Validate tokens using the new dynamic IDP cache instead of the static config.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 10:47:16 -05:00 · 2020-09-14 10:47:16 -05:00 · f7c9ae8ba3
commit f7c9ae8ba3
parent 75ea0f48d9
2 changed files with 26 additions and 6 deletions
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@ -14,11 +14,15 @@ import (
 	k8sinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/klog/v2/klogr"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

 	pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 	pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
 	"github.com/suzerain-io/pinniped/internal/controller/apicerts"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller"
 	"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 	"github.com/suzerain-io/pinniped/internal/controllerlib"
 	"github.com/suzerain-io/pinniped/internal/provider"
@ -36,6 +40,7 @@ func PrepareControllers(
 	dynamicCertProvider provider.DynamicTLSServingCertProvider,
 	servingCertDuration time.Duration,
 	servingCertRenewBefore time.Duration,
+	idpCache *idpcache.Cache,
 ) (func(ctx context.Context), error) {
 	// Create k8s clients.
 	k8sClient, aggregatorClient, pinnipedClient, err := createClients()
@ -104,6 +109,22 @@ func PrepareControllers(
 				servingCertRenewBefore,
 			),
 			singletonWorker,
+		).
+		WithController(
+			webhookcachefiller.New(
+				idpCache,
+				installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+				klogr.New(),
+			),
+			singletonWorker,
+		).
+		WithController(
+			webhookcachecleaner.New(
+				idpCache,
+				installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+				klogr.New(),
+			),
+			singletonWorker,
 		)

 	// Return a function which starts the informers and controllers.
--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -26,6 +26,7 @@ import (
 	pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 	"github.com/suzerain-io/pinniped/internal/apiserver"
 	"github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
 	"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 	"github.com/suzerain-io/pinniped/internal/controllermanager"
 	"github.com/suzerain-io/pinniped/internal/downward"
@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error {
 	}
 	defer shutdownCA()

-	// Create a WebhookTokenAuthenticator.
-	webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig)
-	if err != nil {
-		return fmt.Errorf("could not create webhook client: %w", err)
-	}
+	// Initialize the cache of active identity providers.
+	idpCache := idpcache.New()

 	// This cert provider will provide certs to the API server and will
 	// be mutated by a controller to keep the certs up to date with what
@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error {
 		dynamicCertProvider,
 		time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
 		time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
+		idpCache,
 	)
 	if err != nil {
 		return fmt.Errorf("could not prepare controllers: %w", err)
@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error {
 	// Get the aggregated API server config.
 	aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
 		dynamicCertProvider,
-		webhookTokenAuthenticator,
+		idpCache,
 		k8sClusterCA,
 		startControllersFunc,
 	)