Commit bae26c20 authored by deads2k's avatar deads2k

fix delegated authn client cert presentation

parent 79a956c1
...@@ -99,7 +99,7 @@ function start_discovery { ...@@ -99,7 +99,7 @@ function start_discovery {
sleep 1 sleep 1
# create the "normal" api services for the core API server # create the "normal" api services for the core API server
${kubectl} --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices" --token="foo/system:masters" ${kubectl} --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices"
} }
kube::util::test_openssl_installed kube::util::test_openssl_installed
......
...@@ -312,23 +312,30 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti ...@@ -312,23 +312,30 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
return c, nil return c, nil
} }
if c.SecureServingInfo != nil { var err error
if o.ClientCert != nil && len(o.ClientCert.ClientCA) > 0 { if o.ClientCert != nil {
clientCAs, err := certutil.CertsFromFile(o.ClientCert.ClientCA) c, err = c.applyClientCert(o.ClientCert.ClientCA)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to load client CA file: %v", err) return nil, fmt.Errorf("unable to load client CA file: %v", err)
} }
if c.SecureServingInfo.ClientCA == nil {
c.SecureServingInfo.ClientCA = x509.NewCertPool()
} }
for _, cert := range clientCAs { if o.RequestHeader != nil {
c.SecureServingInfo.ClientCA.AddCert(cert) c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
if err != nil {
return nil, fmt.Errorf("unable to load client CA file: %v", err)
} }
} }
if o.RequestHeader != nil && len(o.RequestHeader.ClientCAFile) > 0 {
clientCAs, err := certutil.CertsFromFile(o.RequestHeader.ClientCAFile) c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
return c, nil
}
func (c *Config) applyClientCert(clientCAFile string) (*Config, error) {
if c.SecureServingInfo != nil {
if len(clientCAFile) > 0 {
clientCAs, err := certutil.CertsFromFile(clientCAFile)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to load requestheader client CA file: %v", err) return nil, fmt.Errorf("unable to load client CA file: %v", err)
} }
if c.SecureServingInfo.ClientCA == nil { if c.SecureServingInfo.ClientCA == nil {
c.SecureServingInfo.ClientCA = x509.NewCertPool() c.SecureServingInfo.ClientCA = x509.NewCertPool()
...@@ -339,7 +346,6 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti ...@@ -339,7 +346,6 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
} }
} }
c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
return c, nil return c, nil
} }
...@@ -348,6 +354,16 @@ func (c *Config) ApplyDelegatingAuthenticationOptions(o *options.DelegatingAuthe ...@@ -348,6 +354,16 @@ func (c *Config) ApplyDelegatingAuthenticationOptions(o *options.DelegatingAuthe
return c, nil return c, nil
} }
var err error
c, err = c.applyClientCert(o.ClientCert.ClientCA)
if err != nil {
return nil, fmt.Errorf("unable to load client CA file: %v", err)
}
c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
if err != nil {
return nil, fmt.Errorf("unable to load client CA file: %v", err)
}
cfg, err := o.ToAuthenticationConfig() cfg, err := o.ToAuthenticationConfig()
if err != nil { if err != nil {
return nil, err return nil, err
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment