Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
c8604653
Unverified
Commit
c8604653
authored
Nov 05, 2018
by
k8s-ci-robot
Committed by
GitHub
Nov 05, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #70449 from mikedanese/simplcache
remove webhook cache implementation and replace with token cache
parents
c86944b5
0ec4d6d3
Hide whitespace changes
Inline
Side-by-side
Showing
13 changed files
with
68 additions
and
46 deletions
+68
-46
config.go
pkg/kubeapiserver/authenticator/config.go
+3
-3
Godeps.json
...ing/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json
+4
-0
BUILD
...o/apiserver/pkg/authentication/authenticatorfactory/BUILD
+1
-0
delegating.go
...ver/pkg/authentication/authenticatorfactory/delegating.go
+4
-2
cached_token_authenticator.go
.../authentication/token/cache/cached_token_authenticator.go
+8
-3
cached_token_authenticator_test.go
...entication/token/cache/cached_token_authenticator_test.go
+2
-2
BUILD
...io/apiserver/plugin/pkg/authenticator/token/webhook/BUILD
+2
-1
webhook.go
...iserver/plugin/pkg/authenticator/token/webhook/webhook.go
+23
-28
webhook_test.go
...er/plugin/pkg/authenticator/token/webhook/webhook_test.go
+9
-5
Godeps.json
staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json
+4
-0
Godeps.json
staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json
+4
-0
BUILD
test/integration/auth/BUILD
+1
-0
auth_test.go
test/integration/auth/auth_test.go
+3
-2
No files found.
pkg/kubeapiserver/authenticator/config.go
View file @
c8604653
...
@@ -178,7 +178,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
...
@@ -178,7 +178,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
tokenAuth
:=
tokenunion
.
New
(
tokenAuthenticators
...
)
tokenAuth
:=
tokenunion
.
New
(
tokenAuthenticators
...
)
// Optionally cache authentication results
// Optionally cache authentication results
if
config
.
TokenSuccessCacheTTL
>
0
||
config
.
TokenFailureCacheTTL
>
0
{
if
config
.
TokenSuccessCacheTTL
>
0
||
config
.
TokenFailureCacheTTL
>
0
{
tokenAuth
=
tokencache
.
New
(
tokenAuth
,
config
.
TokenSuccessCacheTTL
,
config
.
TokenFailureCacheTTL
)
tokenAuth
=
tokencache
.
New
(
tokenAuth
,
true
,
config
.
TokenSuccessCacheTTL
,
config
.
TokenFailureCacheTTL
)
}
}
authenticators
=
append
(
authenticators
,
bearertoken
.
New
(
tokenAuth
),
websocket
.
NewProtocolAuthenticator
(
tokenAuth
))
authenticators
=
append
(
authenticators
,
bearertoken
.
New
(
tokenAuth
),
websocket
.
NewProtocolAuthenticator
(
tokenAuth
))
securityDefinitions
[
"BearerToken"
]
=
&
spec
.
SecurityScheme
{
securityDefinitions
[
"BearerToken"
]
=
&
spec
.
SecurityScheme
{
...
@@ -316,10 +316,10 @@ func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Reques
...
@@ -316,10 +316,10 @@ func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Reques
}
}
func
newWebhookTokenAuthenticator
(
webhookConfigFile
string
,
ttl
time
.
Duration
)
(
authenticator
.
Token
,
error
)
{
func
newWebhookTokenAuthenticator
(
webhookConfigFile
string
,
ttl
time
.
Duration
)
(
authenticator
.
Token
,
error
)
{
webhookTokenAuthenticator
,
err
:=
webhook
.
New
(
webhookConfigFile
,
ttl
)
webhookTokenAuthenticator
,
err
:=
webhook
.
New
(
webhookConfigFile
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
return
webhookTokenAuthenticator
,
nil
return
tokencache
.
New
(
webhookTokenAuthenticator
,
false
,
ttl
,
ttl
)
,
nil
}
}
staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json
View file @
c8604653
...
@@ -1407,6 +1407,10 @@
...
@@ -1407,6 +1407,10 @@
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
{
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/cache"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
...
...
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/BUILD
View file @
c8604653
...
@@ -23,6 +23,7 @@ go_library(
...
@@ -23,6 +23,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
...
...
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
View file @
c8604653
...
@@ -31,6 +31,7 @@ import (
...
@@ -31,6 +31,7 @@ import (
unionauth
"k8s.io/apiserver/pkg/authentication/request/union"
unionauth
"k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509"
"k8s.io/apiserver/pkg/authentication/request/x509"
"k8s.io/apiserver/pkg/authentication/token/cache"
webhooktoken
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
webhooktoken
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
authenticationclient
"k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
authenticationclient
"k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/cert"
...
@@ -85,11 +86,12 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
...
@@ -85,11 +86,12 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
}
}
if
c
.
TokenAccessReviewClient
!=
nil
{
if
c
.
TokenAccessReviewClient
!=
nil
{
tokenAuth
,
err
:=
webhooktoken
.
NewFromInterface
(
c
.
TokenAccessReviewClient
,
c
.
CacheTTL
)
tokenAuth
,
err
:=
webhooktoken
.
NewFromInterface
(
c
.
TokenAccessReviewClient
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
err
return
nil
,
nil
,
err
}
}
authenticators
=
append
(
authenticators
,
bearertoken
.
New
(
tokenAuth
),
websocket
.
NewProtocolAuthenticator
(
tokenAuth
))
cachingTokenAuth
:=
cache
.
New
(
tokenAuth
,
false
,
c
.
CacheTTL
,
c
.
CacheTTL
)
authenticators
=
append
(
authenticators
,
bearertoken
.
New
(
cachingTokenAuth
),
websocket
.
NewProtocolAuthenticator
(
cachingTokenAuth
))
securityDefinitions
[
"BearerToken"
]
=
&
spec
.
SecurityScheme
{
securityDefinitions
[
"BearerToken"
]
=
&
spec
.
SecurityScheme
{
SecuritySchemeProps
:
spec
.
SecuritySchemeProps
{
SecuritySchemeProps
:
spec
.
SecuritySchemeProps
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
View file @
c8604653
...
@@ -35,6 +35,7 @@ type cacheRecord struct {
...
@@ -35,6 +35,7 @@ type cacheRecord struct {
type
cachedTokenAuthenticator
struct
{
type
cachedTokenAuthenticator
struct
{
authenticator
authenticator
.
Token
authenticator
authenticator
.
Token
cacheErrs
bool
successTTL
time
.
Duration
successTTL
time
.
Duration
failureTTL
time
.
Duration
failureTTL
time
.
Duration
...
@@ -51,13 +52,14 @@ type cache interface {
...
@@ -51,13 +52,14 @@ type cache interface {
}
}
// New returns a token authenticator that caches the results of the specified authenticator. A ttl of 0 bypasses the cache.
// New returns a token authenticator that caches the results of the specified authenticator. A ttl of 0 bypasses the cache.
func
New
(
authenticator
authenticator
.
Token
,
successTTL
,
failureTTL
time
.
Duration
)
authenticator
.
Token
{
func
New
(
authenticator
authenticator
.
Token
,
cacheErrs
bool
,
successTTL
,
failureTTL
time
.
Duration
)
authenticator
.
Token
{
return
newWithClock
(
authenticator
,
successTTL
,
failureTTL
,
utilclock
.
RealClock
{})
return
newWithClock
(
authenticator
,
cacheErrs
,
successTTL
,
failureTTL
,
utilclock
.
RealClock
{})
}
}
func
newWithClock
(
authenticator
authenticator
.
Token
,
successTTL
,
failureTTL
time
.
Duration
,
clock
utilclock
.
Clock
)
authenticator
.
Token
{
func
newWithClock
(
authenticator
authenticator
.
Token
,
cacheErrs
bool
,
successTTL
,
failureTTL
time
.
Duration
,
clock
utilclock
.
Clock
)
authenticator
.
Token
{
return
&
cachedTokenAuthenticator
{
return
&
cachedTokenAuthenticator
{
authenticator
:
authenticator
,
authenticator
:
authenticator
,
cacheErrs
:
cacheErrs
,
successTTL
:
successTTL
,
successTTL
:
successTTL
,
failureTTL
:
failureTTL
,
failureTTL
:
failureTTL
,
cache
:
newStripedCache
(
32
,
fnvHashFunc
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
)
}),
cache
:
newStripedCache
(
32
,
fnvHashFunc
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
)
}),
...
@@ -74,6 +76,9 @@ func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token
...
@@ -74,6 +76,9 @@ func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token
}
}
resp
,
ok
,
err
:=
a
.
authenticator
.
AuthenticateToken
(
ctx
,
token
)
resp
,
ok
,
err
:=
a
.
authenticator
.
AuthenticateToken
(
ctx
,
token
)
if
!
a
.
cacheErrs
&&
err
!=
nil
{
return
resp
,
ok
,
err
}
switch
{
switch
{
case
ok
&&
a
.
successTTL
>
0
:
case
ok
&&
a
.
successTTL
>
0
:
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
View file @
c8604653
...
@@ -41,7 +41,7 @@ func TestCachedTokenAuthenticator(t *testing.T) {
...
@@ -41,7 +41,7 @@ func TestCachedTokenAuthenticator(t *testing.T) {
})
})
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
a
:=
newWithClock
(
fakeAuth
,
time
.
Minute
,
0
,
fakeClock
)
a
:=
newWithClock
(
fakeAuth
,
t
rue
,
t
ime
.
Minute
,
0
,
fakeClock
)
calledWithToken
,
resultUsers
,
resultOk
,
resultErr
=
[]
string
{},
nil
,
false
,
nil
calledWithToken
,
resultUsers
,
resultOk
,
resultErr
=
[]
string
{},
nil
,
false
,
nil
a
.
AuthenticateToken
(
context
.
Background
(),
"bad1"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad1"
)
...
@@ -113,7 +113,7 @@ func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
...
@@ -113,7 +113,7 @@ func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
})
})
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
a
:=
newWithClock
(
fakeAuth
,
time
.
Minute
,
0
,
fakeClock
)
a
:=
newWithClock
(
fakeAuth
,
t
rue
,
t
ime
.
Minute
,
0
,
fakeClock
)
resultUsers
[
"audAusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1"
}
resultUsers
[
"audAusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1"
}
resultUsers
[
"audBusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1-different"
}
resultUsers
[
"audBusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1-different"
}
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/BUILD
View file @
c8604653
...
@@ -16,6 +16,8 @@ go_test(
...
@@ -16,6 +16,8 @@ go_test(
deps = [
deps = [
"//staging/src/k8s.io/api/authentication/v1beta1:go_default_library",
"//staging/src/k8s.io/api/authentication/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library",
"//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library",
],
],
...
@@ -30,7 +32,6 @@ go_library(
...
@@ -30,7 +32,6 @@ go_library(
"//staging/src/k8s.io/api/authentication/v1beta1:go_default_library",
"//staging/src/k8s.io/api/authentication/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/cache:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook.go
View file @
c8604653
...
@@ -26,7 +26,6 @@ import (
...
@@ -26,7 +26,6 @@ import (
authentication
"k8s.io/api/authentication/v1beta1"
authentication
"k8s.io/api/authentication/v1beta1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/cache"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/util/webhook"
"k8s.io/apiserver/pkg/util/webhook"
...
@@ -45,28 +44,29 @@ var _ authenticator.Token = (*WebhookTokenAuthenticator)(nil)
...
@@ -45,28 +44,29 @@ var _ authenticator.Token = (*WebhookTokenAuthenticator)(nil)
type
WebhookTokenAuthenticator
struct
{
type
WebhookTokenAuthenticator
struct
{
tokenReview
authenticationclient
.
TokenReviewInterface
tokenReview
authenticationclient
.
TokenReviewInterface
responseCache
*
cache
.
LRUExpireCache
ttl
time
.
Duration
initialBackoff
time
.
Duration
initialBackoff
time
.
Duration
}
}
// NewFromInterface creates a webhook authenticator using the given tokenReview client
// NewFromInterface creates a webhook authenticator using the given tokenReview
func
NewFromInterface
(
tokenReview
authenticationclient
.
TokenReviewInterface
,
ttl
time
.
Duration
)
(
*
WebhookTokenAuthenticator
,
error
)
{
// client. It is recommend to wrap this authenticator with the token cache
return
newWithBackoff
(
tokenReview
,
ttl
,
retryBackoff
)
// authenticator implemented in
// k8s.io/apiserver/pkg/authentication/token/cache.
func
NewFromInterface
(
tokenReview
authenticationclient
.
TokenReviewInterface
)
(
*
WebhookTokenAuthenticator
,
error
)
{
return
newWithBackoff
(
tokenReview
,
retryBackoff
)
}
}
// New creates a new WebhookTokenAuthenticator from the provided kubeconfig file.
// New creates a new WebhookTokenAuthenticator from the provided kubeconfig file.
func
New
(
kubeConfigFile
string
,
ttl
time
.
Duration
)
(
*
WebhookTokenAuthenticator
,
error
)
{
func
New
(
kubeConfigFile
string
)
(
*
WebhookTokenAuthenticator
,
error
)
{
tokenReview
,
err
:=
tokenReviewInterfaceFromKubeconfig
(
kubeConfigFile
)
tokenReview
,
err
:=
tokenReviewInterfaceFromKubeconfig
(
kubeConfigFile
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
return
newWithBackoff
(
tokenReview
,
ttl
,
retryBackoff
)
return
newWithBackoff
(
tokenReview
,
retryBackoff
)
}
}
// newWithBackoff allows tests to skip the sleep.
// newWithBackoff allows tests to skip the sleep.
func
newWithBackoff
(
tokenReview
authenticationclient
.
TokenReviewInterface
,
ttl
,
initialBackoff
time
.
Duration
)
(
*
WebhookTokenAuthenticator
,
error
)
{
func
newWithBackoff
(
tokenReview
authenticationclient
.
TokenReviewInterface
,
initialBackoff
time
.
Duration
)
(
*
WebhookTokenAuthenticator
,
error
)
{
return
&
WebhookTokenAuthenticator
{
tokenReview
,
cache
.
NewLRUExpireCache
(
1024
),
ttl
,
initialBackoff
},
nil
return
&
WebhookTokenAuthenticator
{
tokenReview
,
initialBackoff
},
nil
}
}
// AuthenticateToken implements the authenticator.Token interface.
// AuthenticateToken implements the authenticator.Token interface.
...
@@ -74,25 +74,20 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(ctx context.Context, token
...
@@ -74,25 +74,20 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(ctx context.Context, token
r
:=
&
authentication
.
TokenReview
{
r
:=
&
authentication
.
TokenReview
{
Spec
:
authentication
.
TokenReviewSpec
{
Token
:
token
},
Spec
:
authentication
.
TokenReviewSpec
{
Token
:
token
},
}
}
if
entry
,
ok
:=
w
.
responseCache
.
Get
(
r
.
Spec
);
ok
{
var
(
r
.
Status
=
entry
.
(
authentication
.
TokenReviewStatus
)
result
*
authentication
.
TokenReview
}
else
{
err
error
var
(
)
result
*
authentication
.
TokenReview
webhook
.
WithExponentialBackoff
(
w
.
initialBackoff
,
func
()
error
{
err
error
result
,
err
=
w
.
tokenReview
.
Create
(
r
)
)
return
err
webhook
.
WithExponentialBackoff
(
w
.
initialBackoff
,
func
()
error
{
})
result
,
err
=
w
.
tokenReview
.
Create
(
r
)
if
err
!=
nil
{
return
err
// An error here indicates bad configuration or an outage. Log for debugging.
})
glog
.
Errorf
(
"Failed to make webhook authenticator request: %v"
,
err
)
if
err
!=
nil
{
return
nil
,
false
,
err
// An error here indicates bad configuration or an outage. Log for debugging.
glog
.
Errorf
(
"Failed to make webhook authenticator request: %v"
,
err
)
return
nil
,
false
,
err
}
r
.
Status
=
result
.
Status
w
.
responseCache
.
Add
(
r
.
Spec
,
result
.
Status
,
w
.
ttl
)
}
}
r
.
Status
=
result
.
Status
if
!
r
.
Status
.
Authenticated
{
if
!
r
.
Status
.
Authenticated
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_test.go
View file @
c8604653
...
@@ -33,6 +33,8 @@ import (
...
@@ -33,6 +33,8 @@ import (
"k8s.io/api/authentication/v1beta1"
"k8s.io/api/authentication/v1beta1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/token/cache"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/client-go/tools/clientcmd/api/v1"
"k8s.io/client-go/tools/clientcmd/api/v1"
)
)
...
@@ -166,7 +168,7 @@ func (m *mockService) HTTPStatusCode() int { return m.statusCode }
...
@@ -166,7 +168,7 @@ func (m *mockService) HTTPStatusCode() int { return m.statusCode }
// newTokenAuthenticator creates a temporary kubeconfig file from the provided
// newTokenAuthenticator creates a temporary kubeconfig file from the provided
// arguments and attempts to load a new WebhookTokenAuthenticator from it.
// arguments and attempts to load a new WebhookTokenAuthenticator from it.
func
newTokenAuthenticator
(
serverURL
string
,
clientCert
,
clientKey
,
ca
[]
byte
,
cacheTime
time
.
Duration
)
(
*
WebhookTokenAuthenticator
,
error
)
{
func
newTokenAuthenticator
(
serverURL
string
,
clientCert
,
clientKey
,
ca
[]
byte
,
cacheTime
time
.
Duration
)
(
authenticator
.
Token
,
error
)
{
tempfile
,
err
:=
ioutil
.
TempFile
(
""
,
""
)
tempfile
,
err
:=
ioutil
.
TempFile
(
""
,
""
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
...
@@ -194,7 +196,12 @@ func newTokenAuthenticator(serverURL string, clientCert, clientKey, ca []byte, c
...
@@ -194,7 +196,12 @@ func newTokenAuthenticator(serverURL string, clientCert, clientKey, ca []byte, c
return
nil
,
err
return
nil
,
err
}
}
return
newWithBackoff
(
c
,
cacheTime
,
0
)
authn
,
err
:=
newWithBackoff
(
c
,
0
)
if
err
!=
nil
{
return
nil
,
err
}
return
cache
.
New
(
authn
,
false
,
cacheTime
,
cacheTime
),
nil
}
}
func
TestTLSConfig
(
t
*
testing
.
T
)
{
func
TestTLSConfig
(
t
*
testing
.
T
)
{
...
@@ -549,15 +556,12 @@ func TestWebhookCacheAndRetry(t *testing.T) {
...
@@ -549,15 +556,12 @@ func TestWebhookCacheAndRetry(t *testing.T) {
_
,
ok
,
err
:=
wh
.
AuthenticateToken
(
context
.
Background
(),
testcase
.
token
)
_
,
ok
,
err
:=
wh
.
AuthenticateToken
(
context
.
Background
(),
testcase
.
token
)
hasError
:=
err
!=
nil
hasError
:=
err
!=
nil
if
hasError
!=
testcase
.
expectError
{
if
hasError
!=
testcase
.
expectError
{
t
.
Log
(
testcase
.
description
)
t
.
Errorf
(
"Webhook returned HTTP %d, expected error=%v, but got error %v"
,
testcase
.
code
,
testcase
.
expectError
,
err
)
t
.
Errorf
(
"Webhook returned HTTP %d, expected error=%v, but got error %v"
,
testcase
.
code
,
testcase
.
expectError
,
err
)
}
}
if
serv
.
called
!=
testcase
.
expectCalls
{
if
serv
.
called
!=
testcase
.
expectCalls
{
t
.
Log
(
testcase
.
description
)
t
.
Errorf
(
"Expected %d calls, got %d"
,
testcase
.
expectCalls
,
serv
.
called
)
t
.
Errorf
(
"Expected %d calls, got %d"
,
testcase
.
expectCalls
,
serv
.
called
)
}
}
if
ok
!=
testcase
.
expectOk
{
if
ok
!=
testcase
.
expectOk
{
t
.
Log
(
testcase
.
description
)
t
.
Errorf
(
"Expected ok=%v, got %v"
,
testcase
.
expectOk
,
ok
)
t
.
Errorf
(
"Expected ok=%v, got %v"
,
testcase
.
expectOk
,
ok
)
}
}
})
})
...
...
staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json
View file @
c8604653
...
@@ -1007,6 +1007,10 @@
...
@@ -1007,6 +1007,10 @@
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
{
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/cache"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
...
...
staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json
View file @
c8604653
...
@@ -971,6 +971,10 @@
...
@@ -971,6 +971,10 @@
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
{
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/cache"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"ImportPath"
:
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
,
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"Rev"
:
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
},
...
...
test/integration/auth/BUILD
View file @
c8604653
...
@@ -62,6 +62,7 @@ go_test(
...
@@ -62,6 +62,7 @@ go_test(
"//staging/src/k8s.io/apiserver/pkg/authentication/group:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/group:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
...
...
test/integration/auth/auth_test.go
View file @
c8604653
...
@@ -40,6 +40,7 @@ import (
...
@@ -40,6 +40,7 @@ import (
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/token/cache"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
...
@@ -84,11 +85,11 @@ func getTestWebhookTokenAuth(serverURL string) (authenticator.Request, error) {
...
@@ -84,11 +85,11 @@ func getTestWebhookTokenAuth(serverURL string) (authenticator.Request, error) {
if
err
:=
json
.
NewEncoder
(
kubecfgFile
)
.
Encode
(
config
);
err
!=
nil
{
if
err
:=
json
.
NewEncoder
(
kubecfgFile
)
.
Encode
(
config
);
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
webhookTokenAuth
,
err
:=
webhook
.
New
(
kubecfgFile
.
Name
()
,
2
*
time
.
Minute
)
webhookTokenAuth
,
err
:=
webhook
.
New
(
kubecfgFile
.
Name
())
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
return
bearertoken
.
New
(
webhookTokenAuth
),
nil
return
bearertoken
.
New
(
cache
.
New
(
webhookTokenAuth
,
false
,
2
*
time
.
Minute
,
2
*
time
.
Minute
)
),
nil
}
}
func
path
(
resource
,
namespace
,
name
string
)
string
{
func
path
(
resource
,
namespace
,
name
string
)
string
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment