Validate tokens using the new dynamic IDP cache instead of the static config.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
parent
75ea0f48d9
commit
f7c9ae8ba3
@ -14,11 +14,15 @@ import (
|
|||||||
k8sinformers "k8s.io/client-go/informers"
|
k8sinformers "k8s.io/client-go/informers"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
|
"k8s.io/klog/v2/klogr"
|
||||||
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
||||||
|
|
||||||
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
|
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
|
||||||
pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
|
pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
|
||||||
"github.com/suzerain-io/pinniped/internal/controller/apicerts"
|
"github.com/suzerain-io/pinniped/internal/controller/apicerts"
|
||||||
|
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
|
||||||
|
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner"
|
||||||
|
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller"
|
||||||
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
|
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
|
||||||
"github.com/suzerain-io/pinniped/internal/controllerlib"
|
"github.com/suzerain-io/pinniped/internal/controllerlib"
|
||||||
"github.com/suzerain-io/pinniped/internal/provider"
|
"github.com/suzerain-io/pinniped/internal/provider"
|
||||||
@ -36,6 +40,7 @@ func PrepareControllers(
|
|||||||
dynamicCertProvider provider.DynamicTLSServingCertProvider,
|
dynamicCertProvider provider.DynamicTLSServingCertProvider,
|
||||||
servingCertDuration time.Duration,
|
servingCertDuration time.Duration,
|
||||||
servingCertRenewBefore time.Duration,
|
servingCertRenewBefore time.Duration,
|
||||||
|
idpCache *idpcache.Cache,
|
||||||
) (func(ctx context.Context), error) {
|
) (func(ctx context.Context), error) {
|
||||||
// Create k8s clients.
|
// Create k8s clients.
|
||||||
k8sClient, aggregatorClient, pinnipedClient, err := createClients()
|
k8sClient, aggregatorClient, pinnipedClient, err := createClients()
|
||||||
@ -104,6 +109,22 @@ func PrepareControllers(
|
|||||||
servingCertRenewBefore,
|
servingCertRenewBefore,
|
||||||
),
|
),
|
||||||
singletonWorker,
|
singletonWorker,
|
||||||
|
).
|
||||||
|
WithController(
|
||||||
|
webhookcachefiller.New(
|
||||||
|
idpCache,
|
||||||
|
installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
|
||||||
|
klogr.New(),
|
||||||
|
),
|
||||||
|
singletonWorker,
|
||||||
|
).
|
||||||
|
WithController(
|
||||||
|
webhookcachecleaner.New(
|
||||||
|
idpCache,
|
||||||
|
installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
|
||||||
|
klogr.New(),
|
||||||
|
),
|
||||||
|
singletonWorker,
|
||||||
)
|
)
|
||||||
|
|
||||||
// Return a function which starts the informers and controllers.
|
// Return a function which starts the informers and controllers.
|
||||||
|
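Review bot: `installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders()` and `klogr.New()` are each evaluated twice in the new WithController chain of the -104 hunk, once for webhookcachefiller.New and once for webhookcachecleaner.New; hoisting them into locals such as `webhookIDPInformer := installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders()` makes it obvious that both controllers watch the same informer and keeps the two call sites from drifting apart. The `idpCache *idpcache.Cache` parameter added in the -36 hunk has no comment, yet the cache these controllers fill is what runServer later hands to getAggregatedAPIServerConfig in place of the static webhook authenticator, so it now defines which token authenticators the API server trusts. A short comment on the parameter saying that the cache is populated from WebhookIdentityProvider resources (scoped, going by the informer name, to the installation namespace) and that write access to those resources therefore amounts to control over token validation would make that trust boundary explicit to the next maintainer. PrepareControllers begins before the -36 hunk and its body continues past the -104 hunk.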
@ -26,6 +26,7 @@ import (
|
|||||||
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
|
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
|
||||||
"github.com/suzerain-io/pinniped/internal/apiserver"
|
"github.com/suzerain-io/pinniped/internal/apiserver"
|
||||||
"github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
|
"github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
|
||||||
|
"github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
|
||||||
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
|
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
|
||||||
"github.com/suzerain-io/pinniped/internal/controllermanager"
|
"github.com/suzerain-io/pinniped/internal/controllermanager"
|
||||||
"github.com/suzerain-io/pinniped/internal/downward"
|
"github.com/suzerain-io/pinniped/internal/downward"
|
||||||
@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
defer shutdownCA()
|
defer shutdownCA()
|
||||||
|
|
||||||
// Create a WebhookTokenAuthenticator.
|
// Initialize the cache of active identity providers.
|
||||||
webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig)
|
idpCache := idpcache.New()
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not create webhook client: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// This cert provider will provide certs to the API server and will
|
// This cert provider will provide certs to the API server and will
|
||||||
// be mutated by a controller to keep the certs up to date with what
|
// be mutated by a controller to keep the certs up to date with what
|
||||||
@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error {
|
|||||||
dynamicCertProvider,
|
dynamicCertProvider,
|
||||||
time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
|
time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
|
||||||
time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
|
time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
|
||||||
|
idpCache,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("could not prepare controllers: %w", err)
|
return fmt.Errorf("could not prepare controllers: %w", err)
|
||||||
@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error {
|
|||||||
// Get the aggregated API server config.
|
// Get the aggregated API server config.
|
||||||
aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
|
aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
|
||||||
dynamicCertProvider,
|
dynamicCertProvider,
|
||||||
webhookTokenAuthenticator,
|
idpCache,
|
||||||
k8sClusterCA,
|
k8sClusterCA,
|
||||||
startControllersFunc,
|
startControllersFunc,
|
||||||
)
|
)
|
||||||
|
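Review bot: `idpCache := idpcache.New()` replaces `config.NewWebhook(cfg.WebhookConfig)` in the -118 hunk, but nothing in this commit shows `cfg.WebhookConfig` being read or rejected afterwards; if that field is now dead, an operator who still sets it will silently get no authenticator from it, so either validate and reject a populated `cfg.WebhookConfig` at config-load time or remove the field. The cache is also still empty when it is passed to `getAggregatedAPIServerConfig` in the -147 hunk and only fills once `startControllersFunc` has run the webhookcachefiller controller, so a comment next to `idpCache := idpcache.New()` noting that no identity providers are trusted until the controllers have synced would help; how the authenticator behaves on an empty cache is not visible in this diff. runServer starts and ends outside these hunks.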