Create conjur v5 k8s authenticator #619
Conversation
… policy to address pathing bug
This is to accomodate a lot of code imported wholesale
ghost
assigned …b.com:cyberark/conjur into CONJ-5128--create-conjur-v5-k8s-authenticator
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
| @timeout = timeout | ||
| end | ||
|
|
||
| def exec command, body: "", stdin: false |
There was a problem hiding this comment.
Method exec has 76 lines of code (exceeds 25 allowed). Consider refactoring.
| end | ||
| end | ||
|
|
||
| class StatefulSet < Base |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| class ReplicaSet < Base |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? authenticate pod matching "([^"]*)" with authn-k8s as "([^"]*)"( without cert and key)?$/) do |success, objectid, hostid, nocertkey| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @request_ip = find_matching_pod(objectid) | ||
| end | ||
|
|
||
| Then(/^I( can)? authenticate with authn-k8s as "([^"]*)"( without cert and key)?$/) do |success, objectid, nocertkey| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
|
|
||
| # Tests whether the Pod's ReplicaSet belongs to the Deployment. | ||
| class Deployment < Base |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| class DeploymentConfig < Base |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
|
|
||
| class StatefulSet < Base | ||
| def validate_pod | ||
| stateful_set_ref = verify "Pod #{pod.metadata.name.inspect} does not belong to a StatefulSet" do |
There was a problem hiding this comment.
Authentication::AuthnK8s::K8sResolver::StatefulSet#validate_pod calls 'pod.metadata.name' 2 times
| @@ -0,0 +1,427 @@ | |||
| module Authentication | |||
There was a problem hiding this comment.
File authenticator.rb has 302 lines of code (exceeds 250 allowed). Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Method pod_name_login has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
| end | ||
|
|
||
| # get pod cert | ||
| def pod_certificate |
There was a problem hiding this comment.
Method pod_certificate has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
| end | ||
|
|
||
| # Find a valid request IP for the given object. | ||
| def detect_request_ip objectid |
There was a problem hiding this comment.
Method detect_request_ip has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
|
|
||
| # In the case that this node is a follower, it's necessary to wait for the | ||
| # variables to be replicated from the master. | ||
| def wait_for_variable var, value |
There was a problem hiding this comment.
Method wait_for_variable has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Method pod_name_authenticate has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
|
|
||
| # ssl stuff | ||
|
|
||
| def csr_spiffe_id(csr) |
There was a problem hiding this comment.
Method csr_spiffe_id has a Cognitive Complexity of 17 (exceeds 5 allowed). Consider refactoring.
| # authn-k8s AuthenticateController helpers | ||
| #---------------------------------------- | ||
|
|
||
| def pod_certificate |
There was a problem hiding this comment.
Method pod_certificate has a Cognitive Complexity of 14 (exceeds 5 allowed). Consider refactoring.
| host.annotations.find { |a| a.values[:name] == 'kubernetes/authentication-container-name' }[:value] || 'authenticator' | ||
| end | ||
|
|
||
| def find_pod |
There was a problem hiding this comment.
Method find_pod has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
| ["pod", "service_account", "deployment", "stateful_set", "deployment_config"].include? k8s_controller_name | ||
| end | ||
|
|
||
| def find_pod_under_controller |
There was a problem hiding this comment.
Method find_pod_under_controller has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
| class ClientCertExpiredError < RuntimeError; end | ||
| class NotFoundError < RuntimeError; end | ||
|
|
||
| class Authenticator |
There was a problem hiding this comment.
Class Authenticator has 39 methods (exceeds 20 allowed). Consider refactoring.
|
|
||
| # ssl stuff | ||
|
|
||
| def csr_spiffe_id(csr) |
There was a problem hiding this comment.
Method csr_spiffe_id has 29 lines of code (exceeds 25 allowed). Consider refactoring.
| @timeout = timeout | ||
| end | ||
|
|
||
| def exec command, body: "", stdin: false |
There was a problem hiding this comment.
Method exec has a Cognitive Complexity of 13 (exceeds 5 allowed). Consider refactoring.
| resp | ||
| end | ||
|
|
||
| Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"$/) do |success, objectid, host_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? login to authn-k8s as "([^"]*)"$/) do |success, objectid| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| resp | ||
| end | ||
|
|
||
| Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"$/) do |success, objectid, host_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? login to authn-k8s as "([^"]*)"$/) do |success, objectid| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
|
|
||
| def login username, request_ip, authn_k8s_host, pkey | ||
| csr = gen_csr(username, pkey, [ | ||
| "URI:spiffe://cluster.local/namespace/#{@pod.metadata.namespace}/pod/#{@pod.metadata.name}" |
There was a problem hiding this comment.
login calls '@pod.metadata' 2 times
| resp | ||
| end | ||
|
|
||
| Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"$/) do |success, objectid, host_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? login to authn-k8s as "([^"]*)"$/) do |success, objectid| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
|
|
||
| def login username, request_ip, authn_k8s_host, pkey | ||
| csr = gen_csr(username, pkey, [ | ||
| "URI:spiffe://cluster.local/namespace/#{@pod.metadata.namespace}/pod/#{@pod.metadata.name}" |
There was a problem hiding this comment.
login calls '@pod.metadata' 2 times
This reverts commit 60befd5.
| resp | ||
| end | ||
|
|
||
| Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"$/) do |success, objectid, host_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? login to authn-k8s as "([^"]*)"$/) do |success, objectid| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
|
|
||
| def login username, request_ip, authn_k8s_host, pkey | ||
| csr = gen_csr(username, pkey, [ | ||
| "URI:spiffe://cluster.local/namespace/#{@pod.metadata.namespace}/pod/#{@pod.metadata.name}" |
There was a problem hiding this comment.
login calls '@pod.metadata' 2 times
| resp | ||
| end | ||
|
|
||
| Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"$/) do |success, objectid, host_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| Then(/^I( can)? login to authn-k8s as "([^"]*)"$/) do |success, objectid| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
| end | ||
|
|
||
| def pod_name_login |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| @pod_name | ||
| end | ||
|
|
||
| def pod_name_authenticate |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
|
|
||
| def login username, request_ip, authn_k8s_host, pkey | ||
| csr = gen_csr(username, pkey, [ | ||
| "URI:spiffe://cluster.local/namespace/#{@pod.metadata.namespace}/pod/#{@pod.metadata.name}" |
There was a problem hiding this comment.
login calls '@pod.metadata' 2 times
jtuttle
changed the title
Closes CONJ-5128
What does this pull request do?
Ports the v4 Kubernetes authenticator to Conjur v5.
Where should the reviewer start?
The new
inject_client_certroute in theauthenticate_controlleror perhaps the new kubernetes cuke tests.How should this be manually tested?
Manually testing this will be quite a chore, but you can mimic what the test scripts are doing in
ci/authn-k8s. A better way would be to update http://github.com/cyberark/kubernetes-conjur-deploy to work w/ Conjur v5.Link to build in Jenkins (if appropriate)
https://jenkins.conjur.net/job/cyberark--conjur/job/CONJ-5128--create-conjur-v5-k8s-authenticator/
Questions:
Yes
If you like watching text fly by in terminals, sure.
Yes