From a4fb53e131624e79d2a427fdb9f79fec6b97796b Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Fri, 15 Jul 2022 16:11:10 -0400
Subject: [PATCH] wip004
Signed-off-by: Monis Khan
---
internal/fositestorage/accesstoken/accesstoken.go | 1 +
.../authorizationcode/authorizationcode.go | 2 +-
.../fositestorage/openidconnect/openidconnect.go | 2 +-
internal/fositestorage/pkce/pkce.go | 2 +-
internal/fositestorage/refreshtoken/refreshtoken.go | 1 +
internal/registry/clientsecretrequest/rest.go | 10 ++++++----
internal/supervisor/apiserver/apiserver.go | 9 +++++++--
internal/supervisor/server/server.go | 12 +++++++++++-
8 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go
index 792b76e7..7c5cec4d 100644
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -84,6 +84,7 @@ func (a *accessTokenStorage) CreateAccessTokenSession(ctx context.Context, signa
signature,
&Session{Request: request, Version: accessTokenStorageVersion},
map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()},
+ nil,
)
return err
}
diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go
index ecfad7be..f7b731f9 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -88,7 +88,7 @@ func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, s
// of the consent authorization request. It is used to identify the session.
// signature for lookup in the DB
- _, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil)
+ _, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil, nil)
return err
}
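Review bot: The trailing `nil` added to the `a.storage.Create` call on the `+` line of the accesstoken hunk gives a reader no hint of which parameter it fills, and the same unexplained `nil` lands in the authorizationcode hunk (where the call now ends `nil, nil`) and in the openidconnect, pkce and refreshtoken hunks. The Create signature change these calls adapt to is not part of this patch, so the meaning of the new parameter cannot be checked here. A trailing comment on each call site naming the parameter, e.g. `nil, // <name of the new Create parameter>: not needed for this session type`, would keep the five call sites self-explanatory; if the value is genuinely optional for every caller, an options argument on the storage side would avoid positional `nil`s altogether. The enclosing CreateAccessTokenSession body starts outside the hunk.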
diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go
index 81699410..7a57df95 100644
--- a/internal/fositestorage/openidconnect/openidconnect.go
+++ b/internal/fositestorage/openidconnect/openidconnect.go
@@ -59,7 +59,7 @@ func (a *openIDConnectRequestStorage) CreateOpenIDConnectSession(ctx context.Con
return err
}
- _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil)
+ _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil, nil)
return err
}
diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go
index cbe566bd..cd104041 100644
--- a/internal/fositestorage/pkce/pkce.go
+++ b/internal/fositestorage/pkce/pkce.go
@@ -52,7 +52,7 @@ func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature st
return err
}
- _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil)
+ _, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil, nil)
return err
}
diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go
index a2a2fe89..46753cb7 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -90,6 +90,7 @@ func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, sig
signature,
&Session{Request: request, Version: refreshTokenStorageVersion},
map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()},
+ nil,
)
return err
}
diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go
index 6c3f5f66..257b0766 100644
--- a/internal/registry/clientsecretrequest/rest.go
+++ b/internal/registry/clientsecretrequest/rest.go
@@ -18,11 +18,11 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/registry/rest"
+ corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/utils/trace"
clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret"
configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
- "go.pinniped.dev/internal/kubeclient"
"go.pinniped.dev/internal/oidcclientsecretstorage"
)
@@ -34,11 +34,12 @@ import (
// also write a unit test that fails in 2023 to ask this to be updated to latest recommendation
const cost = bcrypt.DefaultCost + 5
-func NewREST(resource schema.GroupResource, client *kubeclient.Client, namespace string) *REST {
+func NewREST(resource schema.GroupResource, secrets corev1client.SecretInterface, clients configv1alpha1clientset.OIDCClientInterface, namespace string) *REST {
return &REST{
tableConvertor: rest.NewDefaultTableConvertor(resource),
- secretStorage: oidcclientsecretstorage.New(client.Kubernetes.CoreV1().Secrets(namespace)),
- clients: client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(namespace),
+ secretStorage: oidcclientsecretstorage.New(secrets),
+ clients: clients,
+ namespace: namespace,
rand: rand.Reader,
}
}
@@ -47,6 +48,7 @@ type REST struct {
tableConvertor rest.TableConvertor
secretStorage *oidcclientsecretstorage.OIDCClientSecretStorage
clients configv1alpha1clientset.OIDCClientInterface
+ namespace string
// TODO use rand io.Reader
}
diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go
index 135aeca9..b732343f 100644
--- a/internal/supervisor/apiserver/apiserver.go
+++ b/internal/supervisor/apiserver/apiserver.go
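Review bot: `NewREST` now stores `namespace` on the `REST` struct (hunks @@ -34 and @@ -47) but nothing in this patch reads it, and the `secrets` and `clients` interfaces it receives are already bound to a namespace by the caller, so `namespace` can silently disagree with the namespace those two clients actually operate in. If a later commit in this WIP series needs the field, a comment on it stating its purpose and the invariant, `namespace string // <intended use>; must match the namespace secrets and clients are scoped to`, would prevent that drift; otherwise it is better dropped until it has a reader. Taking `corev1client.SecretInterface` and `configv1alpha1clientset.OIDCClientInterface` instead of `*kubeclient.Client` is a good move for testability, since both can be faked without a full client. The remaining fields and methods of `REST` are outside the hunks.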
@@ -14,8 +14,10 @@ import (
"k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
+ corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/pkg/version"
+ configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
"go.pinniped.dev/internal/controllerinit"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/registry/clientsecretrequest"
@@ -31,6 +33,9 @@ type ExtraConfig struct {
Scheme *runtime.Scheme
NegotiatedSerializer runtime.NegotiatedSerializer
ClientSecretSupervisorGroupVersion schema.GroupVersion
+ Secrets corev1client.SecretInterface
+ OIDCClients configv1alpha1clientset.OIDCClientInterface
+ Namespace string
}
type PinnipedServer struct {
@@ -71,11 +76,11 @@ func (c completedConfig) New() (*PinnipedServer, error) {
GenericAPIServer: genericServer,
}
- var errs []error //nolint: prealloc
+ var errs []error // nolint: prealloc
for _, f := range []func() (schema.GroupVersionResource, rest.Storage){
func() (schema.GroupVersionResource, rest.Storage) {
clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests")
- clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource())
+ clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource(), c.ExtraConfig.Secrets, c.ExtraConfig.OIDCClients, c.ExtraConfig.Namespace)
return clientSecretReqGVR, clientSecretReqStorage
},
} {
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 677165ee..262bff6c 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
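Review bot: `New()` hands `c.ExtraConfig.Secrets`, `c.ExtraConfig.OIDCClients` and `c.ExtraConfig.Namespace` straight to `clientsecretrequest.NewREST` (hunk @@ -71) without checking that they were set, so a nil interface or empty namespace in `ExtraConfig` would only surface as a panic inside the first OIDCClientSecretRequest served rather than at construction; a guard such as `if c.ExtraConfig.Secrets == nil || c.ExtraConfig.OIDCClients == nil || c.ExtraConfig.Namespace == "" {` returning an error before the storage loop fails fast (the `Complete()` step, outside this hunk, may be the better home for it). The same hunk rewrites `//nolint: prealloc` as `// nolint: prealloc`; golangci-lint documents the directive without a space after `//`, so whether the spaced form is still honoured depends on the linter version in use, and if it is not the suppression silently stops working. The three new exported fields in hunk @@ -31 carry no doc comments; a one-line comment on each (which namespace it is scoped to, whether nil is allowed) would follow the convention for exported names.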
@@ -31,6 +31,7 @@ import (
genericoptions "k8s.io/apiserver/pkg/server/options"
kubeinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
+ corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/pkg/version"
"k8s.io/client-go/rest"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
@@ -38,6 +39,7 @@ import (
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
"go.pinniped.dev/internal/apiserviceref"
"go.pinniped.dev/internal/config/supervisor"
@@ -473,6 +475,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
*cfg.AggregatedAPIServerPort,
scheme,
clientSecretGV,
+ clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace),
+ client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace),
+ serverInstallationNamespace,
)
if err != nil {
return fmt.Errorf("could not configure aggregated API server: %w", err)
@@ -566,7 +571,6 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
return nil
}
-// Create a configuration for the aggregated API server.
func getAggregatedAPIServerConfig(
dynamicCertProvider dynamiccert.Private,
buildControllers controllerinit.RunnerBuilder,
@@ -574,6 +578,9 @@ func getAggregatedAPIServerConfig(
aggregatedAPIServerPort int64,
scheme *runtime.Scheme,
clientSecretSupervisorGroupVersion schema.GroupVersion,
+ secrets corev1client.SecretInterface,
+ oidcClients v1alpha1.OIDCClientInterface,
+ serverInstallationNamespace string,
) (*apiserver.Config, error) {
codecs := serializer.NewCodecFactory(scheme)
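Review bot: The import added in hunk @@ -38 is unaliased, so the typed clientset package is referred to as `v1alpha1` in this file while the API types package two lines above is `configv1alpha1` and the very same clientset package is aliased `configv1alpha1clientset` in the rest.go and apiserver.go hunks of this patch; in hunk @@ -574 the parameter `oidcClients v1alpha1.OIDCClientInterface` then reads as if it came from the API package. Aliasing it consistently, `configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"`, and writing `oidcClients configv1alpha1clientset.OIDCClientInterface,` removes the ambiguity.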
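Review bot: In hunk @@ -473 the Secrets client handed to the aggregated API server is built from `clientWithoutLeaderElection` while the OIDCClients client is built from `client`, so the two interfaces the OIDCClientSecretRequest endpoint depends on come from different clients; the rest of runSupervisor is outside the hunk, so it is not visible here whether `client` carries leader-election gating that secret writes must bypass. If the asymmetry is deliberate, a comment on those two `+` lines saying why (for example that every replica, not only the leader, must be able to serve secret requests) would stop a later cleanup from "fixing" it; if it is not, both should come from the same client. Because this endpoint writes credential material into Secrets, the client chosen also decides which identity and user agent those writes are audited under if the two clients are configured differently, which is worth stating in the same comment.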
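Review bot: Hunk @@ -566 deletes the doc comment on getAggregatedAPIServerConfig without replacing it, while hunk @@ -574 adds three more parameters to the same function, which is exactly when a reader most needs the summary. Restoring it in the `// Name ...` form, `// getAggregatedAPIServerConfig creates the configuration for the aggregated API server, including the namespaced Secrets and OIDCClient clients used by the OIDCClientSecretRequest endpoint.`, keeps the function self-describing. The function body continues past the end of the hunk.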
@@ -618,6 +625,9 @@ func getAggregatedAPIServerConfig(
Scheme: scheme,
NegotiatedSerializer: codecs,
ClientSecretSupervisorGroupVersion: clientSecretSupervisorGroupVersion,
+ Secrets: secrets,
+ OIDCClients: oidcClients,
+ Namespace: serverInstallationNamespace,
},
}
return apiServerConfig, nil