Merge pull request #1916 from vgupta3/oidc-idp-ca-cert-file-support
Add support for using the OIDC CA certificate file while refreshing the token
k8s-ci-robot committed Oct 13, 2022
2 parents 3fb24ad + f740c63 commit d199529
Showing 2 changed files with 55 additions and 0 deletions.
3 changes: 3 additions & 0 deletions kubernetes/base/config/kube_config.py
Expand Up @@ -439,6 +439,9 @@ def _refresh_oidc(self, provider):

config.ssl_ca_cert = ca_cert.name

elif 'idp-certificate-authority' in provider['config']:
config.ssl_ca_cert = provider['config']['idp-certificate-authority']

else:
config.verify_ssl = False

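Review bot: The `idp-certificate-authority` value on the new `elif` branch is assigned to `config.ssl_ca_cert` verbatim, so a relative path is resolved against the process working directory rather than the kubeconfig's location, and a missing or unreadable file only surfaces later as a TLS failure from the refresh request instead of a configuration error. If I read the loader correctly it already resolves its other certificate file entries against `self._config_base_path` (through `FileOrData`), so the same base path should presumably apply here: `config.ssl_ca_cert = os.path.join(self._config_base_path, provider['config']['idp-certificate-authority'])`. Consider also failing early with a `ConfigException` when `os.path.isfile(config.ssl_ca_cert)` is false, so a mistyped path is reported as a config problem rather than as a verification error. `_refresh_oidc` starts before this hunk, and the `if` branch that the preceding `ca_cert.name` line belongs to is outside it.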
52 changes: 52 additions & 0 deletions kubernetes/base/config/kube_config_test.py
Expand Up @@ -17,6 +17,7 @@
import io
import json
import os
from pprint import pprint
import shutil
import tempfile
import unittest
Expand Down Expand Up @@ -485,6 +486,13 @@ class TestKubeConfigLoader(BaseTestCase):
"user": "expired_oidc"
}
},
{
"name": "expired_oidc_with_idp_ca_file",
"context": {
"cluster": "default",
"user": "expired_oidc_with_idp_ca_file"
}
},
{
"name": "expired_oidc_nocert",
"context": {
Expand Down Expand Up @@ -799,6 +807,23 @@ class TestKubeConfigLoader(BaseTestCase):
}
}
},
{
"name": "expired_oidc_with_idp_ca_file",
"user": {
"auth-provider": {
"name": "oidc",
"config": {
"client-id": "tectonic-kubectl",
"client-secret": "FAKE_SECRET",
"id-token": TEST_OIDC_EXPIRED_LOGIN,
"idp-certificate-authority": TEST_CERTIFICATE_AUTH,
"idp-issuer-url": "https://example.org/identity",
"refresh-token":
"lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
}
}
}
},
{
"name": "expired_oidc_nocert",
"user": {
Expand Down Expand Up @@ -1059,6 +1084,33 @@ def test_oidc_with_refresh(self, mock_ApiClient, mock_OAuth2Session):
self.assertTrue(loader._load_auth_provider_token())
self.assertEqual("Bearer abc123", loader.token)

@mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
@mock.patch('kubernetes.config.kube_config.ApiClient.request')
def test_oidc_with_idp_ca_file_refresh(self, mock_ApiClient, mock_OAuth2Session):
mock_response = mock.MagicMock()
type(mock_response).status = mock.PropertyMock(
return_value=200
)
type(mock_response).data = mock.PropertyMock(
return_value=json.dumps({
"token_endpoint": "https://example.org/identity/token"
})
)

mock_ApiClient.return_value = mock_response

mock_OAuth2Session.return_value = {"id_token": "abc123",
"refresh_token": "newtoken123"}

loader = KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
active_context="expired_oidc_with_idp_ca_file",
)


self.assertTrue(loader._load_auth_provider_token())
self.assertEqual("Bearer abc123", loader.token)

@mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
@mock.patch('kubernetes.config.kube_config.ApiClient.request')
def test_oidc_with_refresh_nocert(
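Review bot: `test_oidc_with_idp_ca_file_refresh` only asserts on the resulting token, which the mocked `OAuth2Session.refresh_token` returns regardless of TLS settings, so the test would still pass if the new `idp-certificate-authority` branch were removed and the loader fell through to `verify_ssl = False`. The configuration object handed to `ApiClient` is where the branch's effect lands, so the test should capture it (for example by patching `kubernetes.config.kube_config.ApiClient` instead of only its `request` method and inspecting the configuration passed to it) and assert that `ssl_ca_cert` equals `TEST_CERTIFICATE_AUTH` and that `verify_ssl` was not disabled; whether `TEST_CERTIFICATE_AUTH` is actually a path to an existing file is not visible here, and because the request is mocked the file is never opened, so the test cannot distinguish a valid path from a bad one. The `from pprint import pprint` added in the first hunk is not used by any of the new code shown and should be dropped. The double blank line before `self.assertTrue(loader._load_auth_provider_token())` is a minor style nit.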
