From e9f291bd32f5065124167f443bdf3f1fa786a04d Mon Sep 17 00:00:00 2001 From: kaedwen Date: Tue, 8 Oct 2024 19:58:39 +0200 Subject: [PATCH] fix cert auth without token fixed #3926 (#3952) * fix cert auth without token fixed #3926 Signed-off-by: kaedwen * refactor auth preapre, fail when nothing is given Signed-off-by: kaedwen --------- Signed-off-by: kaedwen Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --- pkg/provider/kubernetes/auth.go | 54 +++++++++++++++------------- pkg/provider/kubernetes/auth_test.go | 18 +--------- 2 files changed, 30 insertions(+), 42 deletions(-) diff --git a/pkg/provider/kubernetes/auth.go b/pkg/provider/kubernetes/auth.go index d62b23cd1..8d7eeaf66 100644 --- a/pkg/provider/kubernetes/auth.go +++ b/pkg/provider/kubernetes/auth.go @@ -44,6 +44,14 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) { return clientcmd.RESTConfigFromKubeConfig(cfg) } + if c.store.Server.URL == "" { + return nil, errors.New("no server URL provided") + } + + cfg := &rest.Config{ + Host: c.store.Server.URL, + } + ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{ CABundle: c.store.Server.CABundle, CAProvider: c.store.Server.CAProvider, 
@@ -55,43 +63,39 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) { return nil, err } - var token []byte - if c.store.Auth.Token != nil { - token, err = c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken) + cfg.TLSClientConfig = rest.TLSClientConfig{ + Insecure: false, + CAData: ca, + } + + switch { + case c.store.Auth.Token != nil: + token, err := c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken) if err != nil { return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err) } - } else if c.store.Auth.ServiceAccount != nil { - token, err = c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount) + + cfg.BearerToken = string(token) + case c.store.Auth.ServiceAccount != nil: + token, err := c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount) if err != nil { return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err) } - } else { - return nil, errors.New("no auth provider given") - } - var key, cert []byte - if c.store.Auth.Cert != nil { - key, cert, err = c.getClientKeyAndCert(ctx) + cfg.BearerToken = string(token) + case c.store.Auth.Cert != nil: + key, cert, err := c.getClientKeyAndCert(ctx) if err != nil { return nil, fmt.Errorf("could not fetch client key and cert: %w", err) } + + cfg.TLSClientConfig.KeyData = key + cfg.TLSClientConfig.CertData = cert + default: + return nil, errors.New("no auth provider given") } - if c.store.Server.URL == "" { - return nil, errors.New("no server URL provided") - } - - return &rest.Config{ - Host: c.store.Server.URL, - BearerToken: string(token), - TLSClientConfig: rest.TLSClientConfig{ - Insecure: false, - CertData: cert, - KeyData: key, - CAData: ca, - }, - }, nil + return cfg, nil } func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) { diff --git a/pkg/provider/kubernetes/auth_test.go b/pkg/provider/kubernetes/auth_test.go index 84e2a0d75..7c3feb75c 100644 --- a/pkg/provider/kubernetes/auth_test.go +++ b/pkg/provider/kubernetes/auth_test.go 
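Review bot: The new `switch` over `Auth.Token`, `Auth.ServiceAccount` and `Auth.Cert` makes the three credential sources mutually exclusive, so a store that configures a bearer token together with a client certificate (a combination the removed code honoured and the deleted test case in auth_test.go exercised) now silently drops `KeyData`/`CertData` and authenticates with the token alone. A silently weakened authentication setup is worse than a hard failure: if the combination is not meant to be supported, reject it explicitly before the `switch` instead of taking the first matching case, and if it is meant to be supported, apply the cert branch unconditionally after the token/service-account choice as before. `Insecure: false` with `CAData: ca` looks right, but if `utils.FetchCACertFromSource` can return an empty bundle the client will fall back to the system trust store, which deserves a one-line comment at that assignment if intended. `getAuth` ends inside this hunk; `getClientKeyAndCert` starts on its last line and continues outside it.
```go
	// Exactly one credential source may be configured. Resolving the switch
	// by first match would silently ignore the others (e.g. a client cert
	// configured next to a bearer token), so fail loudly instead.
	configured := 0
	for _, set := range []bool{
		c.store.Auth.Token != nil,
		c.store.Auth.ServiceAccount != nil,
		c.store.Auth.Cert != nil,
	} {
		if set {
			configured++
		}
	}
	if configured > 1 {
		return nil, errors.New("only one auth provider may be given")
	}

	switch {
	// … unchanged: token / service-account / cert cases and the default error …
	}
```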
@@ -250,14 +250,6 @@ func TestSetAuth(t *testing.T) { "cert": []byte("my-cert"), "key": []byte("my-key"), }, - }, &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foobar", - Namespace: "default", - }, - Data: map[string][]byte{ - "token": []byte("mytoken"), - }, }).Build(), store: &esv1beta1.KubernetesProvider{ Server: esv1beta1.KubernetesServer{ @@ -265,13 +257,6 @@ func TestSetAuth(t *testing.T) { CABundle: []byte(caCert), }, Auth: esv1beta1.KubernetesAuth{ - Token: &esv1beta1.TokenAuth{ - BearerToken: v1.SecretKeySelector{ - Name: "foobar", - Namespace: pointer.To("shouldnotberelevant"), - Key: "token", - }, - }, Cert: &esv1beta1.CertAuth{ ClientCert: v1.SecretKeySelector{ Name: "mycert", @@ -286,8 +271,7 @@ func TestSetAuth(t *testing.T) { }, }, want: &want{ - Host: "https://my.test.tld", - BearerToken: "mytoken", + Host: "https://my.test.tld", TLSClientConfig: rest.TLSClientConfig{ CAData: []byte(caCert), CertData: []byte("my-cert"),
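Review bot: Removing the `foobar` token secret and the `Token` selector from this case leaves the suite with no test for a store that sets both a bearer token and a client certificate, which is precisely the input whose handling the auth.go change alters (the certificate is no longer applied); a case pinning the intended outcome, whether an error or a combined config, should be added. The deleted `Namespace: pointer.To("shouldnotberelevant")` selector was also the only visible check that the secret namespace is not taken from the selector for `Token` auth; if that property still holds, move that assertion into one of the remaining token cases instead of dropping it. The `want` here now asserts only `Host` and `TLSClientConfig`; if the comparison is field-by-field rather than on the whole struct, also asserting an empty `BearerToken` for the cert-only case would catch a token leaking into the config.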