From 0abe10e6b281156151ffeec2c88c6dcdfcc042cf Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Tue, 9 Mar 2021 14:48:16 -0600
Subject: [PATCH] Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending. This behavior can be disabled with "--concierge-skip-wait".
Signed-off-by: Matt Moyer
---
 cmd/pinniped/cmd/kubeconfig.go | 38 +++++++++++++++++++++++++++++
 cmd/pinniped/cmd/kubeconfig_test.go | 1 +
 2 files changed, 39 insertions(+)
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 243bc30f9..1f59a970a 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -87,6 +87,7 @@ type getKubeconfigConciergeParams struct {
 caBundle caBundleFlag
 endpoint string
 mode conciergeModeFlag
+ skipWait bool
 }
 
 type getKubeconfigParams struct {
@@ -123,6 +124,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
 f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
 f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
+ f.BoolVar(&flags.concierge.skipWait, "concierge-skip-wait", false, "Skip waiting for any pending Concierge strategies to become ready (default: false)")
 f.Var(&flags.concierge.caBundle, "concierge-ca-bundle", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge")
 f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Concierge endpoint")
 
@@ -205,6 +207,33 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
 return err
 }
 
+ if !flags.concierge.skipWait {
+ ticker := time.NewTicker(2 * time.Second)
+ defer ticker.Stop()
+
+ deadline, _ := ctx.Deadline()
+ attempts := 1
+
+ for {
+ if !hasPendingStrategy(credentialIssuer) {
+ break
+ }
+ deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
+ "attempts", attempts,
+ "remaining", time.Until(deadline).Round(time.Second).String(),
+ )
+ select {
+ case <-ctx.Done():
+ return ctx.Err()
+ case <-ticker.C:
+ credentialIssuer, err = lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
 authenticator, err := lookupAuthenticator(
 clientset,
 flags.concierge.authenticatorType,
@@ -636,3 +665,12 @@ func countCACerts(pemData []byte) int {
 pool.AppendCertsFromPEM(pemData)
 return len(pool.Subjects())
 }
+
+func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
+ for _, strategy := range credentialIssuer.Status.Strategies {
+ if strategy.Reason == configv1alpha1.PendingStrategyReason {
+ return true
+ }
+ }
+ return false
+}
diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go
index 0c8280387..53b83830f 100644
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -73,6 +73,7 @@ func TestGetKubeconfig(t *testing.T) {
 --concierge-credential-issuer string Concierge CredentialIssuer object to use for autodiscovery (default: autodiscover)
 --concierge-endpoint string API base for the Concierge endpoint
 --concierge-mode mode Concierge mode of operation (default TokenCredentialRequestAPI)
+ --concierge-skip-wait Skip waiting for any pending Concierge strategies to become ready (default: false)
 -h, --help help for kubeconfig
 --kubeconfig string Path to kubeconfig file
 --kubeconfig-context string Kubeconfig context name (default: current active context)
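Review bot: In the wait loop added to runGetKubeconfig, `attempts` is set to 1 and never incremented, so every "waiting for CredentialIssuer pending strategies to finish" log line reports the same count; add `attempts++` in the `case <-ticker.C:` branch once the refresh has succeeded. The second result of `ctx.Deadline()` is also discarded: when the context carries no deadline, `deadline` is the zero time, the "remaining" field logs a meaningless negative duration, and nothing bounds the loop if a strategy stays Pending. Use `deadline, ok := ctx.Deadline()` and log "remaining" only when `ok`, or give the loop its own `context.WithTimeout`. Whether the context already has a deadline is decided by the caller, outside this hunk, and the function body continues beyond it.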
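Review bot: hasPendingStrategy has no doc comment and dereferences `credentialIssuer` without a nil check, so the contract that the argument is non-nil is implicit. It compares `Reason` only, so a strategy that has left Pending for a failure reason makes it return false; that matches the commit message ("become non-pending") but not the flag help text, which says "become ready". A comment such as `// hasPendingStrategy reports whether any strategy in the non-nil credentialIssuer has the Pending reason; false does not imply success.` would stop a later caller from reading false as "usable".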
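Review bot: The new wait loop in runGetKubeconfig has no test coverage in this patch: the diffstat shows a single insertion in kubeconfig_test.go, and it is the expected help text for `--concierge-skip-wait`. TestGetKubeconfig should gain cases for a CredentialIssuer that goes from Pending to non-pending after a refresh, for a context cancelled while a strategy is still pending (expecting `ctx.Err()`), and for `--concierge-skip-wait` bypassing the loop. The hard-coded `2 * time.Second` ticker would make those cases slow, so the interval probably needs to be injectable, for example through `kubeconfigDeps`.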