jwtcachefiller: update to use CAContentProvider

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-08-09 19:16:25 -04:00
parent d2891554a4
commit a027f1ae2c
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8


@ -7,14 +7,13 @@ package jwtcachefiller
import ( import (
"fmt" "fmt"
"io/ioutil"
"os"
"reflect" "reflect"
"github.com/go-logr/logr" "github.com/go-logr/logr"
"gopkg.in/square/go-jose.v2" "gopkg.in/square/go-jose.v2"
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc" "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
"k8s.io/klog/v2" "k8s.io/klog/v2"
@ -151,22 +150,13 @@ func newJWTAuthenticator(spec *auth1alpha1.JWTAuthenticatorSpec) (*jwtAuthentica
return nil, fmt.Errorf("invalid TLS configuration: %w", err) return nil, fmt.Errorf("invalid TLS configuration: %w", err)
} }
var caFile string var caContentProvider oidc.CAContentProvider
if caBundle != nil { if len(caBundle) != 0 {
temp, err := ioutil.TempFile("", "pinniped-jwkauthenticator-cafile-*") var caContentProviderErr error
if err != nil { caContentProvider, caContentProviderErr = dynamiccertificates.NewStaticCAContent("ignored", caBundle)
return nil, fmt.Errorf("unable to create temporary file: %w", err) if caContentProviderErr != nil {
return nil, caContentProviderErr // impossible since caBundle is validated already
} }
// We can safely remove the temp file at the end of this function since oidc.New() reads the
// provided CA file and then forgets about it.
defer func() { _ = os.Remove(temp.Name()) }()
if _, err := temp.Write(caBundle); err != nil {
return nil, fmt.Errorf("cannot write CA file: %w", err)
}
caFile = temp.Name()
} }
usernameClaim := spec.Claims.Username usernameClaim := spec.Claims.Username
if usernameClaim == "" { if usernameClaim == "" {
@ -183,7 +173,7 @@ func newJWTAuthenticator(spec *auth1alpha1.JWTAuthenticatorSpec) (*jwtAuthentica
UsernameClaim: usernameClaim, UsernameClaim: usernameClaim,
GroupsClaim: groupsClaim, GroupsClaim: groupsClaim,
SupportedSigningAlgs: defaultSupportedSigningAlgos(), SupportedSigningAlgs: defaultSupportedSigningAlgos(),
CAFile: caFile, CAContentProvider: caContentProvider,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("could not initialize authenticator: %w", err) return nil, fmt.Errorf("could not initialize authenticator: %w", err)
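Review bot: The new error path in the second hunk returns `caContentProviderErr` bare, while every other failure in newJWTAuthenticator wraps with context (`fmt.Errorf("invalid TLS configuration: %w", err)`, `fmt.Errorf("could not initialize authenticator: %w", err)`); `return nil, fmt.Errorf("invalid CA bundle: %w", caContentProviderErr)` keeps the function's error style even on a path the comment calls impossible. The separate `var caContentProviderErr error` exists only to avoid shadowing with `:=`; the hunk's first context line already uses an `err`, but its declaration is outside the hunk, so if that `err` is function-scoped the plainer form `caContentProvider, err = dynamiccertificates.NewStaticCAContent(...)` with the usual `if err != nil` would read better. The literal `"ignored"` passed as the provider name may surface in log lines or errors emitted by the dynamiccertificates package; a descriptive name such as `"jwt-authenticator-ca"` costs nothing and is more useful if it does, which is worth confirming against that package. newJWTAuthenticator begins before and continues after these hunks.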