From b9a29b897ea6a1052a48df40cc2a0132d0045292 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Wed, 26 May 2021 09:58:35 +0200 Subject: [PATCH] pkg/authn/delegating: dynamically reload client CA Signed-off-by: Sergiusz Urbaniak --- main.go | 5 +++-- pkg/authn/delegating.go | 46 +++++++++++++++++++++++++++-------------- 2 files changed, 34 insertions(+), 17 deletions(-) diff --git a/main.go b/main.go index 539a5ea89..cd61e0e91 100644 --- a/main.go +++ b/main.go @@ -171,17 +171,18 @@ func main() { if err != nil { klog.Fatalf("Failed to instantiate OIDC authenticator: %v", err) } - } else { //Use Delegating authenticator klog.Infof("Valid token audiences: %s", strings.Join(cfg.auth.Authentication.Token.Audiences, ", ")) tokenClient := kubeClient.AuthenticationV1().TokenReviews() - authenticator, err = authn.NewDelegatingAuthenticator(tokenClient, cfg.auth.Authentication) + delegatingAuthenticator, err := authn.NewDelegatingAuthenticator(tokenClient, cfg.auth.Authentication) if err != nil { klog.Fatalf("Failed to instantiate delegating authenticator: %v", err) } + go delegatingAuthenticator.Run(1, context.Background().Done()) + authenticator = delegatingAuthenticator } sarClient := kubeClient.AuthorizationV1().SubjectAccessReviews() diff --git a/pkg/authn/delegating.go b/pkg/authn/delegating.go index 6aaa42005..ba077a8da 100644 --- a/pkg/authn/delegating.go +++ b/pkg/authn/delegating.go @@ -18,8 +18,7 @@ package authn import ( "errors" - "fmt" - "io/ioutil" + "net/http" "time" "k8s.io/apiserver/pkg/authentication/authenticator" 
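Review bot: In the main.go hunk, `context.Background().Done()` returns a nil channel, so the `Run` goroutine started with `go delegatingAuthenticator.Run(1, context.Background().Done())` has no stop signal at all and runs until the process exits. That is tolerable for a process-lifetime reloader, but it hides the goroutine's lifetime from the reader and gives any later graceful-shutdown work in `main` nothing to cancel; deriving a cancellable context once, `ctx, cancel := context.WithCancel(context.Background())` with `defer cancel()`, and passing `ctx.Done()` makes the ownership explicit. The new `delegatingAuthenticator, err :=` shadows the outer `err` inside the else branch, which is fine here because it is checked immediately, but a short comment on the `go` line saying the reloader watches the client CA file would help, since nothing at this call site says why a goroutine is needed. The enclosing `main` continues outside the hunk.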
@@ -28,27 +27,23 @@ import ( authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1" ) +type DelegatingAuthenticator struct { + dynamicClientCA *dynamiccertificates.DynamicFileCAContent + requestAuthenticator authenticator.Request +} + // NewDelegatingAuthenticator creates an authenticator compatible with the kubelet's needs -func NewDelegatingAuthenticator(client authenticationclient.TokenReviewInterface, authn *AuthnConfig) (authenticator.Request, error) { +func NewDelegatingAuthenticator(client authenticationclient.TokenReviewInterface, authn *AuthnConfig) (*DelegatingAuthenticator, error) { if client == nil { return nil, errors.New("tokenAccessReview client not provided, cannot use webhook authentication") } var ( - p authenticatorfactory.CAContentProvider + p *dynamiccertificates.DynamicFileCAContent err error ) if len(authn.X509.ClientCAFile) > 0 { - if len(authn.X509.ClientCAFile) == 0 { - return nil, fmt.Errorf("missing filename for ca bundle") - } - - caBundle, err := ioutil.ReadFile(authn.X509.ClientCAFile) - if err != nil { - return nil, err - } - - p, err = dynamiccertificates.NewStaticCAContent(authn.X509.ClientCAFile, caBundle) + p, err = dynamiccertificates.NewDynamicCAContentFromFile("client-ca", authn.X509.ClientCAFile) if err != nil { return nil, err } 
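Review bot: Changing `p` from the `authenticatorfactory.CAContentProvider` interface to the concrete `*dynamiccertificates.DynamicFileCAContent` introduces a typed-nil risk: when `authn.X509.ClientCAFile` is empty, `p` stays a nil pointer, and if it is still assigned to the `ClientCertificateCAContentProvider` interface field further down (the rest of `NewDelegatingAuthenticator` is outside this hunk), that interface is non-nil, so the x509 client-certificate path would be enabled with a nil provider instead of being skipped as it was when `p` was an interface value. Either keep `p` declared as the interface and store a separate concrete pointer for the reloader, or assign conditionally, `if p != nil { authenticatorConfig.ClientCertificateCAContentProvider = p }`; the `dynamicClientCA` struct field can remain a concrete pointer because `RunOnce` and `Run` already nil-check it. `DelegatingAuthenticator` is exported and has no doc comment; something like `// DelegatingAuthenticator authenticates requests through the delegating authenticator and, when a client CA file is configured, keeps that CA reloaded while Run is active.` would cover it.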
@@ -63,5 +58,26 @@ func NewDelegatingAuthenticator(client authenticationclient.TokenReviewInterface } authenticator, _, err := authenticatorConfig.New() - return authenticator, err + if err != nil { + return nil, err + } + + return &DelegatingAuthenticator{requestAuthenticator: authenticator, dynamicClientCA: p}, nil +} + +func (a *DelegatingAuthenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) { + return a.requestAuthenticator.AuthenticateRequest(req) +} + +func (a *DelegatingAuthenticator) RunOnce() error { + if a.dynamicClientCA != nil { + return a.dynamicClientCA.RunOnce() + } + return nil +} + +func (a *DelegatingAuthenticator) Run(workers int, stopCh <-chan struct{}) { + if a.dynamicClientCA != nil { + a.dynamicClientCA.Run(workers, stopCh) + } }
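Review bot: The three new exported methods have no doc comments, and `Run` in particular needs one stating that it blocks until `stopCh` is closed (which the `go` at the call site in main.go implies, assuming the underlying `DynamicFileCAContent.Run` blocks) and is a no-op when no client CA file was configured; `RunOnce` should say it performs a single synchronous reload of the client CA and returns nil when none is configured, and `AuthenticateRequest` that it delegates unchanged to the wrapped `authenticator.Request`. Since `NewDelegatingAuthenticator` now returns the concrete type rather than `authenticator.Request`, a compile-time check `var _ authenticator.Request = (*DelegatingAuthenticator)(nil)` next to the type would keep the wrapper honest if the method set drifts. The `workers` argument is passed straight through; its comment should say what a worker is for this reloader rather than leaving callers to guess at `1`.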