacheKey string, cacheValue []byte)
} }
@ -82,9 +96,9 @@ func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*
}), }),
}, },
}, },
Type: SymmetricSecretType, Type: symmetricSecretType,
Data: map[string][]byte{ Data: map[string][]byte{
SymmetricSecretDataKey: key, symmetricSecretDataKey: key,
}, },
}, nil }, nil
} }
@ -95,11 +109,11 @@ func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, sec
return false return false
} }
if secret.Type != SymmetricSecretType { if secret.Type != symmetricSecretType {
return false return false
} }
key, ok := secret.Data[SymmetricSecretDataKey] key, ok := secret.Data[symmetricSecretDataKey]
if !ok { if !ok {
return false return false
} }
@ -110,12 +124,28 @@ func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, sec
return true return true
} }
// Notify implements SecretHelper.Notify(). // ObserveActiveSecretAndUpdateParentOIDCProvider implements SecretHelper.ObserveActiveSecretAndUpdateParentOIDCProvider().
func (s *symmetricSecretHelper) Notify(op *configv1alpha1.OIDCProvider, secret *corev1.Secret) { func (s *symmetricSecretHelper) ObserveActiveSecretAndUpdateParentOIDCProvider(
op *configv1alpha1.OIDCProvider,
secret *corev1.Secret,
) *configv1alpha1.OIDCProvider {
var cacheKey string var cacheKey string
if op != nil { if op != nil {
cacheKey = op.Spec.Issuer cacheKey = op.Spec.Issuer
} }
s.updateCacheFunc(cacheKey, secret.Data[SymmetricSecretDataKey]) s.updateCacheFunc(cacheKey, secret.Data[symmetricSecretDataKey])
switch s.secretUsage {
case SecretUsageTokenSigningKey:
op.Status.Secrets.TokenSigningKey.Name = secret.Name
case SecretUsageStateSigningKey:
op.Status.Secrets.StateSigningKey.Name = secret.Name
case SecretUsageStateEncryptionKey:
op.Status.Secrets.StateEncryptionKey.Name = secret.Name
default:
plog.Warning("unknown secret usage enum value: %d", s.secretUsage)
}
return op
} }

View File

@ -17,57 +17,98 @@ import (
const keyWith32Bytes = "0123456789abcdef0123456789abcdef" const keyWith32Bytes = "0123456789abcdef0123456789abcdef"
func TestSymmetricSecretHHelper(t *testing.T) { func TestSymmetricSecretHelper(t *testing.T) {
labels := map[string]string{ t.Parallel()
"some-label-key-1": "some-label-value-1",
"some-label-key-2": "some-label-value-2",
}
randSource := strings.NewReader(keyWith32Bytes)
// var notifyParent *configv1alpha1.OIDCProvider
// var notifyChild *corev1.Secret
var oidcProviderIssuerValue string
var symmetricKeyValue []byte
h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(oidcProviderIssuer string, symmetricKey []byte) {
require.True(t, oidcProviderIssuer == "" && symmetricKeyValue == nil, "expected notify func not to have been called yet")
oidcProviderIssuerValue = oidcProviderIssuer
symmetricKeyValue = symmetricKey
})
parent := &configv1alpha1.OIDCProvider{ tests := []struct {
ObjectMeta: metav1.ObjectMeta{ name string
UID: "some-uid", secretUsage SecretUsage
Namespace: "some-namespace", wantSetOIDCProviderField func(*configv1alpha1.OIDCProvider) string
}, }{
} {
child, err := h.Generate(parent) name: "token signing key",
require.NoError(t, err) secretUsage: SecretUsageTokenSigningKey,
require.Equal(t, child, &corev1.Secret{ wantSetOIDCProviderField: func(op *configv1alpha1.OIDCProvider) string {
ObjectMeta: metav1.ObjectMeta{ return op.Status.Secrets.TokenSigningKey.Name
Name: "some-name-prefix-some-uid",
Namespace: "some-namespace",
Labels: labels,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(parent, schema.GroupVersionKind{
Group: configv1alpha1.SchemeGroupVersion.Group,
Version: configv1alpha1.SchemeGroupVersion.Version,
Kind: "OIDCProvider",
}),
}, },
}, },
Type: "secrets.pinniped.dev/symmetric", {
Data: map[string][]byte{ name: "state signing key",
"key": []byte(keyWith32Bytes), secretUsage: SecretUsageStateSigningKey,
wantSetOIDCProviderField: func(op *configv1alpha1.OIDCProvider) string {
return op.Status.Secrets.StateSigningKey.Name
},
}, },
}) {
name: "state encryption key",
secretUsage: SecretUsageStateEncryptionKey,
wantSetOIDCProviderField: func(op *configv1alpha1.OIDCProvider) string {
return op.Status.Secrets.StateEncryptionKey.Name
},
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
t.Parallel()
require.True(t, h.IsValid(parent, child)) labels := map[string]string{
"some-label-key-1": "some-label-value-1",
"some-label-key-2": "some-label-value-2",
}
randSource := strings.NewReader(keyWith32Bytes)
var oidcProviderIssuerValue string
var symmetricKeyValue []byte
h := NewSymmetricSecretHelper(
"some-name-prefix-",
labels,
randSource,
test.secretUsage,
func(oidcProviderIssuer string, symmetricKey []byte) {
require.True(t, oidcProviderIssuer == "" && symmetricKeyValue == nil, "expected notify func not to have been called yet")
oidcProviderIssuerValue = oidcProviderIssuer
symmetricKeyValue = symmetricKey
},
)
h.Notify(parent, child) parent := &configv1alpha1.OIDCProvider{
require.Equal(t, parent.Spec.Issuer, oidcProviderIssuerValue) ObjectMeta: metav1.ObjectMeta{
require.Equal(t, child.Data[SymmetricSecretDataKey], symmetricKeyValue) UID: "some-uid",
Namespace: "some-namespace",
},
}
child, err := h.Generate(parent)
require.NoError(t, err)
require.Equal(t, child, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "some-name-prefix-some-uid",
Namespace: "some-namespace",
Labels: labels,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(parent, schema.GroupVersionKind{
Group: configv1alpha1.SchemeGroupVersion.Group,
Version: configv1alpha1.SchemeGroupVersion.Version,
Kind: "OIDCProvider",
}),
},
},
Type: "secrets.pinniped.dev/symmetric",
Data: map[string][]byte{
"key": []byte(keyWith32Bytes),
},
})
require.True(t, h.IsValid(parent, child))
h.ObserveActiveSecretAndUpdateParentOIDCProvider(parent, child)
require.Equal(t, parent.Spec.Issuer, oidcProviderIssuerValue)
require.Equal(t, child.Name, test.wantSetOIDCProviderField(parent))
require.Equal(t, child.Data["key"], symmetricKeyValue)
})
}
} }
func TestSymmetricSecretHHelperIsValid(t *testing.T) { func TestSymmetricSecretHelperIsValid(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
child func(*corev1.Secret) child func(*corev1.Secret)
@ -117,7 +158,7 @@ func TestSymmetricSecretHHelperIsValid(t *testing.T) {
for _, test := range tests { for _, test := range tests {
test := test test := test
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
h := NewSymmetricSecretHelper("none of these args matter", nil, nil, nil) h := NewSymmetricSecretHelper("none of these args matter", nil, nil, SecretUsageTokenSigningKey, nil)
parent := &configv1alpha1.OIDCProvider{ parent := &configv1alpha1.OIDCProvider{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{

View File

@ -79,7 +79,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
secretNeedsUpdate := isNotFound || !isValid(secret) secretNeedsUpdate := isNotFound || !isValid(secret)
if !secretNeedsUpdate { if !secretNeedsUpdate {
plog.Debug("secret is up to date", "secret", klog.KObj(secret)) plog.Debug("secret is up to date", "secret", klog.KObj(secret))
c.setCacheFunc(secret.Data[SymmetricSecretDataKey]) c.setCacheFunc(secret.Data[symmetricSecretDataKey])
return nil return nil
} }
@ -97,7 +97,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err) return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
} }
c.setCacheFunc(newSecret.Data[SymmetricSecretDataKey]) c.setCacheFunc(newSecret.Data[symmetricSecretDataKey])
return nil return nil
} }

View File

@ -194,8 +194,8 @@ func TestSupervisorSecretsControllerInitialEvent(t *testing.T) {
initialEventOption.WithInitialEvent, initialEventOption.WithInitialEvent,
) )
require.Equal(t, &controllerlib.Key{ require.Equal(t, &controllerlib.Key{
owner.Namespace, Namespace: owner.Namespace,
owner.Name + "-key", Name: owner.Name + "-key",
}, initialEventOption.GetInitialEventKey()) }, initialEventOption.GetInitialEventKey())
} }

View File

@ -76,7 +76,7 @@ func (c *jwksObserverController) Sync(ctx controllerlib.Context) error {
issuerToActiveJWKMap := map[string]*jose.JSONWebKey{} issuerToActiveJWKMap := map[string]*jose.JSONWebKey{}
for _, provider := range allProviders { for _, provider := range allProviders {
secretRef := provider.Status.JWKSSecret secretRef := provider.Status.Secrets.JWKS
jwksSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretRef.Name) jwksSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretRef.Name)
if err != nil { if err != nil {
plog.Debug("jwksObserverController Sync could not find JWKS secret", "namespace", ns, "secretName", secretRef.Name) plog.Debug("jwksObserverController Sync could not find JWKS secret", "namespace", ns, "secretName", secretRef.Name)

View File

@ -202,7 +202,7 @@ func TestJWKSObserverControllerSync(t *testing.T) {
Namespace: installedInNamespace, Namespace: installedInNamespace,
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://no-secret-issuer1.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://no-secret-issuer1.com"},
Status: v1alpha1.OIDCProviderStatus{}, // no JWKSSecret field Status: v1alpha1.OIDCProviderStatus{}, // no Secrets.JWKS field
} }
oidcProviderWithoutSecret2 := &v1alpha1.OIDCProvider{ oidcProviderWithoutSecret2 := &v1alpha1.OIDCProvider{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -219,7 +219,9 @@ func TestJWKSObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-secret-issuer.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-secret-issuer.com"},
Status: v1alpha1.OIDCProviderStatus{ Status: v1alpha1.OIDCProviderStatus{
JWKSSecret: corev1.LocalObjectReference{Name: "bad-secret-name"}, Secrets: v1alpha1.OIDCProviderSecrets{
JWKS: corev1.LocalObjectReference{Name: "bad-secret-name"},
},
}, },
} }
oidcProviderWithBadJWKSSecret := &v1alpha1.OIDCProvider{ oidcProviderWithBadJWKSSecret := &v1alpha1.OIDCProvider{
@ -229,7 +231,9 @@ func TestJWKSObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-jwks-secret-issuer.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-jwks-secret-issuer.com"},
Status: v1alpha1.OIDCProviderStatus{ Status: v1alpha1.OIDCProviderStatus{
JWKSSecret: corev1.LocalObjectReference{Name: "bad-jwks-secret-name"}, Secrets: v1alpha1.OIDCProviderSecrets{
JWKS: corev1.LocalObjectReference{Name: "bad-jwks-secret-name"},
},
}, },
} }
oidcProviderWithBadActiveJWKSecret := &v1alpha1.OIDCProvider{ oidcProviderWithBadActiveJWKSecret := &v1alpha1.OIDCProvider{
@ -239,7 +243,9 @@ func TestJWKSObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-active-jwk-secret-issuer.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://bad-active-jwk-secret-issuer.com"},
Status: v1alpha1.OIDCProviderStatus{ Status: v1alpha1.OIDCProviderStatus{
JWKSSecret: corev1.LocalObjectReference{Name: "bad-active-jwk-secret-name"}, Secrets: v1alpha1.OIDCProviderSecrets{
JWKS: corev1.LocalObjectReference{Name: "bad-active-jwk-secret-name"},
},
}, },
} }
oidcProviderWithGoodSecret1 := &v1alpha1.OIDCProvider{ oidcProviderWithGoodSecret1 := &v1alpha1.OIDCProvider{
@ -249,7 +255,9 @@ func TestJWKSObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://issuer-with-good-secret1.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://issuer-with-good-secret1.com"},
Status: v1alpha1.OIDCProviderStatus{ Status: v1alpha1.OIDCProviderStatus{
JWKSSecret: corev1.LocalObjectReference{Name: "good-jwks-secret-name1"}, Secrets: v1alpha1.OIDCProviderSecrets{
JWKS: corev1.LocalObjectReference{Name: "good-jwks-secret-name1"},
},
}, },
} }
oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{ oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{
@ -259,7 +267,9 @@ func TestJWKSObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://issuer-with-good-secret2.com"}, Spec: v1alpha1.OIDCProviderSpec{Issuer: "https://issuer-with-good-secret2.com"},
Status: v1alpha1.OIDCProviderStatus{ Status: v1alpha1.OIDCProviderStatus{
JWKSSecret: corev1.LocalObjectReference{Name: "good-jwks-secret-name2"}, Secrets: v1alpha1.OIDCProviderSecrets{
JWKS: corev1.LocalObjectReference{Name: "good-jwks-secret-name2"},
},
}, },
} }
expectedJWK1 = string(readJWKJSON(t, "testdata/public-jwk.json")) expectedJWK1 = string(readJWKJSON(t, "testdata/public-jwk.json"))

View File

@ -169,7 +169,7 @@ func (c *jwksWriterController) Sync(ctx controllerlib.Context) error {
// Ensure that the OPC points to the secret. // Ensure that the OPC points to the secret.
newOPC := opc.DeepCopy() newOPC := opc.DeepCopy()
newOPC.Status.JWKSSecret.Name = secret.Name newOPC.Status.Secrets.JWKS.Name = secret.Name
if err := c.updateOPC(ctx.Context, newOPC); err != nil { if err := c.updateOPC(ctx.Context, newOPC); err != nil {
return fmt.Errorf("cannot update opc: %w", err) return fmt.Errorf("cannot update opc: %w", err)
} }
@ -179,13 +179,13 @@ func (c *jwksWriterController) Sync(ctx controllerlib.Context) error {
} }
func (c *jwksWriterController) secretNeedsUpdate(opc *configv1alpha1.OIDCProvider) (bool, error) { func (c *jwksWriterController) secretNeedsUpdate(opc *configv1alpha1.OIDCProvider) (bool, error) {
if opc.Status.JWKSSecret.Name == "" { if opc.Status.Secrets.JWKS.Name == "" {
// If the OPC says it doesn't have a secret associated with it, then let's create one. // If the OPC says it doesn't have a secret associated with it, then let's create one.
return true, nil return true, nil
} }
// This OPC says it has a secret associated with it. Let's try to get it from the cache. // This OPC says it has a secret associated with it. Let's try to get it from the cache.
secret, err := c.secretInformer.Lister().Secrets(opc.Namespace).Get(opc.Status.JWKSSecret.Name) secret, err := c.secretInformer.Lister().Secrets(opc.Namespace).Get(opc.Status.Secrets.JWKS.Name)
notFound := k8serrors.IsNotFound(err) notFound := k8serrors.IsNotFound(err)
if err != nil && !notFound { if err != nil && !notFound {
return false, fmt.Errorf("cannot get secret: %w", err) return false, fmt.Errorf("cannot get secret: %w", err)
@ -301,12 +301,12 @@ func (c *jwksWriterController) updateOPC(
return fmt.Errorf("cannot get opc: %w", err) return fmt.Errorf("cannot get opc: %w", err)
} }
if newOPC.Status.JWKSSecret.Name == oldOPC.Status.JWKSSecret.Name { if newOPC.Status.Secrets.JWKS.Name == oldOPC.Status.Secrets.JWKS.Name {
// If the existing OPC is up to date, we don't need to update it. // If the existing OPC is up to date, we don't need to update it.
return nil return nil
} }
oldOPC.Status.JWKSSecret.Name = newOPC.Status.JWKSSecret.Name oldOPC.Status.Secrets.JWKS.Name = newOPC.Status.Secrets.JWKS.Name
_, err = opcClient.Update(ctx, oldOPC, metav1.UpdateOptions{}) _, err = opcClient.Update(ctx, oldOPC, metav1.UpdateOptions{})
return err return err
}) })

View File

@ -253,7 +253,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
}, },
} }
goodOPCWithStatus := goodOPC.DeepCopy() goodOPCWithStatus := goodOPC.DeepCopy()
goodOPCWithStatus.Status.JWKSSecret.Name = goodOPCWithStatus.Name + "-jwks" goodOPCWithStatus.Status.Secrets.JWKS.Name = goodOPCWithStatus.Name + "-jwks"
secretGVR := schema.GroupVersionResource{ secretGVR := schema.GroupVersionResource{
Group: corev1.SchemeGroupVersion.Group, Group: corev1.SchemeGroupVersion.Group,
@ -264,7 +264,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
newSecret := func(activeJWKPath, jwksPath string) *corev1.Secret { newSecret := func(activeJWKPath, jwksPath string) *corev1.Secret {
s := corev1.Secret{ s := corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: goodOPCWithStatus.Status.JWKSSecret.Name, Name: goodOPCWithStatus.Status.Secrets.JWKS.Name,
Namespace: namespace, Namespace: namespace,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",

View File

@ -81,14 +81,16 @@ func (mr *MockSecretHelperMockRecorder) NamePrefix() *gomock.Call {
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamePrefix", reflect.TypeOf((*MockSecretHelper)(nil).NamePrefix)) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NamePrefix", reflect.TypeOf((*MockSecretHelper)(nil).NamePrefix))
} }
// Notify mocks base method // ObserveActiveSecretAndUpdateParentOIDCProvider mocks base method
func (m *MockSecretHelper) Notify(arg0 *v1alpha1.OIDCProvider, arg1 *v1.Secret) { func (m *MockSecretHelper) ObserveActiveSecretAndUpdateParentOIDCProvider(arg0 *v1alpha1.OIDCProvider, arg1 *v1.Secret) *v1alpha1.OIDCProvider {
m.ctrl.T.Helper() m.ctrl.T.Helper()
m.ctrl.Call(m, "Notify", arg0, arg1) ret := m.ctrl.Call(m, "ObserveActiveSecretAndUpdateParentOIDCProvider", arg0, arg1)
ret0, _ := ret[0].(*v1alpha1.OIDCProvider)
return ret0
} }
// Notify indicates an expected call of Notify // ObserveActiveSecretAndUpdateParentOIDCProvider indicates an expected call of ObserveActiveSecretAndUpdateParentOIDCProvider
func (mr *MockSecretHelperMockRecorder) Notify(arg0, arg1 interface{}) *gomock.Call { func (mr *MockSecretHelperMockRecorder) ObserveActiveSecretAndUpdateParentOIDCProvider(arg0, arg1 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper() mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Notify", reflect.TypeOf((*MockSecretHelper)(nil).Notify), arg0, arg1) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ObserveActiveSecretAndUpdateParentOIDCProvider", reflect.TypeOf((*MockSecretHelper)(nil).ObserveActiveSecretAndUpdateParentOIDCProvider), arg0, arg1)
} }

View File

@ -45,28 +45,28 @@ func TestSupervisorSecrets(t *testing.T) {
{ {
name: "jwks", name: "jwks",
secretName: func(op *configv1alpha1.OIDCProvider) string { secretName: func(op *configv1alpha1.OIDCProvider) string {
return op.Status.JWKSSecret.Name return op.Status.Secrets.JWKS.Name
}, },
ensureValid: ensureValidJWKS, ensureValid: ensureValidJWKS,
}, },
{ {
name: "hmac signing secret", name: "hmac signing secret",
secretName: func(op *configv1alpha1.OIDCProvider) string { secretName: func(op *configv1alpha1.OIDCProvider) string {
return "pinniped-oidc-provider-hmac-key-" + string(op.UID) return op.Status.Secrets.TokenSigningKey.Name
}, },
ensureValid: ensureValidSymmetricKey, ensureValid: ensureValidSymmetricKey,
}, },
{ {
name: "state signature secret", name: "state signature secret",
secretName: func(op *configv1alpha1.OIDCProvider) string { secretName: func(op *configv1alpha1.OIDCProvider) string {
return "pinniped-oidc-provider-upstream-state-signature-key-" + string(op.UID) return op.Status.Secrets.StateSigningKey.Name
}, },
ensureValid: ensureValidSymmetricKey, ensureValid: ensureValidSymmetricKey,
}, },
{ {
name: "state encryption secret", name: "state encryption secret",
secretName: func(op *configv1alpha1.OIDCProvider) string { secretName: func(op *configv1alpha1.OIDCProvider) string {
return "pinniped-oidc-provider-upstream-state-encryption-key-" + string(op.UID) return op.Status.Secrets.StateEncryptionKey.Name
}, },
ensureValid: ensureValidSymmetricKey, ensureValid: ensureValidSymmetricKey,
}, },