Address PR feedback, especially to check that the CA bundle is some kind of valid cert
This commit is contained in:
parent
959f18b67b
commit
dc61d132cf
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.17/README.adoc
generated
3
generated/1.17/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.18/README.adoc
generated
3
generated/1.18/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.19/README.adoc
generated
3
generated/1.19/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.20/README.adoc
generated
3
generated/1.20/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.21/README.adoc
generated
3
generated/1.21/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.22/README.adoc
generated
3
generated/1.22/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.23/README.adoc
generated
3
generated/1.23/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.24/README.adoc
generated
3
generated/1.24/README.adoc
generated
@ -569,6 +569,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -576,6 +577,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.25/README.adoc
generated
3
generated/1.25/README.adoc
generated
@ -567,6 +567,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -574,6 +575,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.26/README.adoc
generated
3
generated/1.26/README.adoc
generated
@ -567,6 +567,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -574,6 +575,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
3
generated/1.27/README.adoc
generated
3
generated/1.27/README.adoc
generated
@ -567,6 +567,7 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
| *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
||||
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
|===
|
||||
|
||||
|
||||
@ -574,6 +575,8 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp
|
||||
==== ImpersonationProxyTLSSpec
|
||||
|
||||
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
|
||||
|
||||
.Appears In:
|
||||
****
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -104,8 +104,9 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
tls:
|
||||
description: TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS.
|
||||
description: "TLS contains information about how the Concierge
|
||||
impersonation proxy should serve TLS. \n If this field is empty,
|
||||
the impersonation proxy will generate its own TLS certificate."
|
||||
properties:
|
||||
certificateAuthorityData:
|
||||
description: X.509 Certificate Authority (base64-encoded PEM
|
||||
|
@ -82,6 +82,12 @@ const (
|
||||
|
||||
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
|
||||
// serve TLS.
|
||||
//
|
||||
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
|
||||
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
|
||||
//
|
||||
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
|
||||
// the impersonation proxy endpoint.
|
||||
type ImpersonationProxyTLSSpec struct {
|
||||
// X.509 Certificate Authority (base64-encoded PEM bundle).
|
||||
// Used to advertise the CA bundle for the impersonation proxy endpoint.
|
||||
@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
|
||||
|
||||
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
||||
//
|
||||
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
||||
//
|
||||
// +optional
|
||||
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
|
||||
}
|
||||
|
@ -328,7 +328,8 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
|
||||
|
||||
func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
|
||||
ctx context.Context,
|
||||
nameInfo *certNameInfo) ([]byte, error) {
|
||||
nameInfo *certNameInfo,
|
||||
) ([]byte, error) {
|
||||
var (
|
||||
impersonationCA *certauthority.CA
|
||||
err error
|
||||
@ -349,7 +350,8 @@ func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
|
||||
|
||||
func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
|
||||
ctx context.Context,
|
||||
tlsSpec *v1alpha1.ImpersonationProxyTLSSpec) ([]byte, error) {
|
||||
tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
|
||||
) ([]byte, error) {
|
||||
if tlsSpec.SecretName == "" {
|
||||
return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
|
||||
}
|
||||
@ -378,6 +380,11 @@ func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
|
||||
return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: %w", err)
|
||||
}
|
||||
|
||||
block, _ := pem.Decode(caBundle)
|
||||
if block == nil {
|
||||
return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
|
||||
}
|
||||
|
||||
c.infoLog.Info("the impersonation proxy will advertise its CA Bundle from impersonationSpec.TLS.CertificateAuthorityData",
|
||||
"CertificateAuthorityData", caBundle)
|
||||
}
|
||||
@ -723,7 +730,27 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return secretFromInformer.Data[caCrtKey], nil
|
||||
base64EncodedCaCert := secretFromInformer.Data[caCrtKey]
|
||||
|
||||
if len(base64EncodedCaCert) > 0 {
|
||||
var decodedCaCert []byte
|
||||
decodedCaCert, err = base64.StdEncoding.DecodeString(string(secretFromInformer.Data[caCrtKey]))
|
||||
if err != nil {
|
||||
err = fmt.Errorf("unable to read provided ca.crt: %w", err)
|
||||
plog.Error("error loading cert from externally provided TLS secret for the impersonation proxy", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
block, _ := pem.Decode(decodedCaCert)
|
||||
if block == nil {
|
||||
plog.Warning("error loading cert from externally provided TLS secret for the impersonation proxy: data is not a certificate")
|
||||
return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
|
||||
}
|
||||
|
||||
return decodedCaCert, nil
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error {
|
||||
|
@ -1278,11 +1278,85 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
||||
})
|
||||
})
|
||||
|
||||
when("the CertificateAuthorityData is configured with invalid data", func() {
|
||||
it.Before(func() {
|
||||
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||
})
|
||||
|
||||
when("CertificateAuthorityData is not base64 encoded", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
addSecretToTrackers(externalTLSSecret, kubeInformerClient)
|
||||
addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
|
||||
Spec: v1alpha1.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
|
||||
Mode: v1alpha1.ImpersonationProxyModeAuto,
|
||||
ExternalEndpoint: localhostIP,
|
||||
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||
Type: v1alpha1.ImpersonationProxyServiceTypeNone,
|
||||
},
|
||||
TLS: &v1alpha1.ImpersonationProxyTLSSpec{
|
||||
CertificateAuthorityData: string(externalCA.Bundle()),
|
||||
SecretName: externallyProvidedTLSSecretName,
|
||||
},
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
})
|
||||
|
||||
it("returns an error", func() {
|
||||
startInformersAndController()
|
||||
r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0")
|
||||
r.Len(kubeAPIClient.Actions(), 1)
|
||||
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||
requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0"))
|
||||
requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
|
||||
})
|
||||
})
|
||||
|
||||
when("CertificateAuthorityData is not a cert", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
addSecretToTrackers(externalTLSSecret, kubeInformerClient)
|
||||
addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
|
||||
Spec: v1alpha1.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
|
||||
Mode: v1alpha1.ImpersonationProxyModeAuto,
|
||||
ExternalEndpoint: localhostIP,
|
||||
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||
Type: v1alpha1.ImpersonationProxyServiceTypeNone,
|
||||
},
|
||||
TLS: &v1alpha1.ImpersonationProxyTLSSpec{
|
||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("hello")),
|
||||
SecretName: externallyProvidedTLSSecretName,
|
||||
},
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
})
|
||||
|
||||
it("returns an error", func() {
|
||||
startInformersAndController()
|
||||
r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
|
||||
r.Len(kubeAPIClient.Actions(), 1)
|
||||
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||
requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate"))
|
||||
requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
when("the CertificateAuthorityData is not configured", func() {
|
||||
it.Before(func() {
|
||||
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||
})
|
||||
|
||||
when("the externally provided TLS secret has a ca.crt field", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
externalTLSSecret.Data["ca.crt"] = externalCA.Bundle()
|
||||
externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString(externalCA.Bundle()))
|
||||
addSecretToTrackers(externalTLSSecret, kubeInformerClient)
|
||||
addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
|
||||
@ -1299,7 +1373,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||
})
|
||||
|
||||
it("will advertise ca.crt from the externally provided secret", func() {
|
||||
@ -1307,12 +1380,76 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
||||
r.NoError(runControllerSync())
|
||||
r.Len(kubeAPIClient.Actions(), 1)
|
||||
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||
requireTLSServerIsRunning(externalTLSSecret.Data["ca.crt"], testServerAddr(), nil)
|
||||
requireCredentialIssuer(newSuccessStrategy(localhostIP, externalTLSSecret.Data["ca.crt"]))
|
||||
requireTLSServerIsRunning(externalCA.Bundle(), testServerAddr(), nil)
|
||||
requireCredentialIssuer(newSuccessStrategy(localhostIP, externalCA.Bundle()))
|
||||
requireMTLSClientCertProviderHasLoadedCerts(mTLSClientCertCACertPEM, mTLSClientCertCAPrivateKeyPEM)
|
||||
})
|
||||
})
|
||||
|
||||
when("the externally provided TLS secret has a ca.crt field that is not base64-encoded", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
externalTLSSecret.Data["ca.crt"] = []byte("hello")
|
||||
addSecretToTrackers(externalTLSSecret, kubeInformerClient)
|
||||
addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
|
||||
Spec: v1alpha1.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
|
||||
Mode: v1alpha1.ImpersonationProxyModeAuto,
|
||||
ExternalEndpoint: localhostIP,
|
||||
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||
Type: v1alpha1.ImpersonationProxyServiceTypeNone,
|
||||
},
|
||||
TLS: &v1alpha1.ImpersonationProxyTLSSpec{
|
||||
SecretName: externallyProvidedTLSSecretName,
|
||||
},
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
})
|
||||
|
||||
it("returns an error", func() {
|
||||
startInformersAndController()
|
||||
r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4")
|
||||
r.Len(kubeAPIClient.Actions(), 1)
|
||||
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||
requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4"))
|
||||
requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
|
||||
})
|
||||
})
|
||||
|
||||
when("the externally provided TLS secret has a ca.crt field that is not a valid cert", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString([]byte("hello")))
|
||||
addSecretToTrackers(externalTLSSecret, kubeInformerClient)
|
||||
addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
|
||||
Spec: v1alpha1.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
|
||||
Mode: v1alpha1.ImpersonationProxyModeAuto,
|
||||
ExternalEndpoint: localhostIP,
|
||||
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||
Type: v1alpha1.ImpersonationProxyServiceTypeNone,
|
||||
},
|
||||
TLS: &v1alpha1.ImpersonationProxyTLSSpec{
|
||||
SecretName: externallyProvidedTLSSecretName,
|
||||
},
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
})
|
||||
|
||||
it("returns an error", func() {
|
||||
startInformersAndController()
|
||||
r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate")
|
||||
r.Len(kubeAPIClient.Actions(), 1)
|
||||
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||
requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate"))
|
||||
requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
|
||||
})
|
||||
})
|
||||
|
||||
when("the externally provided TLS secret does not have a ca.crt field", func() {
|
||||
it.Before(func() {
|
||||
addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
|
||||
@ -1332,7 +1469,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}, pinnipedInformerClient, pinnipedAPIClient)
|
||||
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||
})
|
||||
|
||||
it("will advertise an empty CA bundle", func() {
|
||||
|
@ -1787,29 +1787,39 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
externallyProvidedTLSServingCertPEM, externallyProvidedTLSServingKeyPEM, err = externallyProvidedCA.IssueServerCertPEM([]string{proxyServiceEndpoint}, nil, 1*time.Hour)
|
||||
require.NoError(t, err)
|
||||
|
||||
externallyProvidedTLSServingCertSecretName := "external-tls-cert-secret-name" //nolint:gosec // this is not a credential
|
||||
externallyProvidedTLSServingCertSecret := &corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: externallyProvidedTLSServingCertSecretName,
|
||||
Namespace: env.ConciergeNamespace,
|
||||
},
|
||||
Type: corev1.SecretTypeTLS,
|
||||
Data: map[string][]byte{
|
||||
v1.TLSCertKey: externallyProvidedTLSServingCertPEM,
|
||||
v1.TLSPrivateKeyKey: externallyProvidedTLSServingKeyPEM,
|
||||
},
|
||||
}
|
||||
|
||||
_, err = adminClient.CoreV1().Secrets(env.ConciergeNamespace).Create(ctx, externallyProvidedTLSServingCertSecret, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Delete(ctx, externallyProvidedTLSServingCertSecretName, metav1.DeleteOptions{})
|
||||
require.NoError(t, err)
|
||||
})
|
||||
externallyProvidedTLSServingCertSecret := testlib.CreateTestSecret(
|
||||
t,
|
||||
env.ConciergeNamespace,
|
||||
"external-tls-cert-secret-name",
|
||||
corev1.SecretTypeTLS,
|
||||
map[string]string{
|
||||
v1.TLSCertKey: string(externallyProvidedTLSServingCertPEM),
|
||||
v1.TLSPrivateKeyKey: string(externallyProvidedTLSServingKeyPEM),
|
||||
})
|
||||
|
||||
_, originalInternallyGeneratedCAPEM := performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
|
||||
|
||||
t.Cleanup(func() {
|
||||
// Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
|
||||
// internally generated TLS serving cert derived from the original CA.
|
||||
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
|
||||
Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
|
||||
ExternalEndpoint: proxyServiceEndpoint,
|
||||
Service: conciergev1alpha.ImpersonationProxyServiceSpec{
|
||||
Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
// Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle
|
||||
testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
|
||||
_, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
|
||||
|
||||
return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil
|
||||
}, 2*time.Minute, 500*time.Millisecond)
|
||||
})
|
||||
|
||||
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
|
||||
Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
|
||||
@ -1819,7 +1829,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
},
|
||||
TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{
|
||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()),
|
||||
SecretName: externallyProvidedTLSServingCertSecretName,
|
||||
SecretName: externallyProvidedTLSServingCertSecret.Name,
|
||||
},
|
||||
},
|
||||
})
|
||||
@ -1835,25 +1845,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
_, newImpersonationProxyCACertPEM := performImpersonatorDiscovery(ctx, t, env, adminClient, adminConciergeClient, refreshCredential)
|
||||
return bytes.Equal(newImpersonationProxyCACertPEM, externallyProvidedCA.Bundle()), err
|
||||
}, 2*time.Minute, 500*time.Millisecond)
|
||||
|
||||
// Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
|
||||
// internally generated TLS serving cert derived from the original CA.
|
||||
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
|
||||
ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
|
||||
Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
|
||||
ExternalEndpoint: proxyServiceEndpoint,
|
||||
Service: conciergev1alpha.ImpersonationProxyServiceSpec{
|
||||
Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
// Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle
|
||||
testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
|
||||
_, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
|
||||
|
||||
return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil
|
||||
}, 2*time.Minute, 500*time.Millisecond)
|
||||
})
|
||||
|
||||
t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {
|
||||
|
Loading…
Reference in New Issue
Block a user