Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:24:57 -06:00 · 2021-03-04 12:24:57 -06:00 · ddd1d29e5d
commit ddd1d29e5d
parent 03f09c6870
2 changed files with 36 additions and 18 deletions
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@ -251,23 +251,25 @@ func configureConcierge(credentialIssuer *configv1alpha1.CredentialIssuer, authe
 	// Autodiscover the --concierge-mode.
 	if flags.concierge.mode == modeUnknown { //nolint:nestif
 	strategyLoop:
 		for _, strategy := range credentialIssuer.Status.Strategies {
-			fe := strategy.Frontend
+			if strategy.Status != configv1alpha1.SuccessStrategyStatus || strategy.Frontend == nil {
 			if strategy.Status != configv1alpha1.SuccessStrategyStatus || fe == nil {
 				continue
 			}
-
+			switch strategy.Frontend.Type {
 			switch fe.Type {
 			case configv1alpha1.TokenCredentialRequestAPIFrontendType:
 				flags.concierge.mode = modeTokenCredentialRequestAPI
 				break strategyLoop
 			case configv1alpha1.ImpersonationProxyFrontendType:
 				flags.concierge.mode = modeImpersonationProxy
-				flags.concierge.endpoint = fe.ImpersonationProxyInfo.Endpoint
+				flags.concierge.endpoint = strategy.Frontend.ImpersonationProxyInfo.Endpoint
 				var err error
-				conciergeCABundleData, err = base64.StdEncoding.DecodeString(fe.ImpersonationProxyInfo.CertificateAuthorityData)
+				conciergeCABundleData, err = base64.StdEncoding.DecodeString(strategy.Frontend.ImpersonationProxyInfo.CertificateAuthorityData)
 				if err != nil {
 					return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
 				}
 				break strategyLoop
 			default:
 				//	Skip any unknown frontend types.
 			}
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@ -788,20 +788,36 @@ func TestGetKubeconfig(t *testing.T) {
 				&configv1alpha1.CredentialIssuer{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
 					Status: configv1alpha1.CredentialIssuerStatus{
-						Strategies: []configv1alpha1.CredentialIssuerStrategy{{
+						Strategies: []configv1alpha1.CredentialIssuerStrategy{
-							Type:           "SomeType",
+							{
-							Status:         configv1alpha1.SuccessStrategyStatus,
+								Type:           "SomeType",
-							Reason:         "SomeReason",
+								Status:         configv1alpha1.SuccessStrategyStatus,
-							Message:        "Some message",
+								Reason:         "SomeReason",
-							LastUpdateTime: metav1.Now(),
+								Message:        "Some message",
-							Frontend: &configv1alpha1.CredentialIssuerFrontend{
+								LastUpdateTime: metav1.Now(),
-								Type: configv1alpha1.ImpersonationProxyFrontendType,
+								Frontend: &configv1alpha1.CredentialIssuerFrontend{
-								ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+									Type: configv1alpha1.ImpersonationProxyFrontendType,
-									Endpoint:                 "https://impersonation-proxy-endpoint.test",
+									ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
-									CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
+										Endpoint:                 "https://impersonation-proxy-endpoint.test",
 										CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
 									},
 								},
 							},
-						}},
+							{
 								Type:           "SomeOtherType",
 								Status:         configv1alpha1.SuccessStrategyStatus,
 								Reason:         "SomeOtherReason",
 								Message:        "Some other message",
 								LastUpdateTime: metav1.Now(),
 								Frontend: &configv1alpha1.CredentialIssuerFrontend{
 									Type: configv1alpha1.ImpersonationProxyFrontendType,
 									ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
 										Endpoint:                 "https://some-other-impersonation-endpoint",
 										CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
 									},
 								},
 							},
 						},
 					},
 				},
 				&conciergev1alpha1.JWTAuthenticator{