Bug 1993977: Bump to 0.11.0

.github/workflows/build.yml

@@ -5,7 +5,7 @@ on: [push, pull_request]
 env:
   QUAY_PATH: quay.io/brancz/kube-rbac-proxy
   go-version: '1.15'
-  kind-version: 'v0.9.0'
+  kind-version: 'v0.11.0'
 
 jobs:
   check-license:
@@ -23,6 +23,15 @@ jobs:
       with:
         go-version: ${{ env.go-version }}
     - run: make generate && git diff --exit-code
+  lint:
+    runs-on: ubuntu-latest
+    name: Lint
+    steps:
+    - uses: actions/checkout@v2
+    - name: golangci-lint
+      uses: golangci/golangci-lint-action@v2
+      with:
+        version: latest
   build:
     runs-on: ubuntu-latest
     name: Build
@@ -52,14 +61,9 @@ jobs:
       with:
         version: ${{ env.kind-version }}
         config: test/e2e/kind-config/kind-config.yaml
-    - name: Wait for cluster to finish bootstrapping
-      run: |
-        until [ "$(kubectl get pods --all-namespaces --no-headers | grep -cEv '([0-9]+)/\1')" -eq 0 ]; do
-            sleep 5s
-        done
-        kubectl cluster-info
-        kubectl get pods -A
-      continue-on-error: false
+        wait: 300s
+    - name: Wait for cluster to finish bootstraping
+      run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
     - name: Create container & run tests
       run: |
         VERSION=local make container

.golangci.yaml

@@ -0,0 +1,3 @@
+run:
+  skip-dirs:
+    - test/

CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.11.0 / 2021-08-02
+
+* [FEATURE] Support for path patterns in --allow-paths and --ignore-paths. #135
+* [ENHANCEMENT] Dynamically reload client CA. #127
+* [BUGFIX] Fix panics on client-cert authenticated requests. #132
+
+## 0.10.0 / 2021-05-07
+
+* [FEATURE] Support local static authorizer. #125
+
 ## 0.9.0 / 2021-04-27
 
 * [FEATURE] Support rewrites using HTTP headers in addition to query parameters. #104

VERSION

@@ -1 +1 @@
-v0.9.0
+v0.11.0

examples/non-resource-url-token-request/README.md

@@ -78,7 +78,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/non-resource-url-token-request/deployment.yaml

@@ -63,7 +63,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/non-resource-url/README.md

@@ -78,7 +78,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/non-resource-url/deployment.yaml

@@ -60,7 +60,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/oidc/deployment.yaml

@@ -63,7 +63,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--insecure-listen-address=0.0.0.0:8444"
         - "--upstream=http://127.0.0.1:8081/"

examples/resource-attributes/README.md

@@ -92,7 +92,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/resource-attributes/deployment.yaml

@@ -74,7 +74,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/rewrites/README.md

@@ -94,7 +94,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

examples/rewrites/deployment.yaml

@@ -76,7 +76,7 @@ spec:
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
-        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"

main.go

@@ -27,6 +27,7 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"path"
 	"strings"
 	"syscall"
 	"time"
@@ -135,7 +136,10 @@ func main() {
 	//Kubeconfig flag
 	flagset.StringVar(&cfg.kubeconfigLocation, "kubeconfig", "", "Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used")
 
-	flagset.Parse(os.Args[1:])
+	err := flagset.Parse(os.Args[1:])
+	if err != nil {
+		klog.Fatalf("Failed to parse CLI flags: %v", err)
+	}
 	kcfg := initKubeConfig(cfg.kubeconfigLocation)
 
 	upstreamURL, err := url.Parse(cfg.upstream)
@@ -222,14 +226,31 @@ func main() {
 		klog.Fatal("Cannot use --allow-paths and --ignore-paths together.")
 	}
 
+	for _, pathAllowed := range cfg.allowPaths {
+		_, err := path.Match(pathAllowed, "")
+		if err != nil {
+			klog.Fatalf("Failed to verify allow path: %s", pathAllowed)
+		}
+	}
+
+	for _, pathIgnored := range cfg.ignorePaths {
+		_, err := path.Match(pathIgnored, "")
+		if err != nil {
+			klog.Fatalf("Failed to verify ignored path: %s", pathIgnored)
+		}
+	}
+
 	proxy := httputil.NewSingleHostReverseProxy(upstreamURL)
 	proxy.Transport = upstreamTransport
 	mux := http.NewServeMux()
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		found := len(cfg.allowPaths) == 0
-		for _, path := range cfg.allowPaths {
-			if req.URL.Path == path {
-				found = true
+		for _, pathAllowed := range cfg.allowPaths {
+			found, err = path.Match(pathAllowed, req.URL.Path)
+			if err != nil {
+				return
+			}
+			if found {
 				break
 			}
 		}
@@ -239,9 +260,12 @@ func main() {
 		}
 
 		ignorePathFound := false
-		for _, path := range cfg.ignorePaths {
-			if req.URL.Path == path {
-				ignorePathFound = true
+		for _, pathIgnored := range cfg.ignorePaths {
+			ignorePathFound, err = path.Match(pathIgnored, req.URL.Path)
+			if err != nil {
+				return
+			}
+			if ignorePathFound {
 				break
 			}
 		}
@@ -370,7 +394,7 @@ func main() {
 		}
 	}
 	{
-		sig := make(chan os.Signal)
+		sig := make(chan os.Signal, 1)
 		gr.Add(func() error {
 			signal.Notify(sig, os.Interrupt, syscall.SIGTERM)
 			<-sig

pkg/authn/delegating.go

@@ -42,19 +42,20 @@ func NewDelegatingAuthenticator(client authenticationclient.TokenReviewInterface
 		p   *dynamiccertificates.DynamicFileCAContent
 		err error
 	)
+
+	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
+		Anonymous:               false, // always require authentication
+		CacheTTL:                2 * time.Minute,
+		TokenAccessReviewClient: client,
+		APIAudiences:            authenticator.Audiences(authn.Token.Audiences),
+	}
+
 	if len(authn.X509.ClientCAFile) > 0 {
 		p, err = dynamiccertificates.NewDynamicCAContentFromFile("client-ca", authn.X509.ClientCAFile)
 		if err != nil {
 			return nil, err
 		}
-	}
-
-	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
-		Anonymous:                          false, // always require authentication
-		CacheTTL:                           2 * time.Minute,
-		ClientCertificateCAContentProvider: p,
-		TokenAccessReviewClient:            client,
-		APIAudiences:                       authenticator.Audiences(authn.Token.Audiences),
+		authenticatorConfig.ClientCertificateCAContentProvider = p
 	}
 
 	authenticator, _, err := authenticatorConfig.New()

pkg/proxy/proxy.go

@@ -82,7 +82,7 @@ func (h *kubeRBACProxy) Handle(w http.ResponseWriter, req *http.Request) bool {
 	// Get authorization attributes
 	allAttrs := h.authorizerAttributesGetter.GetRequestAttributes(u.User, req)
 	if len(allAttrs) == 0 {
-		msg := fmt.Sprintf("Bad Request. The request or configuration is malformed.")
+		msg := "Bad Request. The request or configuration is malformed."
 		klog.V(2).Info(msg)
 		http.Error(w, msg, http.StatusBadRequest)
 		return false
@@ -259,6 +259,9 @@ func (c *Config) DeepCopy() *Config {
 func templateWithValue(templateString, value string) string {
 	tmpl, _ := template.New("valueTemplate").Parse(templateString)
 	out := bytes.NewBuffer(nil)
-	tmpl.Execute(out, struct{ Value string }{Value: value})
+	err := tmpl.Execute(out, struct{ Value string }{Value: value})
+	if err != nil {
+		return ""
+	}
 	return out.String()
 }

pkg/proxy/proxy_test.go

@@ -246,10 +246,8 @@ func createRequest(queryParams, headers map[string]string) *http.Request {
 		}
 		r.URL.RawQuery = q.Encode()
 	}
-	if headers != nil {
-		for k, v := range headers {
-			r.Header.Set(k, v)
-		}
+	for k, v := range headers {
+		r.Header.Set(k, v)
 	}
 	return r
 }

pkg/tls/reloader_test.go

@@ -193,9 +193,12 @@ func newSelfSignedCert(hostname string) stepFunc {
 		}
 
 		certPath, err := writeTempFile("cert", certBytes)
+		if err != nil {
+			t.Fatalf("error writing cert data: %v", err)
+		}
 		keyPath, err := writeTempFile("key", keyBytes)
 		if err != nil {
-			t.Fatalf("error writing cert/key data: %v", err)
+			t.Fatalf("error writing key data: %v", err)
 		}
 
 		s.certPath = certPath

test/e2e/allowpaths/deployment.yaml

@@ -20,7 +20,7 @@ spec:
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
-            - "--allow-paths=/metrics"
+            - "--allow-paths=/metrics,/api/v1/label/*/values"
             - "--logtostderr=true"
             - "--v=10"
           ports:

test/e2e/basics.go

@@ -355,6 +355,11 @@ func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite {
 					fmt.Sprintf(command, "/", 404, 404),
 					nil,
 				),
+				ClientSucceeds(
+					s.KubeClient,
+					fmt.Sprintf(command, "/api/v1/label/name", 404, 404),
+					nil,
+				),
 			),
 		}.Run(t)
 
@@ -394,6 +399,11 @@ func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite {
 					fmt.Sprintf(command, "/metrics", 200, 200),
 					nil,
 				),
+				ClientSucceeds(
+					s.KubeClient,
+					fmt.Sprintf(command, "/api/v1/label/job/values", 200, 200),
+					nil,
+				),
 			),
 		}.Run(t)
 	}
@@ -439,6 +449,11 @@ func testIgnorePaths(s *kubetest.Suite) kubetest.TestSuite {
 					fmt.Sprintf(commandWithoutAuth, "/metrics", 200, 200),
 					nil,
 				),
+				ClientSucceeds(
+					s.KubeClient,
+					fmt.Sprintf(commandWithoutAuth, "/api/v1/labels", 200, 200),
+					nil,
+				),
 			),
 		}.Run(t)
 
@@ -478,6 +493,11 @@ func testIgnorePaths(s *kubetest.Suite) kubetest.TestSuite {
 					fmt.Sprintf(commandWithoutAuth, "/", 401, 401),
 					nil,
 				),
+				ClientSucceeds(
+					s.KubeClient,
+					fmt.Sprintf(commandWithoutAuth, "/api/v1/label/job/values", 401, 401),
+					nil,
+				),
 			),
 		}.Run(t)
 	}

test/e2e/ignorepaths/deployment.yaml

@@ -20,7 +20,7 @@ spec:
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
-            - "--ignore-paths=/metrics"
+            - "--ignore-paths=/metrics,/api/v1/*"
             - "--logtostderr=true"
             - "--v=10"
           ports: