update jwtcachefiller to use new tlsconfigutil.CABundle type

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
Ashish Amarnath
2024-07-25 19:53:27 -07:00
committed by Ryan Richard
parent 005dbf3aa8
commit 282b949c24


@@ -6,7 +6,6 @@ package webhookcachefiller
import (
"context"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"fmt"
@@ -162,8 +161,8 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
}
conditions := make([]*metav1.Condition, 0)
certPool, caBundlePEM, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
caBundlePEMSHA256 := sha256.Sum256(caBundlePEM) // note that this will always return the same hash for nil input
caBundle, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
caBundlePEMSHA256 := caBundle.GetCABundleHash()
// Only revalidate and update the cache if the cached authenticator is different from the desired authenticator.
// There is no need to repeat validations for a spec that was already successfully validated. We are making a
@@ -190,7 +189,7 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
endpointHostPort, conditions, endpointOk := c.validateEndpoint(webhookAuthenticator.Spec.Endpoint, conditions)
okSoFar := tlsBundleOk && endpointOk
conditions, tlsNegotiateErr := c.validateConnection(certPool, endpointHostPort, conditions, okSoFar)
conditions, tlsNegotiateErr := c.validateConnection(caBundle.GetCertPool(), endpointHostPort, conditions, okSoFar)
errs = append(errs, tlsNegotiateErr)
okSoFar = okSoFar && tlsNegotiateErr == nil
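Review bot: On the `validateConnection` line, `caBundle.GetCertPool()` is evaluated before the call regardless of `okSoFar`, so if `ValidateTLSConfig` hands back a nil `*tlsconfigutil.CABundle` for an invalid bundle (not visible here; `validateTLSBundle` now passes it through unchanged) this dereferences nil unless the getter tolerates a nil receiver — whereas the old `*x509.CertPool` could be nil safely, and the comment removed in the `@@ -162` hunk explicitly documented the nil case for the hash. Either guard at the call site, `var certPool *x509.CertPool` / `if caBundle != nil { certPool = caBundle.GetCertPool() }`, or record the contract on `validateTLSBundle`: `// The returned *CABundle is whatever ValidateTLSConfig produced, possibly nil when the condition is false; callers rely on its getters being nil-safe.` If the getter yields a nil pool for an empty bundle and validateConnection uses it as RootCAs, Go falls back to the system trust store — the same as before this commit, but worth pinning down together with the getter's nil behaviour. syncIndividualWebhookAuthenticator starts and ends outside this hunk, and the commit title says jwtcachefiller while the changed package is webhookcachefiller.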
@@ -198,7 +197,7 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
// Note that we use the whole URL when constructing the webhook client,
// not just the host and port that we validated above. We need the path, etc.
webhookAuthenticator.Spec.Endpoint,
caBundlePEM,
caBundle.GetCABundle(),
conditions,
okSoFar,
)
@@ -243,7 +242,7 @@ func (c *webhookCacheFillerController) cacheValueAsWebhookAuthenticator(value au
return webhookAuthenticator
}
func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*tlsconfigutil.CABundle, []*metav1.Condition, bool) {
condition, caBundle := tlsconfigutil.ValidateTLSConfig(
tlsconfigutil.TLSSpecForConcierge(tlsSpec),
"spec.tls",
@@ -252,7 +251,7 @@ func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authentication
c.configMapInformer)
conditions = append(conditions, condition)
return caBundle.GetCertPool(), caBundle.GetCABundle(), conditions, condition.Status == metav1.ConditionTrue
return caBundle, conditions, condition.Status == metav1.ConditionTrue
}
// newWebhookAuthenticator creates a webhook from the provided API server url and caBundle