wip004

Signed-off-by: Monis Khan <mok@vmware.com>

internal/fositestorage/accesstoken/accesstoken.go

@@ -84,6 +84,7 @@ func (a *accessTokenStorage) CreateAccessTokenSession(ctx context.Context, signa
 		signature,
 		&Session{Request: request, Version: accessTokenStorageVersion},
 		map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()},
+		nil,
 	)
 	return err
 }

internal/fositestorage/authorizationcode/authorizationcode.go

@@ -88,7 +88,7 @@ func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, s
 	//      of the consent authorization request. It is used to identify the session.
 	//  signature for lookup in the DB
 
-	_, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil)
+	_, err = a.storage.Create(ctx, signature, &Session{Active: true, Request: request, Version: authorizeCodeStorageVersion}, nil, nil)
 	return err
 }
 

internal/fositestorage/openidconnect/openidconnect.go

@@ -59,7 +59,7 @@ func (a *openIDConnectRequestStorage) CreateOpenIDConnectSession(ctx context.Con
 		return err
 	}
 
-	_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil)
+	_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: oidcStorageVersion}, nil, nil)
 	return err
 }
 

internal/fositestorage/pkce/pkce.go

@@ -52,7 +52,7 @@ func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature st
 		return err
 	}
 
-	_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil)
+	_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil, nil)
 	return err
 }
 

internal/fositestorage/refreshtoken/refreshtoken.go

@@ -90,6 +90,7 @@ func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, sig
 		signature,
 		&Session{Request: request, Version: refreshTokenStorageVersion},
 		map[string]string{fositestorage.StorageRequestIDLabelName: requester.GetID()},
+		nil,
 	)
 	return err
 }

internal/registry/clientsecretrequest/rest.go

@@ -18,11 +18,11 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/registry/rest"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/utils/trace"
 
 	clientsecretapi "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret"
 	configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
-	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/oidcclientsecretstorage"
 )
 
@@ -34,11 +34,12 @@ import (
 //  also write a unit test that fails in 2023 to ask this to be updated to latest recommendation
 const cost = bcrypt.DefaultCost + 5
 
-func NewREST(resource schema.GroupResource, client *kubeclient.Client, namespace string) *REST {
+func NewREST(resource schema.GroupResource, secrets corev1client.SecretInterface, clients configv1alpha1clientset.OIDCClientInterface, namespace string) *REST {
 	return &REST{
 		tableConvertor: rest.NewDefaultTableConvertor(resource),
-		secretStorage:  oidcclientsecretstorage.New(client.Kubernetes.CoreV1().Secrets(namespace)),
-		clients:        client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(namespace),
+		secretStorage:  oidcclientsecretstorage.New(secrets),
+		clients:        clients,
+		namespace:      namespace,
 		rand:           rand.Reader,
 	}
 }
@@ -47,6 +48,7 @@ type REST struct {
 	tableConvertor rest.TableConvertor
 	secretStorage  *oidcclientsecretstorage.OIDCClientSecretStorage
 	clients        configv1alpha1clientset.OIDCClientInterface
+	namespace      string // TODO use
 	rand           io.Reader
 }
 

internal/supervisor/apiserver/apiserver.go

@@ -14,8 +14,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/pkg/version"
 
+	configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	"go.pinniped.dev/internal/controllerinit"
 	"go.pinniped.dev/internal/plog"
 	"go.pinniped.dev/internal/registry/clientsecretrequest"
@@ -31,6 +33,9 @@ type ExtraConfig struct {
 	Scheme                             *runtime.Scheme
 	NegotiatedSerializer               runtime.NegotiatedSerializer
 	ClientSecretSupervisorGroupVersion schema.GroupVersion
+	Secrets                            corev1client.SecretInterface
+	OIDCClients                        configv1alpha1clientset.OIDCClientInterface
+	Namespace                          string
 }
 
 type PinnipedServer struct {
@@ -71,11 +76,11 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 		GenericAPIServer: genericServer,
 	}
 
-	var errs []error //nolint: prealloc
+	var errs []error // nolint: prealloc
 	for _, f := range []func() (schema.GroupVersionResource, rest.Storage){
 		func() (schema.GroupVersionResource, rest.Storage) {
 			clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests")
-			clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource())
+			clientSecretReqStorage := clientsecretrequest.NewREST(clientSecretReqGVR.GroupResource(), c.ExtraConfig.Secrets, c.ExtraConfig.OIDCClients, c.ExtraConfig.Namespace)
 			return clientSecretReqGVR, clientSecretReqStorage
 		},
 	} {

internal/supervisor/server/server.go

@@ -31,6 +31,7 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/pkg/version"
 	"k8s.io/client-go/rest"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
@@ -38,6 +39,7 @@ import (
 
 	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+	"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 	"go.pinniped.dev/internal/apiserviceref"
 	"go.pinniped.dev/internal/config/supervisor"
@@ -473,6 +475,9 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 		*cfg.AggregatedAPIServerPort,
 		scheme,
 		clientSecretGV,
+		clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace),
+		client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace),
+		serverInstallationNamespace,
 	)
 	if err != nil {
 		return fmt.Errorf("could not configure aggregated API server: %w", err)
@@ -566,7 +571,6 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 	return nil
 }
 
-// Create a configuration for the aggregated API server.
 func getAggregatedAPIServerConfig(
 	dynamicCertProvider dynamiccert.Private,
 	buildControllers controllerinit.RunnerBuilder,
@@ -574,6 +578,9 @@ func getAggregatedAPIServerConfig(
 	aggregatedAPIServerPort int64,
 	scheme *runtime.Scheme,
 	clientSecretSupervisorGroupVersion schema.GroupVersion,
+	secrets corev1client.SecretInterface,
+	oidcClients v1alpha1.OIDCClientInterface,
+	serverInstallationNamespace string,
 ) (*apiserver.Config, error) {
 	codecs := serializer.NewCodecFactory(scheme)
 
@@ -618,6 +625,9 @@ func getAggregatedAPIServerConfig(
 			Scheme:                             scheme,
 			NegotiatedSerializer:               codecs,
 			ClientSecretSupervisorGroupVersion: clientSecretSupervisorGroupVersion,
+			Secrets:                            secrets,
+			OIDCClients:                        oidcClients,
+			Namespace:                          serverInstallationNamespace,
 		},
 	}
 	return apiServerConfig, nil