Search client auth with and without port
Kubernetes-commit: 2f5dde7672eaf90c7086f86a5a4ee190559f3bb2
parent
fa157b05a9
commit
2de636a948
|
@ -136,6 +136,23 @@ func (c *defaultAuthenticationInfoResolver) clientConfig(target string) (*rest.C
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If target included the default https port (443), search again without the port
|
||||||
|
if target, port, err := net.SplitHostPort(target); err == nil && port == "443" {
|
||||||
|
// exact match without port
|
||||||
|
if authConfig, ok := c.kubeconfig.AuthInfos[target]; ok {
|
||||||
|
return restConfigFromKubeconfig(authConfig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// star prefixed match without port
|
||||||
|
serverSteps := strings.Split(target, ".")
|
||||||
|
for i := 1; i < len(serverSteps); i++ {
|
||||||
|
nickName := "*." + strings.Join(serverSteps[i:], ".")
|
||||||
|
if authConfig, ok := c.kubeconfig.AuthInfos[nickName]; ok {
|
||||||
|
return restConfigFromKubeconfig(authConfig)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
|
// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
|
||||||
if target == "kubernetes.default.svc" {
|
if target == "kubernetes.default.svc" {
|
||||||
// if we can find an in-cluster-config use that. If we can't, fall through.
|
// if we can find an in-cluster-config use that. If we can't, fall through.
|
||||||
|
|
|
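Review bot: The added `if target, port, err := net.SplitHostPort(target); ...` re-declares `target`, so inside the block the name means the host without its port while everywhere else in clientConfig it means the full host:port string. This function picks which kubeconfig credential is sent to a server, so the lookup key should be unambiguous: `if host, port, err := net.SplitHostPort(target); err == nil && port == "443" {`, with `host` used in the exact lookup and in `strings.Split(host, ".")`. The comment above the block should also state the resulting precedence, for example `// Port-qualified entries are tried first; an entry keyed by bare host or "*.domain" also applies to host:443 and takes priority over later fallbacks.` The ordering against the earlier lookups is inferred from the test expectations, because clientConfig begins and ends outside this hunk. Operators should know that a credential keyed by a bare hostname is now also presented to that host on :443.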
@ -109,6 +109,90 @@ func TestAuthenticationDetection(t *testing.T) {
|
||||||
},
|
},
|
||||||
expected: rest.Config{BearerToken: "first"},
|
expected: rest.Config{BearerToken: "first"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "exact match with default https port",
|
||||||
|
serverName: "one.two.three.com:443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"one.two.three.com:443": {Token: "exact"},
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "exact"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard match with default https port",
|
||||||
|
serverName: "one.two.three.com:443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"*.two.three.com:443": {Token: "first-with-port"},
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "first-with-port"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard match without default https port",
|
||||||
|
serverName: "one.two.three.com:443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "first"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "exact match with non-default https port",
|
||||||
|
serverName: "one.two.three.com:8443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"one.two.three.com:8443": {Token: "exact"},
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "exact"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard match with non-default https port",
|
||||||
|
serverName: "one.two.three.com:8443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"*.two.three.com:8443": {Token: "first-with-port"},
|
||||||
|
"one.two.three.com": {Token: "first-without-port"},
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "first-with-port"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard match without non-default https port",
|
||||||
|
serverName: "one.two.three.com:8443",
|
||||||
|
kubeconfig: clientcmdapi.Config{
|
||||||
|
AuthInfos: map[string]*clientcmdapi.AuthInfo{
|
||||||
|
"one.two.three.com": {Token: "first-without-port"},
|
||||||
|
"*.two.three.com": {Token: "first"},
|
||||||
|
"*.three.com": {Token: "second"},
|
||||||
|
"*.com": {Token: "third"},
|
||||||
|
"*": {Token: "fallback"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected: rest.Config{BearerToken: "fallback"},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range tests {
|
for _, tc := range tests {
|
||||||
|
|
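Review bot: None of the six added cases reaches the new "exact match without port" branch, where serverName carries `:443` and the only non-wildcard key is the bare hostname. The two default-port cases that match without a port both resolve through the wildcard loop. That branch decides which bearer token is sent, so it needs its own case, ideally with a competing wildcard entry so the test also fixes the precedence of exact over wildcard. The table and TestAuthenticationDetection begin and end outside this hunk, so an existing case may already cover it. The token value below is a constructed sample.

```go
// … unchanged: "wildcard match without default https port" case …
{
	name:       "exact match without default https port",
	serverName: "one.two.three.com:443",
	kubeconfig: clientcmdapi.Config{
		AuthInfos: map[string]*clientcmdapi.AuthInfo{
			"one.two.three.com": {Token: "exact-without-port"},
			"*.two.three.com":   {Token: "first"},
			"*":                 {Token: "fallback"},
		},
	},
	expected: rest.Config{BearerToken: "exact-without-port"},
},
// … unchanged: non-default port cases …
```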