Populate internal GitHub IDP Config from CRD

2026-01-08 07:11:53 +00:00 · 2024-04-02 21:53:03 -05:00
parent 349039ff5d
commit c9b61ef010
51 changed files with 3256 additions and 289 deletions
--- a/internal/controller/utils.go
+++ b/internal/controller/utils.go
@@ -1,12 +1,20 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package controller

 import (
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"slices"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/util/cert"

+	authv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	"go.pinniped.dev/internal/controllerlib"
 )

@@ -43,12 +51,16 @@ func SimpleFilter(match func(metav1.Object) bool, parentFunc controllerlib.Paren
 	}
 }

-func MatchAnySecretOfTypeFilter(secretType corev1.SecretType, parentFunc controllerlib.ParentFunc) controllerlib.Filter {
+func MatchAnySecretOfTypeFilter(secretType corev1.SecretType, parentFunc controllerlib.ParentFunc, namespaces ...string) controllerlib.Filter {
 	isSecretOfType := func(obj metav1.Object) bool {
 		secret, ok := obj.(*corev1.Secret)
 		if !ok {
 			return false
 		}
+		// Only match on namespace if namespaces are provided
+		if len(namespaces) > 0 && !slices.Contains(namespaces, secret.Namespace) {
+			return false
+		}
 		return secret.Type == secretType
 	}
 	return SimpleFilter(isSecretOfType, parentFunc)
@@ -87,3 +99,43 @@ type WithInformerOptionFunc func(

 // Same signature as controllerlib.WithInitialEvent().
 type WithInitialEventOptionFunc func(key controllerlib.Key) controllerlib.Option
+
+// BuildCertPoolAuth returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
+// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
+// encoded, an error will be returned.
+func BuildCertPoolAuth(spec *authv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
+	if spec == nil {
+		return nil, nil, nil
+	}
+
+	return buildCertPool(spec.CertificateAuthorityData)
+}
+
+// BuildCertPoolIDP returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
+// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
+// encoded, an error will be returned.
+func BuildCertPoolIDP(spec *idpv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
+	if spec == nil {
+		return nil, nil, nil
+	}
+
+	return buildCertPool(spec.CertificateAuthorityData)
+}
+
+func buildCertPool(certificateAuthorityData string) (*x509.CertPool, []byte, error) {
+	if len(certificateAuthorityData) == 0 {
+		return nil, nil, nil
+	}
+
+	pem, err := base64.StdEncoding.DecodeString(certificateAuthorityData)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rootCAs, err := cert.NewPoolFromBytes(pem)
+	if err != nil {
+		return nil, nil, fmt.Errorf("certificateAuthorityData is not valid PEM: %w", err)
+	}
+
+	return rootCAs, pem, nil
+}