oidc authenticator: allow passing in CA via bytes
This change updates the OIDC authenticator code to use a subset of the dynamiccertificates.CAContentProvider interface to provide the root CA bytes. This removes the hard dependency on a file-based CA and makes it easier to use this code as a library.

Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: 5dd4c89df38d4a5389c0cbf2c7fe4f6a5d5534ce
							parent
									cba9cd88c4
						commit
						1fd6a1891c
			@ -78,8 +78,8 @@ type Options struct {
 | 
			
		|||
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
 | 
			
		||||
	ClientID string
 | 
			
		||||
 | 
			
		||||
	// Path to a PEM encoded root certificate of the provider.
 | 
			
		||||
	CAFile string
 | 
			
		||||
	// PEM encoded root certificate contents of the provider.
 | 
			
		||||
	CAContentProvider CAContentProvider
 | 
			
		||||
 | 
			
		||||
	// UsernameClaim is the JWT field to use as the user's username.
 | 
			
		||||
	UsernameClaim string
 | 
			
		||||
| 
						 | 
				
			
			@ -116,6 +116,11 @@ type Options struct {
 | 
			
		|||
	now func() time.Time
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// Subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.
 | 
			
		||||
type CAContentProvider interface {
 | 
			
		||||
	CurrentCABundleContent() []byte
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// initVerifier creates a new ID token verifier for the given configuration and issuer URL.  On success, calls setVerifier with the
 | 
			
		||||
// resulting verifier.
 | 
			
		||||
func initVerifier(ctx context.Context, config *oidc.Config, iss string) (*oidc.IDTokenVerifier, error) {
 | 
			
		||||
| 
						 | 
				
			
			@ -273,10 +278,11 @@ func newAuthenticator(opts Options, initVerifier func(ctx context.Context, a *Au
 | 
			
		|||
	}
 | 
			
		||||
 | 
			
		||||
	var roots *x509.CertPool
 | 
			
		||||
	if opts.CAFile != "" {
 | 
			
		||||
		roots, err = certutil.NewPool(opts.CAFile)
 | 
			
		||||
	if opts.CAContentProvider != nil {
 | 
			
		||||
		// TODO(enj): make this reload CA data dynamically
 | 
			
		||||
		roots, err = certutil.NewPoolFromBytes(opts.CAContentProvider.CurrentCABundleContent())
 | 
			
		||||
		if err != nil {
 | 
			
		||||
			return nil, fmt.Errorf("Failed to read the CA file: %v", err)
 | 
			
		||||
			return nil, fmt.Errorf("Failed to read the CA contents: %v", err)
 | 
			
		||||
		}
 | 
			
		||||
	} else {
 | 
			
		||||
		klog.Info("OIDC: No x509 certificates provided, will use host's root CA set")
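Review bot: The new CAContentProvider field is documented only as "PEM encoded root certificate contents of the provider", but newAuthenticator calls `CurrentCABundleContent()` exactly once while building the pool (the TODO(enj) comment above the call acknowledges this), so a caller who wires in a dynamic provider will not get certificate rotation; the field comment should say so: `// CAContentProvider supplies the PEM encoded root certificates of the provider. Only the bundle returned at construction time is used; later changes are not picked up.` While touching the error path, wrapping with `%w` would let callers inspect the underlying parse error: `return nil, fmt.Errorf("Failed to read the CA contents: %w", err)`. Whether an empty bundle from the provider is rejected or quietly yields an empty pool depends on certutil.NewPoolFromBytes, which is outside this diff; an explicit `len(...) == 0` check before the call would make that failure mode independent of the helper. newAuthenticator starts and ends outside the hunk.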
 | 
			
		||||
			@ -38,6 +38,7 @@ import (
 | 
			
		|||
	oidc "github.com/coreos/go-oidc"
 | 
			
		||||
	jose "gopkg.in/square/go-jose.v2"
 | 
			
		||||
	"k8s.io/apiserver/pkg/authentication/user"
 | 
			
		||||
	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 | 
			
		||||
	"k8s.io/klog/v2"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -254,7 +255,11 @@ func (c *claimsTest) run(t *testing.T) {
 | 
			
		|||
	// by writing its root CA certificate into a temporary file.
 | 
			
		||||
	tempFileName := writeTempCert(t, ts.TLS.Certificates[0].Certificate[0])
 | 
			
		||||
	defer os.Remove(tempFileName)
 | 
			
		||||
	c.options.CAFile = tempFileName
 | 
			
		||||
	caContent, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-authenticator", tempFileName)
 | 
			
		||||
	if err != nil {
 | 
			
		||||
		t.Fatalf("initialize ca: %v", err)
 | 
			
		||||
	}
 | 
			
		||||
	c.options.CAContentProvider = caContent
 | 
			
		||||
 | 
			
		||||
	// Allow claims to refer to the serving URL of the test server.  For this,
 | 
			
		||||
	// substitute all references to {{.URL}} in appropriate places.
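Review bot: The test still round-trips the CA through a temporary file (`writeTempCert`, `os.Remove`, and now `dynamiccertificates.NewDynamicCAContentFromFile`), even though the production change exists so that callers need not depend on a file. A two-line static provider in the test, `type staticCA []byte` with `func (b staticCA) CurrentCABundleContent() []byte { return b }`, assigned via `c.options.CAContentProvider = staticCA(pemBytes)`, would exercise the new bytes-based path directly and let the temp file and the new dynamiccertificates import go. This assumes writeTempCert is what PEM-encodes the DER certificate; if so, `pem.EncodeToMemory` can produce the same bytes in memory. The enclosing run method starts and ends outside the hunk.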
 | 
			
		||||