djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove static webhook config options.

Browse Source 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer 2020-09-14 10:48:11 -05:00
parent f7c9ae8ba3
commit 8de046a561
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
9 changed files with 0 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/config/api/types.go
View File

@ -7,23 +7,10 @@ package api
// Config contains knobs to setup an instance of pinniped. // Config contains knobs to setup an instance of pinniped.
type Config struct { type Config struct {
WebhookConfig WebhookConfigSpec `json:"webhook"`
DiscoveryInfo DiscoveryInfoSpec `json:"discovery"` DiscoveryInfo DiscoveryInfoSpec `json:"discovery"`
APIConfig APIConfigSpec `json:"api"` APIConfig APIConfigSpec `json:"api"`
} }
// WebhookConfig contains configuration knobs specific to pinniped's use
// of a webhook for token validation.
type WebhookConfigSpec struct {
// URL contains the URL of the webhook that pinniped will use
// to validate external credentials.
URL string `json:"url"`
// CABundle contains PEM-encoded certificate authority certificates used
// to validate TLS connections to the WebhookURL.
CABundle []byte `json:"caBundle"`
}
// DiscoveryInfoSpec contains configuration knobs specific to // DiscoveryInfoSpec contains configuration knobs specific to
// pinniped's publishing of discovery information. These values can be // pinniped's publishing of discovery information. These values can be
// viewed as overrides, i.e., if these are set, then pinniped will // viewed as overrides, i.e., if these are set, then pinniped will

8
pkg/config/config_test.go
View File

@ -27,10 +27,6 @@ func TestFromPath(t *testing.T) {
DiscoveryInfo: api.DiscoveryInfoSpec{ DiscoveryInfo: api.DiscoveryInfoSpec{
URL: stringPtr("https://some.discovery/url"), URL: stringPtr("https://some.discovery/url"),
}, },
WebhookConfig: api.WebhookConfigSpec{
URL: "https://tuna.com/fish?marlin",
CABundle: []byte("-----BEGIN CERTIFICATE-----..."),
},
APIConfig: api.APIConfigSpec{ APIConfig: api.APIConfigSpec{
ServingCertificateConfig: api.ServingCertificateConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{
DurationSeconds: int64Ptr(3600), DurationSeconds: int64Ptr(3600),
@ -46,10 +42,6 @@ func TestFromPath(t *testing.T) {
DiscoveryInfo: api.DiscoveryInfoSpec{ DiscoveryInfo: api.DiscoveryInfoSpec{
URL: nil, URL: nil,
}, },
WebhookConfig: api.WebhookConfigSpec{
URL: "https://tuna.com/fish?marlin",
CABundle: []byte("-----BEGIN CERTIFICATE-----..."),
},
APIConfig: api.APIConfigSpec{ APIConfig: api.APIConfigSpec{
ServingCertificateConfig: api.ServingCertificateConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{
DurationSeconds: int64Ptr(60 * 60 * 24 * 365), // about a year DurationSeconds: int64Ptr(60 * 60 * 24 * 365), // about a year

3
pkg/config/testdata/default.yaml vendored
View File

@ -1,4 +1 @@
--- ---
webhook:
url: https://tuna.com/fish?marlin
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u

3
pkg/config/testdata/happy.yaml vendored
View File

@ -1,9 +1,6 @@
--- ---
discovery: discovery:
url: https://some.discovery/url url: https://some.discovery/url
webhook:
url: https://tuna.com/fish?marlin
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
api: api:
servingCertificate: servingCertificate:
durationSeconds: 3600 durationSeconds: 3600

3
pkg/config/testdata/invalid-duration-renew-before.yaml vendored
View File

@ -1,7 +1,4 @@
--- ---
webhook:
url: https://tuna.com/fish?marlin
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
api: api:
servingCertificate: servingCertificate:
durationSeconds: 2400 durationSeconds: 2400

3
pkg/config/testdata/negative-renew-before.yaml vendored
View File

@ -1,7 +1,4 @@
--- ---
webhook:
url: https://tuna.com/fish?marlin
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
api: api:
servingCertificate: servingCertificate:
durationSeconds: 2400 durationSeconds: 2400

3
pkg/config/testdata/zero-renew-before.yaml vendored
View File

@ -1,7 +1,4 @@
--- ---
webhook:
url: https://tuna.com/fish?marlin
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
api: api:
servingCertificate: servingCertificate:
durationSeconds: 2400 durationSeconds: 2400

77
pkg/config/webhook.go
View File

@ -1,77 +0,0 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package config
import (
"fmt"
"io"
"io/ioutil"
"os"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
"github.com/suzerain-io/pinniped/pkg/config/api"
)
// NewWebhook creates a webhook from the provided API server url and caBundle
// used to validate TLS connections.
func NewWebhook(spec api.WebhookConfigSpec) (*webhook.WebhookTokenAuthenticator, error) {
kubeconfig, err := ioutil.TempFile("", "pinniped-webhook-kubeconfig-*")
if err != nil {
return nil, fmt.Errorf("create temp file: %w", err)
}
defer os.Remove(kubeconfig.Name())
if err := anonymousKubeconfig(spec.URL, spec.CABundle, kubeconfig); err != nil {
return nil, fmt.Errorf("anonymous kubeconfig: %w", err)
}
// We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired
// integration points.
version := authenticationv1beta1.SchemeGroupVersion.Version
// At the current time, we don't provide any audiences because we simply don't
// have any requirements to do so. This can be changed in the future as
// requirements change.
var implicitAuds authenticator.Audiences
// We set this to nil because we would only need this to support some of the
// custom proxy stuff used by the API server.
var customDial utilnet.DialFunc
return webhook.New(kubeconfig.Name(), version, implicitAuds, customDial)
}
// anonymousKubeconfig writes a kubeconfig file to the provided io.Writer that
// will "use" anonymous auth to talk to a Kube API server at the provided url
// with the provided caBundle.
func anonymousKubeconfig(url string, caBundle []byte, out io.Writer) error {
config := clientcmdapi.NewConfig()
config.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{
Server: url,
CertificateAuthorityData: caBundle,
}
config.Contexts["anonymous"] = &clientcmdapi.Context{
Cluster: "anonymous-cluster",
}
config.CurrentContext = "anonymous"
data, err := clientcmd.Write(*config)
if err != nil {
return fmt.Errorf("marshal config: %w", err)
}
if _, err := out.Write(data); err != nil {
return fmt.Errorf("write config: %w", err)
}
return nil
}

31
pkg/config/webhook_test.go
View File

@ -1,31 +0,0 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package config
import (
"io/ioutil"
"os"
"testing"
"github.com/stretchr/testify/require"
"k8s.io/client-go/tools/clientcmd"
)
func TestAnonymousKubeconfig(t *testing.T) {
expect := require.New(t)
f, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*")
expect.NoError(err)
defer os.Remove(f.Name())
err = anonymousKubeconfig("https://tuna.com", []byte("ca bundle"), f)
expect.NoError(err)
config, err := clientcmd.BuildConfigFromFlags("", f.Name())
expect.NoError(err)
expect.Equal("https://tuna.com", config.Host)
}