mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 06:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

use .cluster.local address for LUA (squid cannot resolve .svc addresses)

Browse Source
This commit is contained in:
Ryan Richard
2024-10-10 14:44:14 -07:00
parent eca8914760
commit 4d2bbac674
4 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
hack/prepare-for-integration-tests.sh
View File

@@ -347,7 +347,7 @@ manifest=/tmp/pinniped-concierge.yaml
data_values_file=/tmp/concierge-values.yml data_values_file=/tmp/concierge-values.yml
concierge_app_name="pinniped-concierge" concierge_app_name="pinniped-concierge"
concierge_namespace="concierge" concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" webhook_url="https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}" concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug" log_level="debug"
@@ -366,7 +366,7 @@ EOF
if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
# Configure the web proxy on the Concierge pods. Note that .svc and .cluster.local are not included, # Configure the web proxy on the Concierge pods. Note that .svc and .cluster.local are not included,
# so requests for things like pinniped-supervisor-clusterip.supervisor.svc.cluster.local and # so requests for things like pinniped-supervisor-clusterip.supervisor.svc.cluster.local and
# local-user-authenticator.local-user-authenticator.svc will go through the web proxy. # local-user-authenticator.local-user-authenticator.svc.cluster.local will go through the web proxy.
cat <<EOF >>"$data_values_file" cat <<EOF >>"$data_values_file"
https_proxy: "http://proxy.tools.svc.cluster.local:3128" https_proxy: "http://proxy.tools.svc.cluster.local:3128"
no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost" no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"

4
hack/prepare-impersonator-on-kind.sh
View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. # Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
@@ -50,7 +50,7 @@ kind: WebhookAuthenticator
metadata: metadata:
name: local-user-authenticator name: local-user-authenticator
spec: spec:
endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate endpoint: https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate
tls: tls:
certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
EOF EOF

3
internal/controller/apicerts/certs_manager.go
View File

@@ -119,7 +119,8 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
// Using the CA from above, create a TLS server cert if we have service name. // Using the CA from above, create a TLS server cert if we have service name.
if len(c.serviceNameForGeneratedCertCommonName) != 0 { if len(c.serviceNameForGeneratedCertCommonName) != 0 {
serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc" serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc"
tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint}, nil, c.certDuration) // Allow clients to use either service-name.namespace.svc or service-name.namespace.svc.cluster.local to verify TLS.
tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint, serviceEndpoint + ".cluster.local"}, nil, c.certDuration)
if err != nil { if err != nil {
return fmt.Errorf("could not issue serving certificate: %w", err) return fmt.Errorf("could not issue serving certificate: %w", err)
} }

3
internal/controller/apicerts/certs_manager_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package apicerts package apicerts
@@ -225,6 +225,7 @@ func TestManagerControllerSync(t *testing.T) {
// Validate the created cert using the CA, and also validate the cert's hostname // Validate the created cert using the CA, and also validate the cert's hostname
validCert := testutil.ValidateServerCertificate(t, actualCACert, actualCertChain) validCert := testutil.ValidateServerCertificate(t, actualCACert, actualCertChain)
validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc") validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc.cluster.local")
validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute) validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
validCert.RequireMatchesPrivateKey(actualPrivateKey) validCert.RequireMatchesPrivateKey(actualPrivateKey)
}) })