Add impersonationProxyServerPort to the Concierge's static ConfigMap

- Used to determine on which port the impersonation proxy will bind
- Defaults to 8444, which is the old hard-coded port value
- Allow the port number to be configured to any value within the
  range 1024 to 65535
- This commit does not include adding new config knobs to the ytt
  values file, so while it is possible to change this port without
  needing to recompile, it is not convenient
Ryan Richard
2021-11-17 13:27:59 -08:00
parent 2383a88612
commit ca2cc40769
8 changed files with 74 additions and 25 deletions


@@ -48,7 +48,6 @@ import (
)
const (
impersonationProxyPort = 8444
defaultHTTPSPort = 443
approximatelyOneHundredYears = 100 * 365 * 24 * time.Hour
caCommonName = "Pinniped Impersonation Proxy Serving CA"
@@ -61,6 +60,7 @@ const (
type impersonatorConfigController struct {
namespace string
credentialIssuerResourceName string
impersonationProxyPort int
generatedLoadBalancerServiceName string
generatedClusterIPServiceName string
tlsSecretName string
@@ -96,6 +96,7 @@ func NewImpersonatorConfigController(
servicesInformer corev1informers.ServiceInformer,
secretsInformer corev1informers.SecretInformer,
withInformer pinnipedcontroller.WithInformerOptionFunc,
impersonationProxyPort int,
generatedLoadBalancerServiceName string,
generatedClusterIPServiceName string,
tlsSecretName string,
@@ -115,6 +116,7 @@ func NewImpersonatorConfigController(
Syncer: &impersonatorConfigController{
namespace: namespace,
credentialIssuerResourceName: credentialIssuerResourceName,
impersonationProxyPort: impersonationProxyPort,
generatedLoadBalancerServiceName: generatedLoadBalancerServiceName,
generatedClusterIPServiceName: generatedClusterIPServiceName,
tlsSecretName: tlsSecretName,
@@ -401,9 +403,9 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStarted(syncCtx contr
}
}
c.infoLog.Info("starting impersonation proxy", "port", impersonationProxyPort)
c.infoLog.Info("starting impersonation proxy", "port", c.impersonationProxyPort)
startImpersonatorFunc, err := c.impersonatorFunc(
impersonationProxyPort,
c.impersonationProxyPort,
c.tlsServingCertDynamicCertProvider,
c.impersonationSigningCertProvider,
)
@@ -436,7 +438,7 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStopped(shouldCloseEr
return nil
}
c.infoLog.Info("stopping impersonation proxy", "port", impersonationProxyPort)
c.infoLog.Info("stopping impersonation proxy", "port", c.impersonationProxyPort)
close(c.serverStopCh)
stopErr := <-c.errorCh
@@ -457,7 +459,7 @@ func (c *impersonatorConfigController) ensureLoadBalancerIsStarted(ctx context.C
Type: v1.ServiceTypeLoadBalancer,
Ports: []v1.ServicePort{
{
TargetPort: intstr.FromInt(impersonationProxyPort),
TargetPort: intstr.FromInt(c.impersonationProxyPort),
Port: defaultHTTPSPort,
Protocol: v1.ProtocolTCP,
},
@@ -503,7 +505,7 @@ func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx conte
Type: v1.ServiceTypeClusterIP,
Ports: []v1.ServicePort{
{
TargetPort: intstr.FromInt(impersonationProxyPort),
TargetPort: intstr.FromInt(c.impersonationProxyPort),
Port: defaultHTTPSPort,
Protocol: v1.ProtocolTCP,
},
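Review bot: `NewImpersonatorConfigController` stores the new `impersonationProxyPort int` argument without checking it, and the value then goes straight into `c.impersonatorFunc(...)` and into `intstr.FromInt(c.impersonationProxyPort)` as the `TargetPort` of both the LoadBalancer and ClusterIP Services. The commit message limits the port to 1024–65535, but no such check appears in these hunks, so it presumably lives in the ConfigMap loading code. A comment on the struct field would make that trust boundary explicit, for example `// impersonationProxyPort is the port the impersonation proxy binds; the caller must already have validated it to 1024-65535`. A range check alone would not catch a value that collides with another listener in the same container, so it is worth confirming that a failed bind surfaces as a clear error from `ensureImpersonatorIsStarted` rather than leaving the Services targeting a port nothing serves. The constructor and the `ensure*` functions all begin and end outside the hunks shown here.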


@@ -51,6 +51,7 @@ import (
func TestImpersonatorConfigControllerOptions(t *testing.T) {
spec.Run(t, "options", func(t *testing.T, when spec.G, it spec.S) {
const installedInNamespace = "some-namespace"
const impersonationProxyPort = 8444
const credentialIssuerResourceName = "some-credential-issuer-resource-name"
const generatedLoadBalancerServiceName = "some-service-resource-name"
const generatedClusterIPServiceName = "some-cluster-ip-resource-name"
@@ -84,6 +85,7 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
servicesInformer,
secretsInformer,
observableWithInformerOption.WithInformer,
impersonationProxyPort,
generatedLoadBalancerServiceName,
generatedClusterIPServiceName,
tlsSecretName,
@@ -252,6 +254,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
name := t.Name()
spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
const installedInNamespace = "some-namespace"
const impersonationProxyPort = 8444
const credentialIssuerResourceName = "some-credential-issuer-resource-name"
const loadBalancerServiceName = "some-service-resource-name"
const clusterIPServiceName = "some-cluster-ip-resource-name"
@@ -553,6 +556,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
kubeInformers.Core().V1().Services(),
kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer,
impersonationProxyPort,
loadBalancerServiceName,
clusterIPServiceName,
tlsSecretName,