Declare war on namespaces

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-02-09 13:59:32 -05:00
parent d2480e6300
commit 89b00e3702
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
34 changed files with 207 additions and 304 deletions

View File

@ -22,3 +22,9 @@ func mustMarkHidden(cmd *cobra.Command, flags ...string) {
} }
} }
} }
func mustMarkDeprecated(cmd *cobra.Command, flag, usageMessage string) {
if err := cmd.Flags().MarkDeprecated(flag, usageMessage); err != nil {
panic(err)
}
}

View File

@ -74,7 +74,6 @@ type getKubeconfigOIDCParams struct {
type getKubeconfigConciergeParams struct { type getKubeconfigConciergeParams struct {
disabled bool disabled bool
namespace string
authenticatorName string authenticatorName string
authenticatorType string authenticatorType string
apiGroupSuffix string apiGroupSuffix string
@ -91,13 +90,14 @@ type getKubeconfigParams struct {
func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command { func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
var ( var (
cmd = cobra.Command{ cmd = &cobra.Command{
Args: cobra.NoArgs, Args: cobra.NoArgs,
Use: "kubeconfig", Use: "kubeconfig",
Short: "Generate a Pinniped-based kubeconfig for a cluster", Short: "Generate a Pinniped-based kubeconfig for a cluster",
SilenceUsage: true, SilenceUsage: true,
} }
flags getKubeconfigParams flags getKubeconfigParams
namespace string // unused now
) )
f := cmd.Flags() f := cmd.Flags()
@ -105,7 +105,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment") f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment")
f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly") f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly")
f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)") f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)") f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
@ -122,10 +122,13 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file") f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)") f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
mustMarkHidden(&cmd, "oidc-debug-session-cache") mustMarkHidden(cmd, "oidc-debug-session-cache")
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runGetKubeconfig(cmd.OutOrStdout(), deps, flags) } cmd.RunE = func(cmd *cobra.Command, args []string) error { return runGetKubeconfig(cmd.OutOrStdout(), deps, flags) }
return &cmd return cmd
} }
//nolint:funlen //nolint:funlen
@ -170,7 +173,6 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
if !flags.concierge.disabled { if !flags.concierge.disabled {
authenticator, err := lookupAuthenticator( authenticator, err := lookupAuthenticator(
clientset, clientset,
flags.concierge.namespace,
flags.concierge.authenticatorType, flags.concierge.authenticatorType,
flags.concierge.authenticatorName, flags.concierge.authenticatorName,
) )
@ -260,7 +262,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
if *oidcCABundle == "" && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" { if *oidcCABundle == "" && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" {
decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData) decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData)
if err != nil { if err != nil {
return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s/%s has invalid spec.tls.certificateAuthorityData: %w", auth.Namespace, auth.Name, err) return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err)
} }
*oidcCABundle = string(decoded) *oidcCABundle = string(decoded)
} }
@ -270,7 +272,6 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
execConfig.Args = append(execConfig.Args, execConfig.Args = append(execConfig.Args,
"--enable-concierge", "--enable-concierge",
"--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix, "--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix,
"--concierge-namespace="+flags.concierge.namespace,
"--concierge-authenticator-name="+flags.concierge.authenticatorName, "--concierge-authenticator-name="+flags.concierge.authenticatorName,
"--concierge-authenticator-type="+flags.concierge.authenticatorType, "--concierge-authenticator-type="+flags.concierge.authenticatorType,
"--concierge-endpoint="+v1Cluster.Server, "--concierge-endpoint="+v1Cluster.Server,
@ -306,7 +307,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
} }
} }
func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, authType, authName string) (metav1.Object, error) { func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string) (metav1.Object, error) {
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20) ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
defer cancelFunc() defer cancelFunc()
@ -314,9 +315,9 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
if authName != "" && authType != "" { if authName != "" && authType != "" {
switch strings.ToLower(authType) { switch strings.ToLower(authType) {
case "webhook": case "webhook":
return clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{}) return clientset.AuthenticationV1alpha1().WebhookAuthenticators().Get(ctx, authName, metav1.GetOptions{})
case "jwt": case "jwt":
return clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{}) return clientset.AuthenticationV1alpha1().JWTAuthenticators().Get(ctx, authName, metav1.GetOptions{})
default: default:
return nil, fmt.Errorf(`invalid authenticator type %q, supported values are "webhook" and "jwt"`, authType) return nil, fmt.Errorf(`invalid authenticator type %q, supported values are "webhook" and "jwt"`, authType)
} }
@ -324,11 +325,11 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
// Otherwise list all the available authenticators and hope there's just a single one. // Otherwise list all the available authenticators and hope there's just a single one.
jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).List(ctx, metav1.ListOptions{}) jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators().List(ctx, metav1.ListOptions{})
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to list JWTAuthenticator objects for autodiscovery: %w", err) return nil, fmt.Errorf("failed to list JWTAuthenticator objects for autodiscovery: %w", err)
} }
webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{}) webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators().List(ctx, metav1.ListOptions{})
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to list WebhookAuthenticator objects for autodiscovery: %w", err) return nil, fmt.Errorf("failed to list WebhookAuthenticator objects for autodiscovery: %w", err)
} }
@ -341,10 +342,10 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth
results = append(results, &webhooks.Items[i]) results = append(results, &webhooks.Items[i])
} }
if len(results) == 0 { if len(results) == 0 {
return nil, fmt.Errorf("no authenticators were found in namespace %q (try setting --concierge-namespace)", namespace) return nil, fmt.Errorf("no authenticators were found")
} }
if len(results) > 1 { if len(results) > 1 {
return nil, fmt.Errorf("multiple authenticators were found in namespace %q, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified", namespace) return nil, fmt.Errorf("multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified")
} }
return results[0], nil return results[0], nil
} }

View File

@ -61,7 +61,6 @@ func TestGetKubeconfig(t *testing.T) {
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev") --concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover) --concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover) --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
-h, --help help for kubeconfig -h, --help help for kubeconfig
--kubeconfig string Path to kubeconfig file --kubeconfig string Path to kubeconfig file
--kubeconfig-context string Kubeconfig context name (default: current active context) --kubeconfig-context string Kubeconfig context name (default: current active context)
@ -210,34 +209,32 @@ func TestGetKubeconfig(t *testing.T) {
}, },
wantError: true, wantError: true,
wantStderr: here.Doc(` wantStderr: here.Doc(`
Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace) Error: no authenticators were found
`), `),
}, },
{ {
name: "fail to autodetect authenticator, multiple found", name: "fail to autodetect authenticator, multiple found",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1", Namespace: "test-namespace"}}, &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
&conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2", Namespace: "test-namespace"}}, &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
}, },
wantError: true, wantError: true,
wantStderr: here.Doc(` wantStderr: here.Doc(`
Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
`), `),
}, },
{ {
name: "autodetect webhook authenticator, missing --oidc-issuer", name: "autodetect webhook authenticator, missing --oidc-issuer",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
}, },
wantError: true, wantError: true,
wantStderr: here.Doc(` wantStderr: here.Doc(`
@ -248,11 +245,10 @@ func TestGetKubeconfig(t *testing.T) {
name: "autodetect JWT authenticator, invalid TLS bundle", name: "autodetect JWT authenticator, invalid TLS bundle",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.JWTAuthenticator{ &conciergev1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}, ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
Spec: conciergev1alpha1.JWTAuthenticatorSpec{ Spec: conciergev1alpha1.JWTAuthenticatorSpec{
TLS: &conciergev1alpha1.TLSSpec{ TLS: &conciergev1alpha1.TLSSpec{
CertificateAuthorityData: "invalid-base64", CertificateAuthorityData: "invalid-base64",
@ -262,19 +258,18 @@ func TestGetKubeconfig(t *testing.T) {
}, },
wantError: true, wantError: true,
wantStderr: here.Doc(` wantStderr: here.Doc(`
Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7 Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
`), `),
}, },
{ {
name: "invalid static token flags", name: "invalid static token flags",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
"--static-token", "test-token", "--static-token", "test-token",
"--static-token-env", "TEST_TOKEN", "--static-token-env", "TEST_TOKEN",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
}, },
wantError: true, wantError: true,
wantStderr: here.Doc(` wantStderr: here.Doc(`
@ -295,11 +290,10 @@ func TestGetKubeconfig(t *testing.T) {
name: "valid static token", name: "valid static token",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
"--static-token", "test-token", "--static-token", "test-token",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
}, },
wantStdout: here.Doc(` wantStdout: here.Doc(`
apiVersion: v1 apiVersion: v1
@ -326,7 +320,6 @@ func TestGetKubeconfig(t *testing.T) {
- static - static
- --enable-concierge - --enable-concierge
- --concierge-api-group-suffix=pinniped.dev - --concierge-api-group-suffix=pinniped.dev
- --concierge-namespace=test-namespace
- --concierge-authenticator-name=test-authenticator - --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=webhook - --concierge-authenticator-type=webhook
- --concierge-endpoint=https://fake-server-url-value - --concierge-endpoint=https://fake-server-url-value
@ -341,11 +334,10 @@ func TestGetKubeconfig(t *testing.T) {
name: "valid static token from env var", name: "valid static token from env var",
args: []string{ args: []string{
"--kubeconfig", "./testdata/kubeconfig.yaml", "--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-namespace", "test-namespace",
"--static-token-env", "TEST_TOKEN", "--static-token-env", "TEST_TOKEN",
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
}, },
wantStdout: here.Doc(` wantStdout: here.Doc(`
apiVersion: v1 apiVersion: v1
@ -372,7 +364,6 @@ func TestGetKubeconfig(t *testing.T) {
- static - static
- --enable-concierge - --enable-concierge
- --concierge-api-group-suffix=pinniped.dev - --concierge-api-group-suffix=pinniped.dev
- --concierge-namespace=test-namespace
- --concierge-authenticator-name=test-authenticator - --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=webhook - --concierge-authenticator-type=webhook
- --concierge-endpoint=https://fake-server-url-value - --concierge-endpoint=https://fake-server-url-value
@ -390,7 +381,7 @@ func TestGetKubeconfig(t *testing.T) {
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.JWTAuthenticator{ &conciergev1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"}, ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
Spec: conciergev1alpha1.JWTAuthenticatorSpec{ Spec: conciergev1alpha1.JWTAuthenticatorSpec{
Issuer: "https://example.com/issuer", Issuer: "https://example.com/issuer",
Audience: "test-audience", Audience: "test-audience",
@ -425,7 +416,6 @@ func TestGetKubeconfig(t *testing.T) {
- oidc - oidc
- --enable-concierge - --enable-concierge
- --concierge-api-group-suffix=pinniped.dev - --concierge-api-group-suffix=pinniped.dev
- --concierge-namespace=pinniped-concierge
- --concierge-authenticator-name=test-authenticator - --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=jwt - --concierge-authenticator-type=jwt
- --concierge-endpoint=https://fake-server-url-value - --concierge-endpoint=https://fake-server-url-value
@ -457,7 +447,7 @@ func TestGetKubeconfig(t *testing.T) {
}, },
conciergeObjects: []runtime.Object{ conciergeObjects: []runtime.Object{
&conciergev1alpha1.WebhookAuthenticator{ &conciergev1alpha1.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"}, ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
}, },
}, },
wantStdout: here.Docf(` wantStdout: here.Docf(`
@ -485,7 +475,6 @@ func TestGetKubeconfig(t *testing.T) {
- oidc - oidc
- --enable-concierge - --enable-concierge
- --concierge-api-group-suffix=tuna.io - --concierge-api-group-suffix=tuna.io
- --concierge-namespace=pinniped-concierge
- --concierge-authenticator-name=test-authenticator - --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=webhook - --concierge-authenticator-type=webhook
- --concierge-endpoint=https://fake-server-url-value - --concierge-endpoint=https://fake-server-url-value

View File

@ -59,7 +59,6 @@ type oidcLoginFlags struct {
debugSessionCache bool debugSessionCache bool
requestAudience string requestAudience string
conciergeEnabled bool conciergeEnabled bool
conciergeNamespace string
conciergeAuthenticatorType string conciergeAuthenticatorType string
conciergeAuthenticatorName string conciergeAuthenticatorName string
conciergeEndpoint string conciergeEndpoint string
@ -69,13 +68,14 @@ type oidcLoginFlags struct {
func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command { func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
var ( var (
cmd = cobra.Command{ cmd = &cobra.Command{
Args: cobra.NoArgs, Args: cobra.NoArgs,
Use: "oidc --issuer ISSUER", Use: "oidc --issuer ISSUER",
Short: "Login using an OpenID Connect provider", Short: "Login using an OpenID Connect provider",
SilenceUsage: true, SilenceUsage: true,
} }
flags oidcLoginFlags flags oidcLoginFlags
conciergeNamespace string // unused now
) )
cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL") cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL")
cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID") cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID")
@ -88,17 +88,21 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
cmd.Flags().BoolVar(&flags.debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache") cmd.Flags().BoolVar(&flags.debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache")
cmd.Flags().StringVar(&flags.requestAudience, "request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange") cmd.Flags().StringVar(&flags.requestAudience, "request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the OIDC ID token with the Pinniped concierge during login") cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the OIDC ID token with the Pinniped concierge during login")
cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')") cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name") cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint") cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge") cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
mustMarkHidden(&cmd, "debug-session-cache") mustMarkHidden(cmd, "debug-session-cache")
mustMarkRequired(&cmd, "issuer") mustMarkRequired(cmd, "issuer")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) } cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) }
return &cmd
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
return cmd
} }
func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error { func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error {
@ -133,7 +137,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
if flags.conciergeEnabled { if flags.conciergeEnabled {
var err error var err error
concierge, err = conciergeclient.New( concierge, err = conciergeclient.New(
conciergeclient.WithNamespace(flags.conciergeNamespace),
conciergeclient.WithEndpoint(flags.conciergeEndpoint), conciergeclient.WithEndpoint(flags.conciergeEndpoint),
conciergeclient.WithBase64CABundle(flags.conciergeCABundle), conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName), conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),

View File

@ -65,7 +65,6 @@ func TestLoginOIDCCommand(t *testing.T) {
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge --concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
--concierge-endpoint string API base for the Pinniped concierge endpoint --concierge-endpoint string API base for the Pinniped concierge endpoint
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
--enable-concierge Exchange the OIDC ID token with the Pinniped concierge during login --enable-concierge Exchange the OIDC ID token with the Pinniped concierge during login
-h, --help help for oidc -h, --help help for oidc
--issuer string OpenID Connect issuer URL --issuer string OpenID Connect issuer URL
@ -186,7 +185,6 @@ func TestLoginOIDCCommand(t *testing.T) {
"--ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()), "--ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
"--ca-bundle", testCABundlePath, "--ca-bundle", testCABundlePath,
"--enable-concierge", "--enable-concierge",
"--concierge-namespace", "test-namespace",
"--concierge-authenticator-type", "webhook", "--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", "test-authenticator", "--concierge-authenticator-name", "test-authenticator",
"--concierge-endpoint", "https://127.0.0.1:1234/", "--concierge-endpoint", "https://127.0.0.1:1234/",

View File

@ -41,7 +41,6 @@ type staticLoginParams struct {
staticToken string staticToken string
staticTokenEnvName string staticTokenEnvName string
conciergeEnabled bool conciergeEnabled bool
conciergeNamespace string
conciergeAuthenticatorType string conciergeAuthenticatorType string
conciergeAuthenticatorName string conciergeAuthenticatorName string
conciergeEndpoint string conciergeEndpoint string
@ -51,25 +50,30 @@ type staticLoginParams struct {
func staticLoginCommand(deps staticLoginDeps) *cobra.Command { func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
var ( var (
cmd = cobra.Command{ cmd = &cobra.Command{
Args: cobra.NoArgs, Args: cobra.NoArgs,
Use: "static [--token TOKEN] [--token-env TOKEN_NAME]", Use: "static [--token TOKEN] [--token-env TOKEN_NAME]",
Short: "Login using a static token", Short: "Login using a static token",
SilenceUsage: true, SilenceUsage: true,
} }
flags staticLoginParams flags staticLoginParams
conciergeNamespace string // unused now
) )
cmd.Flags().StringVar(&flags.staticToken, "token", "", "Static token to present during login") cmd.Flags().StringVar(&flags.staticToken, "token", "", "Static token to present during login")
cmd.Flags().StringVar(&flags.staticTokenEnvName, "token-env", "", "Environment variable containing a static token") cmd.Flags().StringVar(&flags.staticTokenEnvName, "token-env", "", "Environment variable containing a static token")
cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the token with the Pinniped concierge during login") cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the token with the Pinniped concierge during login")
cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')") cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')")
cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name") cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name")
cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint") cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge") cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge")
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) } cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
return &cmd
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
return cmd
} }
func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error { func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error {
@ -81,7 +85,6 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
if flags.conciergeEnabled { if flags.conciergeEnabled {
var err error var err error
concierge, err = conciergeclient.New( concierge, err = conciergeclient.New(
conciergeclient.WithNamespace(flags.conciergeNamespace),
conciergeclient.WithEndpoint(flags.conciergeEndpoint), conciergeclient.WithEndpoint(flags.conciergeEndpoint),
conciergeclient.WithBase64CABundle(flags.conciergeCABundle), conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName), conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),

View File

@ -56,7 +56,6 @@ func TestLoginStaticCommand(t *testing.T) {
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt')
--concierge-ca-bundle-data string CA bundle to use when connecting to the concierge --concierge-ca-bundle-data string CA bundle to use when connecting to the concierge
--concierge-endpoint string API base for the Pinniped concierge endpoint --concierge-endpoint string API base for the Pinniped concierge endpoint
--concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge")
--enable-concierge Exchange the token with the Pinniped concierge during login --enable-concierge Exchange the token with the Pinniped concierge during login
-h, --help help for static -h, --help help for static
--token string Static token to present during login --token string Static token to present during login

View File

@ -31,6 +31,14 @@ rules:
resources: [ securitycontextconstraints ] resources: [ securitycontextconstraints ]
verbs: [ use ] verbs: [ use ]
resourceNames: [ nonroot ] resourceNames: [ nonroot ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
resources: [ credentialissuers ]
verbs: [ get, list, watch, create, update ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
resources: [ jwtauthenticators, webhookauthenticators ]
verbs: [ get, list, watch ]
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -69,11 +77,6 @@ rules:
- apiGroups: [ "" ] - apiGroups: [ "" ]
resources: [ pods/exec ] resources: [ pods/exec ]
verbs: [ create ] verbs: [ create ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
resources: [ "*" ]
verbs: [ create, get, list, update, watch ]
- apiGroups: [apps] - apiGroups: [apps]
resources: [replicasets,deployments] resources: [replicasets,deployments]
verbs: [get] verbs: [get]

View File

@ -88,7 +88,7 @@ type controller struct {
// Sync implements controllerlib.Syncer. // Sync implements controllerlib.Syncer.
func (c *controller) Sync(ctx controllerlib.Context) error { func (c *controller) Sync(ctx controllerlib.Context) error {
obj, err := c.jwtAuthenticators.Lister().JWTAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name) obj, err := c.jwtAuthenticators.Lister().Get(ctx.Key.Name)
if err != nil && errors.IsNotFound(err) { if err != nil && errors.IsNotFound(err) {
c.log.Info("Sync() found that the JWTAuthenticator does not exist yet or was deleted") c.log.Info("Sync() found that the JWTAuthenticator does not exist yet or was deleted")
return nil return nil

View File

@ -135,43 +135,41 @@ func TestController(t *testing.T) {
}{ }{
{ {
name: "not found", name: "not found",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="Sync() found that the JWTAuthenticator does not exist yet or was deleted"`, `jwtcachefiller-controller "level"=0 "msg"="Sync() found that the JWTAuthenticator does not exist yet or was deleted"`,
}, },
}, },
{ {
name: "valid jwt authenticator with CA", name: "valid jwt authenticator with CA",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpec, Spec: *someJWTAuthenticatorSpec,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
runTestsOnResultingAuthenticator: true, runTestsOnResultingAuthenticator: true,
}, },
{ {
name: "valid jwt authenticator with custom username claim", name: "valid jwt authenticator with custom username claim",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpecWithUsernameClaim, Spec: *someJWTAuthenticatorSpecWithUsernameClaim,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username, wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username,
@ -179,18 +177,17 @@ func TestController(t *testing.T) {
}, },
{ {
name: "valid jwt authenticator with custom groups claim", name: "valid jwt authenticator with custom groups claim",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpecWithGroupsClaim, Spec: *someJWTAuthenticatorSpecWithGroupsClaim,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups, wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups,
@ -202,7 +199,6 @@ func TestController(t *testing.T) {
cache.Store( cache.Store(
authncache.Key{ authncache.Key{
Name: "test-name", Name: "test-name",
Namespace: "test-namespace",
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
APIGroup: auth1alpha1.SchemeGroupVersion.Group, APIGroup: auth1alpha1.SchemeGroupVersion.Group,
}, },
@ -210,18 +206,17 @@ func TestController(t *testing.T) {
) )
}, },
wantClose: true, wantClose: true,
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpec, Spec: *someJWTAuthenticatorSpec,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
runTestsOnResultingAuthenticator: true, runTestsOnResultingAuthenticator: true,
@ -232,7 +227,6 @@ func TestController(t *testing.T) {
cache.Store( cache.Store(
authncache.Key{ authncache.Key{
Name: "test-name", Name: "test-name",
Namespace: "test-namespace",
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
APIGroup: auth1alpha1.SchemeGroupVersion.Group, APIGroup: auth1alpha1.SchemeGroupVersion.Group,
}, },
@ -240,18 +234,17 @@ func TestController(t *testing.T) {
) )
}, },
wantClose: false, wantClose: false,
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpec, Spec: *someJWTAuthenticatorSpec,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache is the mock version that was added above runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache is the mock version that was added above
@ -262,18 +255,16 @@ func TestController(t *testing.T) {
cache.Store( cache.Store(
authncache.Key{ authncache.Key{
Name: "test-name", Name: "test-name",
Namespace: "test-namespace",
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
APIGroup: auth1alpha1.SchemeGroupVersion.Group, APIGroup: auth1alpha1.SchemeGroupVersion.Group,
}, },
struct{ authenticator.Token }{}, struct{ authenticator.Token }{},
) )
}, },
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *someJWTAuthenticatorSpec, Spec: *someJWTAuthenticatorSpec,
@ -281,36 +272,34 @@ func TestController(t *testing.T) {
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="wrong JWT authenticator type in cache" "actualType"="struct { authenticator.Token }"`, `jwtcachefiller-controller "level"=0 "msg"="wrong JWT authenticator type in cache" "actualType"="struct { authenticator.Token }"`,
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
runTestsOnResultingAuthenticator: true, runTestsOnResultingAuthenticator: true,
}, },
{ {
name: "valid jwt authenticator without CA", name: "valid jwt authenticator without CA",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *missingTLSJWTAuthenticatorSpec, Spec: *missingTLSJWTAuthenticatorSpec,
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache doesn't have the CA for our test discovery server runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache doesn't have the CA for our test discovery server
}, },
{ {
name: "invalid jwt authenticator CA", name: "invalid jwt authenticator CA",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
jwtAuthenticators: []runtime.Object{ jwtAuthenticators: []runtime.Object{
&auth1alpha1.JWTAuthenticator{ &auth1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: *invalidTLSJWTAuthenticatorSpec, Spec: *invalidTLSJWTAuthenticatorSpec,

View File

@ -54,7 +54,7 @@ type controller struct {
// Sync implements controllerlib.Syncer. // Sync implements controllerlib.Syncer.
func (c *controller) Sync(ctx controllerlib.Context) error { func (c *controller) Sync(ctx controllerlib.Context) error {
obj, err := c.webhooks.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name) obj, err := c.webhooks.Lister().Get(ctx.Key.Name)
if err != nil && errors.IsNotFound(err) { if err != nil && errors.IsNotFound(err) {
c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted") c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted")
return nil return nil

View File

@ -41,18 +41,17 @@ func TestController(t *testing.T) {
}{ }{
{ {
name: "not found", name: "not found",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
wantLogs: []string{ wantLogs: []string{
`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`, `webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
}, },
}, },
{ {
name: "invalid webhook", name: "invalid webhook",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
webhooks: []runtime.Object{ webhooks: []runtime.Object{
&auth1alpha1.WebhookAuthenticator{ &auth1alpha1.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: auth1alpha1.WebhookAuthenticatorSpec{ Spec: auth1alpha1.WebhookAuthenticatorSpec{
@ -64,11 +63,10 @@ func TestController(t *testing.T) {
}, },
{ {
name: "valid webhook", name: "valid webhook",
syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, syncKey: controllerlib.Key{Name: "test-name"},
webhooks: []runtime.Object{ webhooks: []runtime.Object{
&auth1alpha1.WebhookAuthenticator{ &auth1alpha1.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace",
Name: "test-name", Name: "test-name",
}, },
Spec: auth1alpha1.WebhookAuthenticatorSpec{ Spec: auth1alpha1.WebhookAuthenticatorSpec{
@ -78,7 +76,7 @@ func TestController(t *testing.T) {
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name","namespace":"test-namespace"}`, `webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name"}`,
}, },
wantCacheEntries: 1, wantCacheEntries: 1,
}, },

View File

@ -19,7 +19,6 @@ import (
func CreateOrUpdateCredentialIssuer( func CreateOrUpdateCredentialIssuer(
ctx context.Context, ctx context.Context,
credentialIssuerNamespace string,
credentialIssuerResourceName string, credentialIssuerResourceName string,
credentialIssuerLabels map[string]string, credentialIssuerLabels map[string]string,
pinnipedClient pinnipedclientset.Interface, pinnipedClient pinnipedclientset.Interface,
@ -28,7 +27,7 @@ func CreateOrUpdateCredentialIssuer(
err := retry.RetryOnConflict(retry.DefaultRetry, func() error { err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
existingCredentialIssuer, err := pinnipedClient. existingCredentialIssuer, err := pinnipedClient.
ConfigV1alpha1(). ConfigV1alpha1().
CredentialIssuers(credentialIssuerNamespace). CredentialIssuers().
Get(ctx, credentialIssuerResourceName, metav1.GetOptions{}) Get(ctx, credentialIssuerResourceName, metav1.GetOptions{})
notFound := k8serrors.IsNotFound(err) notFound := k8serrors.IsNotFound(err)
@ -36,12 +35,12 @@ func CreateOrUpdateCredentialIssuer(
return fmt.Errorf("get failed: %w", err) return fmt.Errorf("get failed: %w", err)
} }
credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers(credentialIssuerNamespace) credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers()
if notFound { if notFound {
// Create it // Create it
credentialIssuer := minimalValidCredentialIssuer( credentialIssuer := minimalValidCredentialIssuer(
credentialIssuerResourceName, credentialIssuerNamespace, credentialIssuerLabels, credentialIssuerResourceName, credentialIssuerLabels,
) )
applyUpdatesToCredentialIssuerFunc(credentialIssuer) applyUpdatesToCredentialIssuerFunc(credentialIssuer)
@ -73,14 +72,12 @@ func CreateOrUpdateCredentialIssuer(
func minimalValidCredentialIssuer( func minimalValidCredentialIssuer(
credentialIssuerName string, credentialIssuerName string,
credentialIssuerNamespace string,
credentialIssuerLabels map[string]string, credentialIssuerLabels map[string]string,
) *configv1alpha1.CredentialIssuer { ) *configv1alpha1.CredentialIssuer {
return &configv1alpha1.CredentialIssuer{ return &configv1alpha1.CredentialIssuer{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerName, Name: credentialIssuerName,
Namespace: credentialIssuerNamespace,
Labels: credentialIssuerLabels, Labels: credentialIssuerLabels,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{

View File

@ -29,7 +29,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
var ctx context.Context var ctx context.Context
var pinnipedAPIClient *pinnipedfake.Clientset var pinnipedAPIClient *pinnipedfake.Clientset
var credentialIssuerGVR schema.GroupVersionResource var credentialIssuerGVR schema.GroupVersionResource
const installationNamespace = "some-namespace"
const credentialIssuerResourceName = "some-resource-name" const credentialIssuerResourceName = "some-resource-name"
it.Before(func() { it.Before(func() {
@ -47,7 +46,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("creates a new config which includes only the updates made by the func parameter", func() { it("creates a new config which includes only the updates made by the func parameter", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{ map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
@ -62,16 +60,14 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
) )
r.NoError(err) r.NoError(err)
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
expectedCreateAction := coretesting.NewCreateAction( expectedCreateAction := coretesting.NewRootCreateAction(
credentialIssuerGVR, credentialIssuerGVR,
installationNamespace,
&configv1alpha1.CredentialIssuer{ &configv1alpha1.CredentialIssuer{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: installationNamespace,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2", "myLabelKey2": "myLabelValue2",
@ -100,7 +96,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{}, map[string]string{},
pinnipedAPIClient, pinnipedAPIClient,
@ -119,7 +114,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: installationNamespace,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
}, },
@ -146,7 +140,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("updates the existing config to only apply the updates made by the func parameter", func() { it("updates the existing config to only apply the updates made by the func parameter", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{ map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
@ -159,12 +152,12 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
) )
r.NoError(err) r.NoError(err)
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
// Only the edited field should be changed. // Only the edited field should be changed.
expectedUpdatedConfig := existingConfig.DeepCopy() expectedUpdatedConfig := existingConfig.DeepCopy()
expectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" expectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
expectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, expectedUpdatedConfig) expectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedUpdatedConfig)
r.Equal([]coretesting.Action{expectedGetAction, expectedUpdateAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction, expectedUpdateAction}, pinnipedAPIClient.Actions())
}) })
@ -172,7 +165,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() { it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{}, map[string]string{},
pinnipedAPIClient, pinnipedAPIClient,
@ -187,7 +179,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
) )
r.NoError(err) r.NoError(err)
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
r.Equal([]coretesting.Action{expectedGetAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction}, pinnipedAPIClient.Actions())
}) })
@ -201,7 +193,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{}, map[string]string{},
pinnipedAPIClient, pinnipedAPIClient,
@ -221,7 +212,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{}, map[string]string{},
pinnipedAPIClient, pinnipedAPIClient,
@ -246,7 +236,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
if !hit { if !hit {
// Before the update fails, also change the object that will be returned by the next Get(), // Before the update fails, also change the object that will be returned by the next Get(),
// to make sure that the production code does a fresh Get() after detecting a conflict. // to make sure that the production code does a fresh Get() after detecting a conflict.
r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, installationNamespace)) r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, ""))
hit = true hit = true
return true, nil, apierrors.NewConflict(schema.GroupResource{ return true, nil, apierrors.NewConflict(schema.GroupResource{
Group: apiregistrationv1.GroupName, Group: apiregistrationv1.GroupName,
@ -260,7 +250,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
it("retries updates on conflict", func() { it("retries updates on conflict", func() {
err := CreateOrUpdateCredentialIssuer( err := CreateOrUpdateCredentialIssuer(
ctx, ctx,
installationNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{ map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
@ -273,18 +262,18 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) {
) )
r.NoError(err) r.NoError(err)
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
// The first attempted update only includes its own edits. // The first attempted update only includes its own edits.
firstExpectedUpdatedConfig := existingConfig.DeepCopy() firstExpectedUpdatedConfig := existingConfig.DeepCopy()
firstExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" firstExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
firstExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, firstExpectedUpdatedConfig) firstExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, firstExpectedUpdatedConfig)
// Both the edits made by this update and the edits made by the conflicting update should be included. // Both the edits made by this update and the edits made by the conflicting update should be included.
secondExpectedUpdatedConfig := existingConfig.DeepCopy() secondExpectedUpdatedConfig := existingConfig.DeepCopy()
secondExpectedUpdatedConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update" secondExpectedUpdatedConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update"
secondExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" secondExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
secondExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, secondExpectedUpdatedConfig) secondExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, secondExpectedUpdatedConfig)
expectedActions := []coretesting.Action{ expectedActions := []coretesting.Action{
expectedGetAction, expectedGetAction,

View File

@ -26,7 +26,6 @@ const (
) )
type kubeConigInfoPublisherController struct { type kubeConigInfoPublisherController struct {
credentialIssuerNamespaceName string
credentialIssuerResourceName string credentialIssuerResourceName string
credentialIssuerLabels map[string]string credentialIssuerLabels map[string]string
serverOverride *string serverOverride *string
@ -38,7 +37,6 @@ type kubeConigInfoPublisherController struct {
// configv1alpha1.CredentialIssuer.Status.KubeConfigInfo field with the cluster-info ConfigMap // configv1alpha1.CredentialIssuer.Status.KubeConfigInfo field with the cluster-info ConfigMap
// in the kube-public namespace. // in the kube-public namespace.
func NewKubeConfigInfoPublisherController( func NewKubeConfigInfoPublisherController(
credentialIssuerNamespaceName string,
credentialIssuerResourceName string, credentialIssuerResourceName string,
credentialIssuerLabels map[string]string, credentialIssuerLabels map[string]string,
serverOverride *string, serverOverride *string,
@ -51,7 +49,6 @@ func NewKubeConfigInfoPublisherController(
Name: "publisher-controller", Name: "publisher-controller",
Syncer: &kubeConigInfoPublisherController{ Syncer: &kubeConigInfoPublisherController{
credentialIssuerResourceName: credentialIssuerResourceName, credentialIssuerResourceName: credentialIssuerResourceName,
credentialIssuerNamespaceName: credentialIssuerNamespaceName,
credentialIssuerLabels: credentialIssuerLabels, credentialIssuerLabels: credentialIssuerLabels,
serverOverride: serverOverride, serverOverride: serverOverride,
pinnipedClient: pinnipedClient, pinnipedClient: pinnipedClient,
@ -116,7 +113,6 @@ func (c *kubeConigInfoPublisherController) Sync(ctx controllerlib.Context) error
return CreateOrUpdateCredentialIssuer( return CreateOrUpdateCredentialIssuer(
ctx.Context, ctx.Context,
c.credentialIssuerNamespaceName,
c.credentialIssuerResourceName, c.credentialIssuerResourceName,
c.credentialIssuerLabels, c.credentialIssuerLabels,
c.pinnipedClient, c.pinnipedClient,

View File

@ -30,7 +30,6 @@ import (
func TestInformerFilters(t *testing.T) { func TestInformerFilters(t *testing.T) {
spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) {
const credentialIssuerResourceName = "some-resource-name" const credentialIssuerResourceName = "some-resource-name"
const installedInNamespace = "some-namespace"
var r *require.Assertions var r *require.Assertions
var observableWithInformerOption *testutil.ObservableWithInformerOption var observableWithInformerOption *testutil.ObservableWithInformerOption
@ -41,7 +40,6 @@ func TestInformerFilters(t *testing.T) {
observableWithInformerOption = testutil.NewObservableWithInformerOption() observableWithInformerOption = testutil.NewObservableWithInformerOption()
configMapInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().ConfigMaps() configMapInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().ConfigMaps()
_ = NewKubeConfigInfoPublisherController( _ = NewKubeConfigInfoPublisherController(
installedInNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{}, map[string]string{},
nil, nil,
@ -105,7 +103,6 @@ func TestInformerFilters(t *testing.T) {
func TestSync(t *testing.T) { func TestSync(t *testing.T) {
spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
const credentialIssuerResourceName = "some-resource-name" const credentialIssuerResourceName = "some-resource-name"
const installedInNamespace = "some-namespace"
var r *require.Assertions var r *require.Assertions
@ -118,7 +115,7 @@ func TestSync(t *testing.T) {
var timeoutContextCancel context.CancelFunc var timeoutContextCancel context.CancelFunc
var syncContext *controllerlib.Context var syncContext *controllerlib.Context
var expectedCredentialIssuer = func(expectedNamespace, expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) { var expectedCredentialIssuer = func(expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) {
expectedCredentialIssuerGVR := schema.GroupVersionResource{ expectedCredentialIssuerGVR := schema.GroupVersionResource{
Group: configv1alpha1.GroupName, Group: configv1alpha1.GroupName,
Version: "v1alpha1", Version: "v1alpha1",
@ -127,7 +124,6 @@ func TestSync(t *testing.T) {
expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: expectedNamespace,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2", "myLabelKey2": "myLabelValue2",
@ -149,7 +145,6 @@ func TestSync(t *testing.T) {
var startInformersAndController = func() { var startInformersAndController = func() {
// Set this at the last second to allow for injection of server override. // Set this at the last second to allow for injection of server override.
subject = NewKubeConfigInfoPublisherController( subject = NewKubeConfigInfoPublisherController(
installedInNamespace,
credentialIssuerResourceName, credentialIssuerResourceName,
map[string]string{ map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
@ -223,17 +218,15 @@ func TestSync(t *testing.T) {
r.NoError(err) r.NoError(err)
expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
installedInNamespace,
kubeServerURL, kubeServerURL,
caData, caData,
) )
r.Equal( r.Equal(
[]coretesting.Action{ []coretesting.Action{
coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
coretesting.NewCreateAction( coretesting.NewRootCreateAction(
expectedCredentialIssuerGVR, expectedCredentialIssuerGVR,
installedInNamespace,
expectedCredentialIssuer, expectedCredentialIssuer,
), ),
}, },
@ -269,7 +262,6 @@ func TestSync(t *testing.T) {
r.NoError(err) r.NoError(err)
expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
installedInNamespace,
kubeServerURL, kubeServerURL,
caData, caData,
) )
@ -277,10 +269,9 @@ func TestSync(t *testing.T) {
r.Equal( r.Equal(
[]coretesting.Action{ []coretesting.Action{
coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
coretesting.NewCreateAction( coretesting.NewRootCreateAction(
expectedCredentialIssuerGVR, expectedCredentialIssuerGVR,
installedInNamespace,
expectedCredentialIssuer, expectedCredentialIssuer,
), ),
}, },
@ -297,7 +288,6 @@ func TestSync(t *testing.T) {
it.Before(func() { it.Before(func() {
credentialIssuerGVR, credentialIssuer = expectedCredentialIssuer( credentialIssuerGVR, credentialIssuer = expectedCredentialIssuer(
installedInNamespace,
kubeServerURL, kubeServerURL,
caData, caData,
) )
@ -312,7 +302,7 @@ func TestSync(t *testing.T) {
r.Equal( r.Equal(
[]coretesting.Action{ []coretesting.Action{
coretesting.NewGetAction(credentialIssuerGVR, installedInNamespace, credentialIssuer.Name), coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuer.Name),
}, },
pinnipedAPIClient.Actions(), pinnipedAPIClient.Actions(),
) )
@ -322,7 +312,6 @@ func TestSync(t *testing.T) {
when("the CredentialIssuer is stale compared to the data in the ConfigMap", func() { when("the CredentialIssuer is stale compared to the data in the ConfigMap", func() {
it.Before(func() { it.Before(func() {
_, expectedCredentialIssuer := expectedCredentialIssuer( _, expectedCredentialIssuer := expectedCredentialIssuer(
installedInNamespace,
kubeServerURL, kubeServerURL,
caData, caData,
) )
@ -336,15 +325,13 @@ func TestSync(t *testing.T) {
r.NoError(err) r.NoError(err)
expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer(
installedInNamespace,
kubeServerURL, kubeServerURL,
caData, caData,
) )
expectedActions := []coretesting.Action{ expectedActions := []coretesting.Action{
coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name),
coretesting.NewUpdateAction( coretesting.NewRootUpdateAction(
expectedCredentialIssuerGVR, expectedCredentialIssuerGVR,
installedInNamespace,
expectedCredentialIssuer, expectedCredentialIssuer,
), ),
} }

View File

@ -59,7 +59,6 @@ func TestAnnotaterControllerSync(t *testing.T) {
const agentPodNamespace = "agent-pod-namespace" const agentPodNamespace = "agent-pod-namespace"
const defaultKubeControllerManagerClusterSigningCertFileFlagValue = "/etc/kubernetes/ca/ca.pem" const defaultKubeControllerManagerClusterSigningCertFileFlagValue = "/etc/kubernetes/ca/ca.pem"
const defaultKubeControllerManagerClusterSigningKeyFileFlagValue = "/etc/kubernetes/ca/ca.key" const defaultKubeControllerManagerClusterSigningKeyFileFlagValue = "/etc/kubernetes/ca/ca.key"
const credentialIssuerNamespaceName = "ci-namespace-name"
const credentialIssuerResourceName = "ci-resource-name" const credentialIssuerResourceName = "ci-resource-name"
const ( const (
@ -102,7 +101,6 @@ func TestAnnotaterControllerSync(t *testing.T) {
}, },
}, },
&CredentialIssuerLocationConfig{ &CredentialIssuerLocationConfig{
Namespace: credentialIssuerNamespaceName,
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
}, },
clock.NewFakeClock(frozenNow), clock.NewFakeClock(frozenNow),
@ -237,7 +235,6 @@ func TestAnnotaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{}, Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@ -264,14 +261,12 @@ func TestAnnotaterControllerSync(t *testing.T) {
LastUpdateTime: metav1.NewTime(frozenNow), LastUpdateTime: metav1.NewTime(frozenNow),
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedUpdateAction := coretesting.NewUpdateAction( expectedUpdateAction := coretesting.NewRootUpdateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )
@ -313,7 +308,6 @@ func TestAnnotaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{ Strategies: []configv1alpha1.CredentialIssuerStrategy{
@ -327,14 +321,12 @@ func TestAnnotaterControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedCreateAction := coretesting.NewCreateAction( expectedCreateAction := coretesting.NewRootCreateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )

View File

@ -83,7 +83,6 @@ func TestCreaterControllerSync(t *testing.T) {
spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system" const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace" const agentPodNamespace = "agent-pod-namespace"
const credentialIssuerNamespaceName = "ci-namespace-name"
const credentialIssuerResourceName = "ci-resource-name" const credentialIssuerResourceName = "ci-resource-name"
var r *require.Assertions var r *require.Assertions
@ -119,7 +118,6 @@ func TestCreaterControllerSync(t *testing.T) {
}, },
}, },
&CredentialIssuerLocationConfig{ &CredentialIssuerLocationConfig{
Namespace: credentialIssuerNamespaceName,
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
}, },
map[string]string{ map[string]string{
@ -308,7 +306,6 @@ func TestCreaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{}, Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@ -335,14 +332,12 @@ func TestCreaterControllerSync(t *testing.T) {
LastUpdateTime: metav1.NewTime(frozenNow), LastUpdateTime: metav1.NewTime(frozenNow),
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedUpdateAction := coretesting.NewUpdateAction( expectedUpdateAction := coretesting.NewRootUpdateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )
@ -384,7 +379,6 @@ func TestCreaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2", "myLabelKey2": "myLabelValue2",
@ -402,14 +396,12 @@ func TestCreaterControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedCreateAction := coretesting.NewCreateAction( expectedCreateAction := coretesting.NewRootCreateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )
@ -436,7 +428,6 @@ func TestCreaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{}, Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@ -463,14 +454,12 @@ func TestCreaterControllerSync(t *testing.T) {
LastUpdateTime: metav1.NewTime(frozenNow), LastUpdateTime: metav1.NewTime(frozenNow),
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedUpdateAction := coretesting.NewUpdateAction( expectedUpdateAction := coretesting.NewRootUpdateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )
@ -529,7 +518,6 @@ func TestCreaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
Labels: map[string]string{ Labels: map[string]string{
"myLabelKey1": "myLabelValue1", "myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2", "myLabelKey2": "myLabelValue2",
@ -547,14 +535,12 @@ func TestCreaterControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction( expectedGetAction := coretesting.NewRootGetAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
credentialIssuerResourceName, credentialIssuerResourceName,
) )
expectedCreateAction := coretesting.NewCreateAction( expectedCreateAction := coretesting.NewRootCreateAction(
credentialIssuerGVR, credentialIssuerGVR,
credentialIssuerNamespaceName,
expectedCredentialIssuer, expectedCredentialIssuer,
) )

View File

@ -44,7 +44,6 @@ func TestExecerControllerOptions(t *testing.T) {
agentPodsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods() agentPodsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods()
_ = NewExecerController( _ = NewExecerController(
&CredentialIssuerLocationConfig{ &CredentialIssuerLocationConfig{
Namespace: "ignored by this test",
Name: "ignored by this test", Name: "ignored by this test",
}, },
nil, // dynamicCertProvider, not needed for this test nil, // dynamicCertProvider, not needed for this test
@ -136,7 +135,6 @@ func TestManagerControllerSync(t *testing.T) {
const fakeKeyPath = "/some/key/path" const fakeKeyPath = "/some/key/path"
const defaultDynamicCertProviderCert = "initial-cert" const defaultDynamicCertProviderCert = "initial-cert"
const defaultDynamicCertProviderKey = "initial-key" const defaultDynamicCertProviderKey = "initial-key"
const credentialIssuerNamespaceName = "ci-namespace-name"
const credentialIssuerResourceName = "ci-resource-name" const credentialIssuerResourceName = "ci-resource-name"
var r *require.Assertions var r *require.Assertions
@ -160,7 +158,6 @@ func TestManagerControllerSync(t *testing.T) {
// Set this at the last second to allow for injection of server override. // Set this at the last second to allow for injection of server override.
subject = NewExecerController( subject = NewExecerController(
&CredentialIssuerLocationConfig{ &CredentialIssuerLocationConfig{
Namespace: credentialIssuerNamespaceName,
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
}, },
dynamicCertProvider, dynamicCertProvider,
@ -334,7 +331,6 @@ func TestManagerControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{}, Strategies: []configv1alpha1.CredentialIssuerStrategy{},
@ -361,8 +357,8 @@ func TestManagerControllerSync(t *testing.T) {
LastUpdateTime: metav1.NewTime(frozenNow), LastUpdateTime: metav1.NewTime(frozenNow),
}, },
} }
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
expectedCreateAction := coretesting.NewUpdateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) expectedCreateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedCredentialIssuer)
r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
}) })
@ -397,7 +393,6 @@ func TestManagerControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{ Strategies: []configv1alpha1.CredentialIssuerStrategy{
@ -411,8 +406,8 @@ func TestManagerControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
}) })
}) })
@ -440,7 +435,6 @@ func TestManagerControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{ Strategies: []configv1alpha1.CredentialIssuerStrategy{
@ -454,8 +448,8 @@ func TestManagerControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
}) })
}) })
@ -482,7 +476,6 @@ func TestManagerControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName, Name: credentialIssuerResourceName,
Namespace: credentialIssuerNamespaceName,
}, },
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{ Strategies: []configv1alpha1.CredentialIssuerStrategy{
@ -496,8 +489,8 @@ func TestManagerControllerSync(t *testing.T) {
}, },
}, },
} }
expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
}) })
}) })

View File

@ -74,9 +74,6 @@ type AgentPodConfig struct {
} }
type CredentialIssuerLocationConfig struct { type CredentialIssuerLocationConfig struct {
// The namespace in which the CredentialIssuer should be created/updated.
Namespace string
// The resource name for the CredentialIssuer to be created/updated. // The resource name for the CredentialIssuer to be created/updated.
Name string Name string
} }
@ -292,7 +289,6 @@ func createOrUpdateCredentialIssuer(ctx context.Context,
) error { ) error {
return issuerconfig.CreateOrUpdateCredentialIssuer( return issuerconfig.CreateOrUpdateCredentialIssuer(
ctx, ctx,
ciConfig.Namespace,
ciConfig.Name, ciConfig.Name,
credentialIssuerLabels, credentialIssuerLabels,
pinnipedAPIClient, pinnipedAPIClient,

View File

@ -109,7 +109,6 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
AdditionalLabels: c.Labels, AdditionalLabels: c.Labels,
} }
credentialIssuerLocationConfig := &kubecertagent.CredentialIssuerLocationConfig{ credentialIssuerLocationConfig := &kubecertagent.CredentialIssuerLocationConfig{
Namespace: c.ServerInstallationInfo.Namespace,
Name: c.NamesConfig.CredentialIssuer, Name: c.NamesConfig.CredentialIssuer,
} }
@ -127,7 +126,6 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
// CredentialIssuer resource and keeping that information up to date. // CredentialIssuer resource and keeping that information up to date.
WithController( WithController(
issuerconfig.NewKubeConfigInfoPublisherController( issuerconfig.NewKubeConfigInfoPublisherController(
c.ServerInstallationInfo.Namespace,
c.NamesConfig.CredentialIssuer, c.NamesConfig.CredentialIssuer,
c.Labels, c.Labels,
c.DiscoveryURLOverride, c.DiscoveryURLOverride,
@ -245,7 +243,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
WithController( WithController(
webhookcachefiller.New( webhookcachefiller.New(
c.AuthenticatorCache, c.AuthenticatorCache,
informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(), informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
klogr.New(), klogr.New(),
), ),
singletonWorker, singletonWorker,
@ -253,7 +251,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
WithController( WithController(
jwtcachefiller.New( jwtcachefiller.New(
c.AuthenticatorCache, c.AuthenticatorCache,
informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(), informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
klogr.New(), klogr.New(),
), ),
singletonWorker, singletonWorker,
@ -261,8 +259,8 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
WithController( WithController(
cachecleaner.New( cachecleaner.New(
c.AuthenticatorCache, c.AuthenticatorCache,
informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(), informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(), informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
klogr.New(), klogr.New(),
), ),
singletonWorker, singletonWorker,
@ -279,7 +277,7 @@ type informers struct {
kubePublicNamespaceK8s k8sinformers.SharedInformerFactory kubePublicNamespaceK8s k8sinformers.SharedInformerFactory
kubeSystemNamespaceK8s k8sinformers.SharedInformerFactory kubeSystemNamespaceK8s k8sinformers.SharedInformerFactory
installationNamespaceK8s k8sinformers.SharedInformerFactory installationNamespaceK8s k8sinformers.SharedInformerFactory
installationNamespacePinniped pinnipedinformers.SharedInformerFactory pinniped pinnipedinformers.SharedInformerFactory
} }
// Create the informers that will be used by the controllers. // Create the informers that will be used by the controllers.
@ -304,10 +302,9 @@ func createInformers(
defaultResyncInterval, defaultResyncInterval,
k8sinformers.WithNamespace(serverInstallationNamespace), k8sinformers.WithNamespace(serverInstallationNamespace),
), ),
installationNamespacePinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions( pinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(
pinnipedClient, pinnipedClient,
defaultResyncInterval, defaultResyncInterval,
pinnipedinformers.WithNamespace(serverInstallationNamespace),
), ),
} }
} }
@ -316,10 +313,10 @@ func (i *informers) startAndWaitForSync(ctx context.Context) {
i.kubePublicNamespaceK8s.Start(ctx.Done()) i.kubePublicNamespaceK8s.Start(ctx.Done())
i.kubeSystemNamespaceK8s.Start(ctx.Done()) i.kubeSystemNamespaceK8s.Start(ctx.Done())
i.installationNamespaceK8s.Start(ctx.Done()) i.installationNamespaceK8s.Start(ctx.Done())
i.installationNamespacePinniped.Start(ctx.Done()) i.pinniped.Start(ctx.Done())
i.kubePublicNamespaceK8s.WaitForCacheSync(ctx.Done()) i.kubePublicNamespaceK8s.WaitForCacheSync(ctx.Done())
i.kubeSystemNamespaceK8s.WaitForCacheSync(ctx.Done()) i.kubeSystemNamespaceK8s.WaitForCacheSync(ctx.Done())
i.installationNamespaceK8s.WaitForCacheSync(ctx.Done()) i.installationNamespaceK8s.WaitForCacheSync(ctx.Done())
i.installationNamespacePinniped.WaitForCacheSync(ctx.Done()) i.pinniped.WaitForCacheSync(ctx.Done())
} }

View File

@ -259,7 +259,7 @@ func TestKubeclient(t *testing.T) {
// create // create
tokenCredentialRequest, err := c.PinnipedConcierge. tokenCredentialRequest, err := c.PinnipedConcierge.
LoginV1alpha1(). LoginV1alpha1().
TokenCredentialRequests(goodTokenCredentialRequest.Namespace). TokenCredentialRequests().
Create(context.Background(), goodTokenCredentialRequest, metav1.CreateOptions{}) Create(context.Background(), goodTokenCredentialRequest, metav1.CreateOptions{})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, goodTokenCredentialRequest, tokenCredentialRequest) require.Equal(t, goodTokenCredentialRequest, tokenCredentialRequest)
@ -267,7 +267,7 @@ func TestKubeclient(t *testing.T) {
// read // read
tokenCredentialRequest, err = c.PinnipedConcierge. tokenCredentialRequest, err = c.PinnipedConcierge.
LoginV1alpha1(). LoginV1alpha1().
TokenCredentialRequests(tokenCredentialRequest.Namespace). TokenCredentialRequests().
Get(context.Background(), tokenCredentialRequest.Name, metav1.GetOptions{}) Get(context.Background(), tokenCredentialRequest.Name, metav1.GetOptions{})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, with(goodTokenCredentialRequest, annotations(), labels()), tokenCredentialRequest) require.Equal(t, with(goodTokenCredentialRequest, annotations(), labels()), tokenCredentialRequest)
@ -276,7 +276,7 @@ func TestKubeclient(t *testing.T) {
goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName := with(goodTokenCredentialRequest, annotations(), labels(), clusterName()).(*loginv1alpha1.TokenCredentialRequest) goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName := with(goodTokenCredentialRequest, annotations(), labels(), clusterName()).(*loginv1alpha1.TokenCredentialRequest)
tokenCredentialRequest, err = c.PinnipedConcierge. tokenCredentialRequest, err = c.PinnipedConcierge.
LoginV1alpha1(). LoginV1alpha1().
TokenCredentialRequests(tokenCredentialRequest.Namespace). TokenCredentialRequests().
Update(context.Background(), goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, metav1.UpdateOptions{}) Update(context.Background(), goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, metav1.UpdateOptions{})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, tokenCredentialRequest) require.Equal(t, goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, tokenCredentialRequest)
@ -284,7 +284,7 @@ func TestKubeclient(t *testing.T) {
// delete // delete
err = c.PinnipedConcierge. err = c.PinnipedConcierge.
LoginV1alpha1(). LoginV1alpha1().
TokenCredentialRequests(tokenCredentialRequest.Namespace). TokenCredentialRequests().
Delete(context.Background(), tokenCredentialRequest.Name, metav1.DeleteOptions{}) Delete(context.Background(), tokenCredentialRequest.Name, metav1.DeleteOptions{})
require.NoError(t, err) require.NoError(t, err)
}, },

View File

@ -27,28 +27,19 @@ import (
) )
// ErrLoginFailed is returned by Client.ExchangeToken when the concierge server rejects the login request for any reason. // ErrLoginFailed is returned by Client.ExchangeToken when the concierge server rejects the login request for any reason.
var ErrLoginFailed = constable.Error("login failed") const ErrLoginFailed = constable.Error("login failed")
// Option is an optional configuration for New(). // Option is an optional configuration for New().
type Option func(*Client) error type Option func(*Client) error
// Client is a configuration for talking to the Pinniped concierge. // Client is a configuration for talking to the Pinniped concierge.
type Client struct { type Client struct {
namespace string
authenticator *corev1.TypedLocalObjectReference authenticator *corev1.TypedLocalObjectReference
caBundle string caBundle string
endpoint *url.URL endpoint *url.URL
apiGroupSuffix string apiGroupSuffix string
} }
// WithNamespace configures the namespace where the TokenCredentialRequest is to be sent.
func WithNamespace(namespace string) Option {
return func(c *Client) error {
c.namespace = namespace
return nil
}
}
// WithAuthenticator configures the authenticator reference (spec.authenticator) of the TokenCredentialRequests. // WithAuthenticator configures the authenticator reference (spec.authenticator) of the TokenCredentialRequests.
func WithAuthenticator(authType, authName string) Option { func WithAuthenticator(authType, authName string) Option {
return func(c *Client) error { return func(c *Client) error {
@ -127,7 +118,7 @@ func WithAPIGroupSuffix(apiGroupSuffix string) Option {
// New validates the specified options and returns a newly initialized *Client. // New validates the specified options and returns a newly initialized *Client.
func New(opts ...Option) (*Client, error) { func New(opts ...Option) (*Client, error) {
c := Client{namespace: "pinniped-concierge", apiGroupSuffix: "pinniped.dev"} c := Client{apiGroupSuffix: "pinniped.dev"}
for _, opt := range opts { for _, opt := range opts {
if err := opt(&c); err != nil { if err := opt(&c); err != nil {
return nil, err return nil, err
@ -180,10 +171,7 @@ func (c *Client) ExchangeToken(ctx context.Context, token string) (*clientauthen
if err != nil { if err != nil {
return nil, err return nil, err
} }
resp, err := clientset.LoginV1alpha1().TokenCredentialRequests(c.namespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{ resp, err := clientset.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
ObjectMeta: metav1.ObjectMeta{
Namespace: c.namespace,
},
Spec: loginv1alpha1.TokenCredentialRequestSpec{ Spec: loginv1alpha1.TokenCredentialRequestSpec{
Token: token, Token: token,
Authenticator: *c.authenticator, Authenticator: *c.authenticator,

View File

@ -125,7 +125,6 @@ func TestNew(t *testing.T) {
{ {
name: "valid", name: "valid",
opts: []Option{ opts: []Option{
WithNamespace("test-namespace"),
WithEndpoint("https://example.com"), WithEndpoint("https://example.com"),
WithCABundle(""), WithCABundle(""),
WithCABundle(string(testCA.Bundle())), WithCABundle(string(testCA.Bundle())),
@ -223,7 +222,7 @@ func TestExchangeToken(t *testing.T) {
// Start a test server that returns successfully and asserts various properties of the request. // Start a test server that returns successfully and asserts various properties of the request.
caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
require.Equal(t, http.MethodPost, r.Method) require.Equal(t, http.MethodPost, r.Method)
require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/namespaces/test-namespace/tokencredentialrequests", r.URL.Path) require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/tokencredentialrequests", r.URL.Path)
require.Equal(t, "application/json", r.Header.Get("content-type")) require.Equal(t, "application/json", r.Header.Get("content-type"))
body, err := ioutil.ReadAll(r.Body) body, err := ioutil.ReadAll(r.Body)
@ -233,8 +232,7 @@ func TestExchangeToken(t *testing.T) {
"kind": "TokenCredentialRequest", "kind": "TokenCredentialRequest",
"apiVersion": "login.concierge.pinniped.dev/v1alpha1", "apiVersion": "login.concierge.pinniped.dev/v1alpha1",
"metadata": { "metadata": {
"creationTimestamp": null, "creationTimestamp": null
"namespace": "test-namespace"
}, },
"spec": { "spec": {
"token": "test-token", "token": "test-token",
@ -262,7 +260,7 @@ func TestExchangeToken(t *testing.T) {
}) })
}) })
client, err := New(WithNamespace("test-namespace"), WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook")) client, err := New(WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook"))
require.NoError(t, err) require.NoError(t, err)
got, err := client.ExchangeToken(ctx, "test-token") got, err := client.ExchangeToken(ctx, "test-token")

View File

@ -163,7 +163,7 @@ to authenticate federated identities from the Supervisor.
object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor. object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor.
```bash ```bash
cat <<EOF | kubectl create --context kind-pinniped-concierge --namespace pinniped-concierge -f - cat <<EOF | kubectl create --context kind-pinniped-concierge -f -
apiVersion: authentication.concierge.pinniped.dev/v1alpha1 apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator kind: JWTAuthenticator
metadata: metadata:
@ -185,7 +185,6 @@ to authenticate federated identities from the Supervisor.
```bash ```bash
pinniped get kubeconfig \ pinniped get kubeconfig \
--kubeconfig-context kind-pinniped-concierge \ --kubeconfig-context kind-pinniped-concierge \
--concierge-namespace pinniped-concierge \
> /tmp/pinniped-kubeconfig > /tmp/pinniped-kubeconfig
``` ```

View File

@ -102,7 +102,7 @@ as the authenticator.
1. Create a `WebhookAuthenticator` object to configure the Pinniped Concierge to authenticate using local-user-authenticator. 1. Create a `WebhookAuthenticator` object to configure the Pinniped Concierge to authenticate using local-user-authenticator.
```bash ```bash
cat <<EOF | kubectl create --namespace pinniped-concierge -f - cat <<EOF | kubectl create -f -
apiVersion: authentication.concierge.pinniped.dev/v1alpha1 apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: WebhookAuthenticator kind: WebhookAuthenticator
metadata: metadata:
@ -124,7 +124,7 @@ as the authenticator.
allow you to authenticate as the user that you created above. allow you to authenticate as the user that you created above.
```bash ```bash
pinniped get kubeconfig --concierge-namespace pinniped-concierge --static-token "pinny-the-seal:password123" --concierge-authenticator-type webhook --concierge-authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig pinniped get kubeconfig --static-token "pinny-the-seal:password123" --concierge-authenticator-type webhook --concierge-authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig
``` ```
If you are using MacOS, you may get an error dialog that says If you are using MacOS, you may get an error dialog that says

View File

@ -57,7 +57,6 @@ func TestCLIGetKubeconfigStaticToken(t *testing.T) {
"get", "kubeconfig", "get", "kubeconfig",
"--static-token", env.TestUser.Token, "--static-token", env.TestUser.Token,
"--concierge-api-group-suffix", env.APIGroupSuffix, "--concierge-api-group-suffix", env.APIGroupSuffix,
"--concierge-namespace", env.ConciergeNamespace,
"--concierge-authenticator-type", "webhook", "--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", authenticator.Name, "--concierge-authenticator-name", authenticator.Name,
}, },

View File

@ -146,7 +146,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
// pod has rotated their cert, but not the other ones sitting behind the service. // pod has rotated their cert, but not the other ones sitting behind the service.
aggregatedAPIWorking := func() bool { aggregatedAPIWorking := func() bool {
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
_, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{ _, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{}, ObjectMeta: metav1.ObjectMeta{},
Spec: loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook}, Spec: loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},

View File

@ -72,7 +72,6 @@ func TestClient(t *testing.T) {
// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange. // Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
clientConfig := library.NewClientConfig(t) clientConfig := library.NewClientConfig(t)
client, err := conciergeclient.New( client, err := conciergeclient.New(
conciergeclient.WithNamespace(env.ConciergeNamespace),
conciergeclient.WithCABundle(string(clientConfig.CAData)), conciergeclient.WithCABundle(string(clientConfig.CAData)),
conciergeclient.WithEndpoint(clientConfig.Host), conciergeclient.WithEndpoint(clientConfig.Host),
conciergeclient.WithAuthenticator("webhook", webhook.Name), conciergeclient.WithAuthenticator("webhook", webhook.Name),

View File

@ -29,7 +29,7 @@ func TestCredentialIssuer(t *testing.T) {
t.Run("test successful CredentialIssuer", func(t *testing.T) { t.Run("test successful CredentialIssuer", func(t *testing.T) {
actualConfigList, err := client. actualConfigList, err := client.
ConfigV1alpha1(). ConfigV1alpha1().
CredentialIssuers(env.ConciergeNamespace). CredentialIssuers().
List(ctx, metav1.ListOptions{}) List(ctx, metav1.ListOptions{})
require.NoError(t, err) require.NoError(t, err)

View File

@ -211,7 +211,7 @@ func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCred
ctx, cancel := context.WithTimeout(ctx, 10*time.Second) ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
defer cancel() defer cancel()
return client.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{ return client.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{Namespace: env.ConciergeNamespace}, ObjectMeta: metav1.ObjectMeta{Namespace: env.ConciergeNamespace},
Spec: spec, Spec: spec,

View File

@ -142,7 +142,6 @@ func TestE2EFullIntegration(t *testing.T) {
// Run "pinniped get kubeconfig" to get a kubeconfig YAML. // Run "pinniped get kubeconfig" to get a kubeconfig YAML.
kubeconfigYAML, stderr := runPinnipedCLI(t, pinnipedExe, "get", "kubeconfig", kubeconfigYAML, stderr := runPinnipedCLI(t, pinnipedExe, "get", "kubeconfig",
"--concierge-api-group-suffix", env.APIGroupSuffix, "--concierge-api-group-suffix", env.APIGroupSuffix,
"--concierge-namespace", env.ConciergeNamespace,
"--concierge-authenticator-type", "jwt", "--concierge-authenticator-type", "jwt",
"--concierge-authenticator-name", authenticator.Name, "--concierge-authenticator-name", authenticator.Name,
"--oidc-skip-browser", "--oidc-skip-browser",

View File

@ -167,7 +167,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// sanity check concierge client // sanity check concierge client
credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Create( credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Create(
ctx, ctx,
&conciergeconfigv1alpha1.CredentialIssuer{ &conciergeconfigv1alpha1.CredentialIssuer{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -184,7 +184,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
hasOwnerRef(t, credentialIssuer, ref) hasOwnerRef(t, credentialIssuer, ref)
// this owner has already been deleted so the cred issuer should be immediately deleted // this owner has already been deleted so the cred issuer should be immediately deleted
isEventuallyDeleted(t, func() error { isEventuallyDeleted(t, func() error {
_, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Get(ctx, credentialIssuer.Name, metav1.GetOptions{}) _, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuer.Name, metav1.GetOptions{})
return err return err
}) })

View File

@ -153,7 +153,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
testEnv := IntegrationEnv(t) testEnv := IntegrationEnv(t)
client := NewConciergeClientset(t) client := NewConciergeClientset(t)
webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace) webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators()
createContext, cancel := context.WithTimeout(ctx, 5*time.Second) createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel() defer cancel()
@ -220,10 +220,9 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
// authenticator within the test namespace. // authenticator within the test namespace.
func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference { func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference {
t.Helper() t.Helper()
testEnv := IntegrationEnv(t)
client := NewConciergeClientset(t) client := NewConciergeClientset(t)
jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators(testEnv.ConciergeNamespace) jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators()
createContext, cancel := context.WithTimeout(ctx, 5*time.Second) createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel() defer cancel()