Validate tokens using the new dynamic IDP cache instead of the static config.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2020-09-14 10:47:16 -05:00
parent 75ea0f48d9
commit f7c9ae8ba3
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
2 changed files with 26 additions and 6 deletions


@ -14,11 +14,15 @@ import (
k8sinformers "k8s.io/client-go/informers" k8sinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
"k8s.io/klog/v2/klogr"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
"github.com/suzerain-io/pinniped/internal/controller/apicerts" "github.com/suzerain-io/pinniped/internal/controller/apicerts"
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner"
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller"
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
"github.com/suzerain-io/pinniped/internal/controllerlib" "github.com/suzerain-io/pinniped/internal/controllerlib"
"github.com/suzerain-io/pinniped/internal/provider" "github.com/suzerain-io/pinniped/internal/provider"
@ -36,6 +40,7 @@ func PrepareControllers(
dynamicCertProvider provider.DynamicTLSServingCertProvider, dynamicCertProvider provider.DynamicTLSServingCertProvider,
servingCertDuration time.Duration, servingCertDuration time.Duration,
servingCertRenewBefore time.Duration, servingCertRenewBefore time.Duration,
idpCache *idpcache.Cache,
) (func(ctx context.Context), error) { ) (func(ctx context.Context), error) {
// Create k8s clients. // Create k8s clients.
k8sClient, aggregatorClient, pinnipedClient, err := createClients() k8sClient, aggregatorClient, pinnipedClient, err := createClients()
@ -104,6 +109,22 @@ func PrepareControllers(
servingCertRenewBefore, servingCertRenewBefore,
), ),
singletonWorker, singletonWorker,
).
WithController(
webhookcachefiller.New(
idpCache,
installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
klogr.New(),
),
singletonWorker,
).
WithController(
webhookcachecleaner.New(
idpCache,
installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
klogr.New(),
),
singletonWorker,
) )
// Return a function which starts the informers and controllers. // Return a function which starts the informers and controllers.
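Review bot: The new `idpCache *idpcache.Cache` parameter added to `PrepareControllers` carries no comment and is passed straight into `webhookcachefiller.New` and `webhookcachecleaner.New` without a nil guard, so a nil caller value would only surface inside the controllers at sync time rather than at the call site. Suggest documenting it on the signature line: `idpCache *idpcache.Cache, // shared cache of active webhook authenticators, populated and pruned by the two controllers below; must be non-nil`. It is also worth a comment near the two `WithController` calls that the set of trusted token authenticators is now derived from the `WebhookIdentityProviders()` informer on `installationNamespacePinnipedInformers`, which appears to make write access to that resource in the installation namespace the control over who can introduce an authenticator — confirm the RBAC for it is as narrow as the old static config was. The two `klogr.New()` calls could share one logger value, but that is style only. `PrepareControllers` starts and ends outside this hunk.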


@ -26,6 +26,7 @@ import (
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
"github.com/suzerain-io/pinniped/internal/apiserver" "github.com/suzerain-io/pinniped/internal/apiserver"
"github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority" "github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
"github.com/suzerain-io/pinniped/internal/controllermanager" "github.com/suzerain-io/pinniped/internal/controllermanager"
"github.com/suzerain-io/pinniped/internal/downward" "github.com/suzerain-io/pinniped/internal/downward"
@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error {
} }
defer shutdownCA() defer shutdownCA()
// Create a WebhookTokenAuthenticator. // Initialize the cache of active identity providers.
webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig) idpCache := idpcache.New()
if err != nil {
return fmt.Errorf("could not create webhook client: %w", err)
}
// This cert provider will provide certs to the API server and will // This cert provider will provide certs to the API server and will
// be mutated by a controller to keep the certs up to date with what // be mutated by a controller to keep the certs up to date with what
@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error {
dynamicCertProvider, dynamicCertProvider,
time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second, time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second, time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
idpCache,
) )
if err != nil { if err != nil {
return fmt.Errorf("could not prepare controllers: %w", err) return fmt.Errorf("could not prepare controllers: %w", err)
@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error {
// Get the aggregated API server config. // Get the aggregated API server config.
aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig( aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
dynamicCertProvider, dynamicCertProvider,
webhookTokenAuthenticator, idpCache,
k8sClusterCA, k8sClusterCA,
startControllersFunc, startControllersFunc,
) )
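Review bot: The startup-time validation previously done by `config.NewWebhook(cfg.WebhookConfig)` is dropped in the `-118,11 +119,8` hunk: `idpcache.New()` cannot fail, and the cache handed to `getAggregatedAPIServerConfig` in the `-147,7 +146,7` hunk starts empty until the filler controller launched through `startControllersFunc` has synced, so early token requests will presumably be rejected rather than the server refusing to start. That fail-closed window is probably intended, but the comment should say so; replace `// Initialize the cache of active identity providers.` with `// The cache starts empty; token validation rejects everything until the webhookcachefiller controller has synced the WebhookIdentityProvider objects.` If `cfg.WebhookConfig` is no longer consumed anywhere after this change, its parsing and validation path should be removed or marked deprecated so operators do not assume the static config is still honored. `runServer` starts and ends outside these hunks.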