Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2021-03-04 12:24:57 -06:00
parent 03f09c6870
commit ddd1d29e5d
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
2 changed files with 36 additions and 18 deletions


@ -251,23 +251,25 @@ func configureConcierge(credentialIssuer *configv1alpha1.CredentialIssuer, authe
// Autodiscover the --concierge-mode. // Autodiscover the --concierge-mode.
if flags.concierge.mode == modeUnknown { //nolint:nestif if flags.concierge.mode == modeUnknown { //nolint:nestif
strategyLoop:
for _, strategy := range credentialIssuer.Status.Strategies { for _, strategy := range credentialIssuer.Status.Strategies {
fe := strategy.Frontend if strategy.Status != configv1alpha1.SuccessStrategyStatus || strategy.Frontend == nil {
if strategy.Status != configv1alpha1.SuccessStrategyStatus || fe == nil {
continue continue
} }
switch strategy.Frontend.Type {
switch fe.Type {
case configv1alpha1.TokenCredentialRequestAPIFrontendType: case configv1alpha1.TokenCredentialRequestAPIFrontendType:
flags.concierge.mode = modeTokenCredentialRequestAPI flags.concierge.mode = modeTokenCredentialRequestAPI
break strategyLoop
case configv1alpha1.ImpersonationProxyFrontendType: case configv1alpha1.ImpersonationProxyFrontendType:
flags.concierge.mode = modeImpersonationProxy flags.concierge.mode = modeImpersonationProxy
flags.concierge.endpoint = fe.ImpersonationProxyInfo.Endpoint flags.concierge.endpoint = strategy.Frontend.ImpersonationProxyInfo.Endpoint
var err error var err error
conciergeCABundleData, err = base64.StdEncoding.DecodeString(fe.ImpersonationProxyInfo.CertificateAuthorityData) conciergeCABundleData, err = base64.StdEncoding.DecodeString(strategy.Frontend.ImpersonationProxyInfo.CertificateAuthorityData)
if err != nil { if err != nil {
return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err) return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
} }
break strategyLoop
default: default:
// Skip any unknown frontend types. // Skip any unknown frontend types.
} }
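Review bot: The `ImpersonationProxyFrontendType` case dereferences `strategy.Frontend.ImpersonationProxyInfo` without a nil check; the guard at the top of the loop only covers `strategy.Frontend`. The test fixture in this commit builds that field with `&configv1alpha1.ImpersonationProxyInfo{...}`, so it is a pointer, and a CredentialIssuer status that names the impersonation proxy frontend but omits the info block would panic the CLI instead of being skipped or reported. Because this status (presumably fetched from the cluster by the caller) decides which endpoint and CA bundle end up in the generated kubeconfig, I would add `if strategy.Frontend.ImpersonationProxyInfo == nil { continue }` as the first statement of that case. Separately, now that the first match wins, an undecodable CA bundle on that strategy returns an error rather than trying later ones; a one-line comment such as `// An invalid CA bundle on the first usable strategy is fatal by design.` would make that explicit. configureConcierge begins before this hunk and the loop's closing braces fall after it.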


@ -788,7 +788,8 @@ func TestGetKubeconfig(t *testing.T) {
&configv1alpha1.CredentialIssuer{ &configv1alpha1.CredentialIssuer{
ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}, ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
Status: configv1alpha1.CredentialIssuerStatus{ Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{{ Strategies: []configv1alpha1.CredentialIssuerStrategy{
{
Type: "SomeType", Type: "SomeType",
Status: configv1alpha1.SuccessStrategyStatus, Status: configv1alpha1.SuccessStrategyStatus,
Reason: "SomeReason", Reason: "SomeReason",
@ -801,7 +802,22 @@ func TestGetKubeconfig(t *testing.T) {
CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=", CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
}, },
}, },
}}, },
{
Type: "SomeOtherType",
Status: configv1alpha1.SuccessStrategyStatus,
Reason: "SomeOtherReason",
Message: "Some other message",
LastUpdateTime: metav1.Now(),
Frontend: &configv1alpha1.CredentialIssuerFrontend{
Type: configv1alpha1.ImpersonationProxyFrontendType,
ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
Endpoint: "https://some-other-impersonation-endpoint",
CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
},
},
},
},
}, },
}, },
&conciergev1alpha1.JWTAuthenticator{ &conciergev1alpha1.JWTAuthenticator{
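Review bot: Both strategies in the fixture carry the same `CertificateAuthorityData` value (`dGVzdC1jb25jaWVyZ2UtY2E=`), so only the endpoint tells the test which strategy was selected. Giving the added "SomeOtherType" entry a different base64 CA value would make the expected kubeconfig fail if a regression paired the first strategy's endpoint with a later strategy's CA bundle. The first strategy's frontend and the assertions on the generated kubeconfig are outside these hunks, so this assumes the expected output includes the CA data.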