audit log OIDCClientSecretRequests

2026-01-07 14:05:50 +00:00 · 2024-11-14 09:55:31 -08:00
parent f388513145
commit c2018717b6
5 changed files with 133 additions and 14 deletions
--- a/internal/supervisor/apiserver/apiserver.go
+++ b/internal/supervisor/apiserver/apiserver.go
@@ -39,6 +39,7 @@ type ExtraConfig struct {
 	Secrets                            corev1client.SecretInterface
 	OIDCClients                        configv1alpha1clientset.OIDCClientInterface
 	Namespace                          string
+	AuditLogger                        plog.AuditLogger
 }

 type PinnipedServer struct {
@@ -92,6 +93,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 				rand.Reader,
 				bcrypt.GenerateFromPassword,
 				metav1.Now,
+				c.ExtraConfig.AuditLogger,
 			)
 			return clientSecretReqGVR, clientSecretReqStorage
 		},
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -529,6 +529,7 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis
 		clientWithoutLeaderElection.Kubernetes.CoreV1().Secrets(serverInstallationNamespace),
 		client.PinnipedSupervisor.ConfigV1alpha1().OIDCClients(serverInstallationNamespace),
 		serverInstallationNamespace,
+		auditLogger,
 	)
 	if err != nil {
 		return fmt.Errorf("could not configure aggregated API server: %w", err)
@@ -639,6 +640,7 @@ func getAggregatedAPIServerConfig(
 	secrets corev1client.SecretInterface,
 	oidcClients v1alpha1.OIDCClientInterface,
 	serverInstallationNamespace string,
+	auditLogger plog.AuditLogger,
 ) (*apiserver.Config, error) {
 	codecs := serializer.NewCodecFactory(scheme)

@@ -705,6 +707,7 @@ func getAggregatedAPIServerConfig(
 			Secrets:                            secrets,
 			OIDCClients:                        oidcClients,
 			Namespace:                          serverInstallationNamespace,
+			AuditLogger:                        auditLogger,
 		},
 	}
 	return apiServerConfig, nil