Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
parent
03f09c6870
commit
ddd1d29e5d
@ -251,23 +251,25 @@ func configureConcierge(credentialIssuer *configv1alpha1.CredentialIssuer, authe
|
|||||||
|
|
||||||
// Autodiscover the --concierge-mode.
|
// Autodiscover the --concierge-mode.
|
||||||
if flags.concierge.mode == modeUnknown { //nolint:nestif
|
if flags.concierge.mode == modeUnknown { //nolint:nestif
|
||||||
|
|
||||||
|
strategyLoop:
|
||||||
for _, strategy := range credentialIssuer.Status.Strategies {
|
for _, strategy := range credentialIssuer.Status.Strategies {
|
||||||
fe := strategy.Frontend
|
if strategy.Status != configv1alpha1.SuccessStrategyStatus || strategy.Frontend == nil {
|
||||||
if strategy.Status != configv1alpha1.SuccessStrategyStatus || fe == nil {
|
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
switch strategy.Frontend.Type {
|
||||||
switch fe.Type {
|
|
||||||
case configv1alpha1.TokenCredentialRequestAPIFrontendType:
|
case configv1alpha1.TokenCredentialRequestAPIFrontendType:
|
||||||
flags.concierge.mode = modeTokenCredentialRequestAPI
|
flags.concierge.mode = modeTokenCredentialRequestAPI
|
||||||
|
break strategyLoop
|
||||||
case configv1alpha1.ImpersonationProxyFrontendType:
|
case configv1alpha1.ImpersonationProxyFrontendType:
|
||||||
flags.concierge.mode = modeImpersonationProxy
|
flags.concierge.mode = modeImpersonationProxy
|
||||||
flags.concierge.endpoint = fe.ImpersonationProxyInfo.Endpoint
|
flags.concierge.endpoint = strategy.Frontend.ImpersonationProxyInfo.Endpoint
|
||||||
var err error
|
var err error
|
||||||
conciergeCABundleData, err = base64.StdEncoding.DecodeString(fe.ImpersonationProxyInfo.CertificateAuthorityData)
|
conciergeCABundleData, err = base64.StdEncoding.DecodeString(strategy.Frontend.ImpersonationProxyInfo.CertificateAuthorityData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
|
return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
|
||||||
}
|
}
|
||||||
|
break strategyLoop
|
||||||
default:
|
default:
|
||||||
// Skip any unknown frontend types.
|
// Skip any unknown frontend types.
|
||||||
}
|
}
|
||||||
|
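Review bot: The `ImpersonationProxyFrontendType` case reads `ImpersonationProxyInfo.Endpoint` and `.CertificateAuthorityData` without checking that `ImpersonationProxyInfo` is non-nil. The test fixture shows it is a pointer field, so a CredentialIssuer whose status reports that frontend type with the info block missing would panic the CLI instead of being skipped. A guard at the top of the case, such as `if strategy.Frontend.ImpersonationProxyInfo == nil { continue }`, would let the loop fall through to the next strategy. Because the first `Success` entry now decides which endpoint and CA bundle are written into the kubeconfig, a comment on the `strategyLoop:` label should say that the order of `Status.Strategies` is treated as the priority order. The body of `configureConcierge` starts and ends outside this hunk.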
@ -788,7 +788,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
&configv1alpha1.CredentialIssuer{
|
&configv1alpha1.CredentialIssuer{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
|
ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
|
||||||
Status: configv1alpha1.CredentialIssuerStatus{
|
Status: configv1alpha1.CredentialIssuerStatus{
|
||||||
Strategies: []configv1alpha1.CredentialIssuerStrategy{{
|
Strategies: []configv1alpha1.CredentialIssuerStrategy{
|
||||||
|
{
|
||||||
Type: "SomeType",
|
Type: "SomeType",
|
||||||
Status: configv1alpha1.SuccessStrategyStatus,
|
Status: configv1alpha1.SuccessStrategyStatus,
|
||||||
Reason: "SomeReason",
|
Reason: "SomeReason",
|
||||||
@ -801,7 +802,22 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
|
CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}},
|
},
|
||||||
|
{
|
||||||
|
Type: "SomeOtherType",
|
||||||
|
Status: configv1alpha1.SuccessStrategyStatus,
|
||||||
|
Reason: "SomeOtherReason",
|
||||||
|
Message: "Some other message",
|
||||||
|
LastUpdateTime: metav1.Now(),
|
||||||
|
Frontend: &configv1alpha1.CredentialIssuerFrontend{
|
||||||
|
Type: configv1alpha1.ImpersonationProxyFrontendType,
|
||||||
|
ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
|
||||||
|
Endpoint: "https://some-other-impersonation-endpoint",
|
||||||
|
CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
&conciergev1alpha1.JWTAuthenticator{
|
&conciergev1alpha1.JWTAuthenticator{
|
||||||
|
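Review bot: The added second strategy reuses the same `CertificateAuthorityData` value (`"dGVzdC1jb25jaWVyZ2UtY2E="`) that appears as context for the first strategy, so the test can only distinguish the two by endpoint. If a regression took the CA bundle from a later strategy, the expected kubeconfig would still match. Giving the second entry a distinct value, for example the constructed sample `CertificateAuthorityData: "c29tZS1vdGhlci1jYQ=="`, would pin the endpoint and the trust anchor to the same strategy. The first strategy's `Frontend` block lies between the two hunks and is not visible here, so this assumes the context line at the top of the second hunk belongs to it.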