Add a way to set a default supervisor TLS cert for when SNI won't work

- Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2026-01-05 04:56:11 +00:00 · 2020-10-27 16:33:08 -07:00
parent 1f1b6c884e
commit 38802c2184
10 changed files with 192 additions and 58 deletions
--- a/cmd/local-user-authenticator/main.go
+++ b/cmd/local-user-authenticator/main.go
@@ -109,7 +109,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
 	if err != nil {
 		return
 	}
-	defer req.Body.Close()
+	defer func() { _ = req.Body.Close() }()

 	secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
 	notFound := k8serrors.IsNotFound(err)
@@ -379,7 +379,7 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("cannot create listener: %w", err)
 	}
-	defer l.Close()
+	defer func() { _ = l.Close() }()

 	err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
 	if err != nil {
--- a/cmd/local-user-authenticator/main_test.go
+++ b/cmd/local-user-authenticator/main_test.go
@@ -106,7 +106,7 @@ func TestWebhook(t *testing.T) {

 	l, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
-	defer l.Close()
+	defer func() { _ = l.Close() }()
 	require.NoError(t, w.start(ctx, l))

 	client := newClient(caBundle, serverName)
@@ -412,7 +412,7 @@ func TestWebhook(t *testing.T) {
 				Body:   body,
 			})
 			require.NoError(t, err)
-			defer rsp.Body.Close()
+			defer func() { _ = rsp.Body.Close() }()

 			require.Equal(t, test.wantStatus, rsp.StatusCode)

@@ -470,7 +470,7 @@ func newCertProvider(t *testing.T) (dynamiccert.Provider, []byte, string) {
 	ca, err := certauthority.New(pkix.Name{CommonName: serverName + " CA"}, time.Hour*24)
 	require.NoError(t, err)

-	cert, err := ca.Issue(pkix.Name{CommonName: serverName}, []string{serverName}, time.Hour*24)
+	cert, err := ca.Issue(pkix.Name{CommonName: serverName}, []string{serverName}, nil, time.Hour*24)
 	require.NoError(t, err)

 	certPEM, keyPEM, err := certauthority.ToPEM(cert)
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -201,7 +201,7 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
 	if err != nil {
 		return fmt.Errorf("cannot create listener: %w", err)
 	}
-	defer httpListener.Close()
+	defer func() { _ = httpListener.Close() }()
 	start(ctx, httpListener, oidProvidersManager)

 	//nolint: gosec // Intentionally binding to all network interfaces.
@@ -209,14 +209,22 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error {
 		MinVersion: tls.VersionTLS12, // Allow v1.2 because clients like the default `curl` on MacOS don't support 1.3 yet.
 		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			cert := dynamicTLSCertProvider.GetTLSCert(strings.ToLower(info.ServerName))
-			klog.InfoS("GetCertificate called for port 443", "info.ServerName", info.ServerName, "foundCert", cert != nil)
+			defaultCert := dynamicTLSCertProvider.GetDefaultTLSCert()
+			klog.InfoS("GetCertificate called for port 443",
+				"info.ServerName", info.ServerName,
+				"foundSNICert", cert != nil,
+				"foundDefaultCert", defaultCert != nil,
+			)
+			if cert == nil {
+				cert = defaultCert
+			}
 			return cert, nil
 		},
 	})
 	if err != nil {
 		return fmt.Errorf("cannot create listener: %w", err)
 	}
-	defer httpsListener.Close()
+	defer func() { _ = httpsListener.Close() }()
 	start(ctx, httpsListener, oidProvidersManager)

 	klog.InfoS("supervisor is ready",