From f7c9ae8ba36e9eb22f4b54bbfb5b3f424d663c28 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Mon, 14 Sep 2020 10:47:16 -0500
Subject: [PATCH] Validate tokens using the new dynamic IDP cache instead of the static config.

Signed-off-by: Matt Moyer
---
 .../controllermanager/prepare_controllers.go | 21 +++++++++++++++++++
 internal/server/server.go                    | 11 +++++-----
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index dcb565fa..fc821886 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -14,11 +14,15 @@ import (
 	k8sinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/klog/v2/klogr"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
 	pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 	pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
 	"github.com/suzerain-io/pinniped/internal/controller/apicerts"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller"
 	"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 	"github.com/suzerain-io/pinniped/internal/controllerlib"
 	"github.com/suzerain-io/pinniped/internal/provider"
@@ -36,6 +40,7 @@ func PrepareControllers(
 	dynamicCertProvider provider.DynamicTLSServingCertProvider,
 	servingCertDuration time.Duration,
 	servingCertRenewBefore time.Duration,
+	idpCache *idpcache.Cache,
 ) (func(ctx context.Context), error) {
 	// Create k8s clients.
 	k8sClient, aggregatorClient, pinnipedClient, err := createClients()
@@ -104,6 +109,22 @@ func PrepareControllers(
 			servingCertRenewBefore,
 		),
 		singletonWorker,
+	).
+	WithController(
+		webhookcachefiller.New(
+			idpCache,
+			installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+			klogr.New(),
+		),
+		singletonWorker,
+	).
+	WithController(
+		webhookcachecleaner.New(
+			idpCache,
+			installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+			klogr.New(),
+		),
+		singletonWorker,
 	)
 
 	// Return a function which starts the informers and controllers.
diff --git a/internal/server/server.go b/internal/server/server.go
index 774c9e4e..64faa1d2 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -26,6 +26,7 @@ import (
 	pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 	"github.com/suzerain-io/pinniped/internal/apiserver"
 	"github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
+	"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
 	"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 	"github.com/suzerain-io/pinniped/internal/controllermanager"
 	"github.com/suzerain-io/pinniped/internal/downward"
@@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error {
 	}
 	defer shutdownCA()
 
-	// Create a WebhookTokenAuthenticator.
-	webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig)
-	if err != nil {
-		return fmt.Errorf("could not create webhook client: %w", err)
-	}
+	// Initialize the cache of active identity providers.
+	idpCache := idpcache.New()
 
 	// This cert provider will provide certs to the API server and will
 	// be mutated by a controller to keep the certs up to date with what
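Review bot: Both new controllers are handed a bare `klogr.New()`, so once they run in the same process their log lines cannot be told apart, which matters when an operator is debugging why a WebhookIdentityProvider did or did not become an active authenticator; give each logger a name, `klogr.New().WithName("webhookcachefiller")` and `klogr.New().WithName("webhookcachecleaner")`. The filler and the cleaner also watch the same `WebhookIdentityProviders()` informer and both write to the same `idpCache`, so the cache is presumably expected to tolerate concurrent writers while the API server reads it; a one-line comment at the first `WithController` stating that expectation would save the next reader a trip into idpcache. `PrepareControllers` begins and ends outside this hunk.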
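Review bot: Replacing the statically configured webhook authenticator with an empty `idpcache.New()` moves the trust boundary for token validation from the operator-controlled config file to anyone who can create `WebhookIdentityProvider` objects in the installation namespace, so that RBAC is now security-critical and deserves to be called out here, e.g. `// NOTE: every WebhookIdentityProvider in the installation namespace becomes a token authenticator for this server; creating them must be restricted to cluster operators.` Separately, `cfg.WebhookConfig` has lost its only reader visible in this function, so a deployment that still sets it will silently get no static webhook at all; assuming nothing else consumes the field, returning an error or at least logging a warning when it is non-empty would make the migration visible. The cache is also empty until the controllers have synced, so tokens presented before the first informer sync will presumably be rejected rather than validated. `runServer` begins and ends outside this hunk.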
@@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error {
 		dynamicCertProvider,
 		time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
 		time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
+		idpCache,
 	)
 	if err != nil {
 		return fmt.Errorf("could not prepare controllers: %w", err)
@@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error {
 	// Get the aggregated API server config.
 	aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
 		dynamicCertProvider,
-		webhookTokenAuthenticator,
+		idpCache,
 		k8sClusterCA,
 		startControllersFunc,
 	)
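Review bot: `idpCache` now sits in the argument position that `webhookTokenAuthenticator` occupied, so the aggregated API server's authenticator is a mutable object that the controllers started through `startControllersFunc` write to while request handlers read it; the change to `getAggregatedAPIServerConfig`'s parameter type that makes this compile is outside the hunk and should be checked, as should what the cache does with a token while it holds no providers. A short comment above the call would make the dependency explicit, e.g. `// idpCache is the token authenticator; it is filled in by the webhook cache controllers and is presumably empty until they first sync.` `runServer` continues beyond the end of this hunk.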