Remove static webhook config options.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer
parent
f7c9ae8ba3
commit
8de046a561
@ -7,23 +7,10 @@ package api
|
||||
|
||||
// Config contains knobs to setup an instance of pinniped.
|
||||
type Config struct {
|
||||
WebhookConfig WebhookConfigSpec `json:"webhook"`
|
||||
DiscoveryInfo DiscoveryInfoSpec `json:"discovery"`
|
||||
APIConfig APIConfigSpec `json:"api"`
|
||||
}
|
||||
|
||||
// WebhookConfig contains configuration knobs specific to pinniped's use
|
||||
// of a webhook for token validation.
|
||||
type WebhookConfigSpec struct {
|
||||
// URL contains the URL of the webhook that pinniped will use
|
||||
// to validate external credentials.
|
||||
URL string `json:"url"`
|
||||
|
||||
// CABundle contains PEM-encoded certificate authority certificates used
|
||||
// to validate TLS connections to the WebhookURL.
|
||||
CABundle []byte `json:"caBundle"`
|
||||
}
|
||||
|
||||
// DiscoveryInfoSpec contains configuration knobs specific to
|
||||
// pinniped's publishing of discovery information. These values can be
|
||||
// viewed as overrides, i.e., if these are set, then pinniped will
|
||||
|
||||
@ -27,10 +27,6 @@ func TestFromPath(t *testing.T) {
|
||||
DiscoveryInfo: api.DiscoveryInfoSpec{
|
||||
URL: stringPtr("https://some.discovery/url"),
|
||||
},
|
||||
WebhookConfig: api.WebhookConfigSpec{
|
||||
URL: "https://tuna.com/fish?marlin",
|
||||
CABundle: []byte("-----BEGIN CERTIFICATE-----..."),
|
||||
},
|
||||
APIConfig: api.APIConfigSpec{
|
||||
ServingCertificateConfig: api.ServingCertificateConfigSpec{
|
||||
DurationSeconds: int64Ptr(3600),
|
||||
@ -46,10 +42,6 @@ func TestFromPath(t *testing.T) {
|
||||
DiscoveryInfo: api.DiscoveryInfoSpec{
|
||||
URL: nil,
|
||||
},
|
||||
WebhookConfig: api.WebhookConfigSpec{
|
||||
URL: "https://tuna.com/fish?marlin",
|
||||
CABundle: []byte("-----BEGIN CERTIFICATE-----..."),
|
||||
},
|
||||
APIConfig: api.APIConfigSpec{
|
||||
ServingCertificateConfig: api.ServingCertificateConfigSpec{
|
||||
DurationSeconds: int64Ptr(60 * 60 * 24 * 365), // about a year
|
||||
|
||||
3
pkg/config/testdata/default.yaml
vendored
3
pkg/config/testdata/default.yaml
vendored
@ -1,4 +1 @@
|
||||
---
|
||||
webhook:
|
||||
url: https://tuna.com/fish?marlin
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
|
||||
|
||||
3
pkg/config/testdata/happy.yaml
vendored
3
pkg/config/testdata/happy.yaml
vendored
@ -1,9 +1,6 @@
|
||||
---
|
||||
discovery:
|
||||
url: https://some.discovery/url
|
||||
webhook:
|
||||
url: https://tuna.com/fish?marlin
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
|
||||
api:
|
||||
servingCertificate:
|
||||
durationSeconds: 3600
|
||||
|
||||
@ -1,7 +1,4 @@
|
||||
---
|
||||
webhook:
|
||||
url: https://tuna.com/fish?marlin
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
|
||||
api:
|
||||
servingCertificate:
|
||||
durationSeconds: 2400
|
||||
|
||||
@ -1,7 +1,4 @@
|
||||
---
|
||||
webhook:
|
||||
url: https://tuna.com/fish?marlin
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
|
||||
api:
|
||||
servingCertificate:
|
||||
durationSeconds: 2400
|
||||
|
||||
3
pkg/config/testdata/zero-renew-before.yaml
vendored
3
pkg/config/testdata/zero-renew-before.yaml
vendored
@ -1,7 +1,4 @@
|
||||
---
|
||||
webhook:
|
||||
url: https://tuna.com/fish?marlin
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
|
||||
api:
|
||||
servingCertificate:
|
||||
durationSeconds: 2400
|
||||
|
||||
@ -1,77 +0,0 @@
|
||||
/*
|
||||
Copyright 2020 VMware, Inc.
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
|
||||
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||
|
||||
"github.com/suzerain-io/pinniped/pkg/config/api"
|
||||
)
|
||||
|
||||
// NewWebhook creates a webhook from the provided API server url and caBundle
|
||||
// used to validate TLS connections.
|
||||
func NewWebhook(spec api.WebhookConfigSpec) (*webhook.WebhookTokenAuthenticator, error) {
|
||||
kubeconfig, err := ioutil.TempFile("", "pinniped-webhook-kubeconfig-*")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("create temp file: %w", err)
|
||||
}
|
||||
defer os.Remove(kubeconfig.Name())
|
||||
|
||||
if err := anonymousKubeconfig(spec.URL, spec.CABundle, kubeconfig); err != nil {
|
||||
return nil, fmt.Errorf("anonymous kubeconfig: %w", err)
|
||||
}
|
||||
|
||||
// We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired
|
||||
// integration points.
|
||||
version := authenticationv1beta1.SchemeGroupVersion.Version
|
||||
|
||||
// At the current time, we don't provide any audiences because we simply don't
|
||||
// have any requirements to do so. This can be changed in the future as
|
||||
// requirements change.
|
||||
var implicitAuds authenticator.Audiences
|
||||
|
||||
// We set this to nil because we would only need this to support some of the
|
||||
// custom proxy stuff used by the API server.
|
||||
var customDial utilnet.DialFunc
|
||||
|
||||
return webhook.New(kubeconfig.Name(), version, implicitAuds, customDial)
|
||||
}
|
||||
|
||||
// anonymousKubeconfig writes a kubeconfig file to the provided io.Writer that
|
||||
// will "use" anonymous auth to talk to a Kube API server at the provided url
|
||||
// with the provided caBundle.
|
||||
func anonymousKubeconfig(url string, caBundle []byte, out io.Writer) error {
|
||||
config := clientcmdapi.NewConfig()
|
||||
config.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{
|
||||
Server: url,
|
||||
CertificateAuthorityData: caBundle,
|
||||
}
|
||||
config.Contexts["anonymous"] = &clientcmdapi.Context{
|
||||
Cluster: "anonymous-cluster",
|
||||
}
|
||||
config.CurrentContext = "anonymous"
|
||||
|
||||
data, err := clientcmd.Write(*config)
|
||||
if err != nil {
|
||||
return fmt.Errorf("marshal config: %w", err)
|
||||
}
|
||||
|
||||
if _, err := out.Write(data); err != nil {
|
||||
return fmt.Errorf("write config: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@ -1,31 +0,0 @@
|
||||
/*
|
||||
Copyright 2020 VMware, Inc.
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
)
|
||||
|
||||
func TestAnonymousKubeconfig(t *testing.T) {
|
||||
expect := require.New(t)
|
||||
|
||||
f, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*")
|
||||
expect.NoError(err)
|
||||
defer os.Remove(f.Name())
|
||||
|
||||
err = anonymousKubeconfig("https://tuna.com", []byte("ca bundle"), f)
|
||||
expect.NoError(err)
|
||||
|
||||
config, err := clientcmd.BuildConfigFromFlags("", f.Name())
|
||||
expect.NoError(err)
|
||||
|
||||
expect.Equal("https://tuna.com", config.Host)
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user