oidc authenticator: allow http.Client to be overridden #106141
@@ -81,9 +81,12 @@ type Options struct { | |||
// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken | |||
ClientID string | |||
|
|||
// PEM encoded root certificate contents of the provider. | |||
// PEM encoded root certificate contents of the provider. Ignored when Client is not nil. |
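Review bot: On the updated comment for the PEM root certificate field, "Ignored when Client is not nil" lets a caller set both values and assume the provider connection is pinned to that CA, while trust is actually decided by whatever TLS configuration the supplied Client carries. Reject the combination with an explicit error at construction time instead of documenting a silent ignore, and state in the doc comment that a caller who passes Client owns root CA selection.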
would it be better to make this and Client mutually exclusive?
Yeah I think so. Updated and added unit test.
ClientID: "my-client", | ||
UsernameClaim: "username", | ||
GroupsClaim: "groups", | ||
Client: http.DefaultClient, // cause distributed claims fetching to fail with an unknown CA error |
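Review bot: On the `Client: http.DefaultClient` line, the inline comment expects distributed claims fetching to fail with an unknown CA error, but nothing visible in this case checks for that error, so the test would still pass if the supplied Client were never used. Assert on the returned error for this case, and prefer a client constructed for the test over the shared global so that other code mutating http.DefaultClient cannot change the outcome.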
any way to verify the error or verify this client gets called?
Updated the test logic so that I could assert the returned error.
36ebc3a to 2cb0b5b
This change allows the http.Client used by the OIDC authenticator to be overridden. This is useful when this code is being used as a library outside of core Kubernetes. For example, a downstream consumer may want to override the http.Client's internals such as its TLS configuration.
Signed-off-by: Monis Khan <mok@vmware.com>
2cb0b5b to 11974cd
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: enj, liggitt
The full list of commands accepted by this bot can be found here. The pull request process is described here
Kube 1.23 introduced a new field on the OIDC Authenticator which allows us to pass in a client with our own TLS config. See kubernetes/kubernetes#106141.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This change allows the http.Client used by the OIDC authenticator to
be overridden. This is useful when this code is being used as a
library outside of core Kubernetes. For example, a downstream
consumer may want to override the http.Client's internals such as
its TLS configuration.
Signed-off-by: Monis Khan <mok@vmware.com>
/kind cleanup
/milestone v1.23
/triage accepted
/priority backlog
/assign @liggitt
xref: #99765
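An added example, not code from this PR or from Kubernetes, showing the mutual exclusivity agreed in the review and why the choice of client decides which CA is trusted. The `options` struct, its `CAPEM` field, `buildClient` and `demo` are hypothetical names, and the TLS server is a constructed stand-in for a provider endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type options struct { // hypothetical stand-in for the authenticator's Options
	CAPEM  []byte       // PEM root certificate contents of the provider
	Client *http.Client // caller-supplied client; brings its own TLS config
}

// buildClient rejects CAPEM together with Client instead of ignoring CAPEM.
func buildClient(o options) (*http.Client, error) {
	pool := x509.NewCertPool()
	switch {
	case o.Client != nil && len(o.CAPEM) > 0:
		return nil, fmt.Errorf("CAPEM and Client are mutually exclusive")
	case o.Client != nil:
		return o.Client, nil
	case !pool.AppendCertsFromPEM(o.CAPEM):
		return nil, fmt.Errorf("CAPEM holds no usable certificate")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

// demo fetches from a constructed TLS server three ways and returns each error.
func demo() (pinned, system, both error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	get := func(o options) error {
		c, err := buildClient(o)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	return get(options{CAPEM: ca}), get(options{Client: &http.Client{}}), get(options{CAPEM: ca, Client: &http.Client{}})
}

func main() { fmt.Println(demo()) }
```

The second result is the x509 verification failure that the PR's test comment calls an unknown CA error: a plain client trusts only the system roots, so the server's private CA is rejected.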