From 28573e373fd1d3da58719457efdf6ff56bd011ed Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 16 Jun 2025 15:07:47 -0700 Subject: [PATCH] Add error prefixes for authn config load or validation failures Signed-off-by: Anish Ramasekar --- pkg/kubeapiserver/options/authentication.go | 4 +-- .../options/authentication_test.go | 32 +++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index 81b12cc34c1..a8cea8abee1 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -491,7 +491,7 @@ func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat if len(o.AuthenticationConfigFile) > 0 { var err error if ret.AuthenticationConfig, ret.AuthenticationConfigData, err = loadAuthenticationConfig(o.AuthenticationConfigFile); err != nil { - return kubeauthenticator.Config{}, err + return kubeauthenticator.Config{}, fmt.Errorf("failed to load authentication configuration from file %q: %w", o.AuthenticationConfigFile, err) } } else { ret.AuthenticationConfig = &apiserver.AuthenticationConfiguration{} @@ -577,7 +577,7 @@ func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat } if err := apiservervalidation.ValidateAuthenticationConfiguration(authenticationcel.NewDefaultCompiler(), ret.AuthenticationConfig, ret.ServiceAccountIssuers).ToAggregate(); err != nil { - return kubeauthenticator.Config{}, err + return kubeauthenticator.Config{}, fmt.Errorf("invalid authentication configuration: %w", err) } if o.RequestHeader != nil { diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go index 30092faded2..4075e39d3e7 100644 --- a/pkg/kubeapiserver/options/authentication_test.go +++ b/pkg/kubeapiserver/options/authentication_test.go @@ -799,6 +799,7 @@ func TestToAuthenticationConfig_OIDC(t *testing.T) { name string args []string expectConfig kubeauthenticator.Config + expectErr string }{ { name: "username prefix is '-'", @@ -1038,6 +1039,29 @@ jwt: OIDCSigningAlgs: []string{"ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"}, }, }, + { + name: "authentication config file not found", + args: []string{ + "--authentication-config=nonexistent-file", + }, + expectErr: `failed to load authentication configuration from file "nonexistent-file": open nonexistent-file: no such file or directory`, + expectConfig: kubeauthenticator.Config{}, + }, + { + name: "authentication config validation error", + args: []string{ + "--authentication-config=" + writeTempFile(t, ` +apiVersion: apiserver.config.k8s.io/v1 +kind: AuthenticationConfiguration +jwt: +- issuer: + url: https://test-issuer + audiences: [ "🐼" ] +`), + }, + expectErr: "invalid authentication configuration: jwt[0].claimMappings.username: Required value: claim or expression is required", + expectConfig: kubeauthenticator.Config{}, + }, } for _, testcase := range testCases { @@ -1051,9 +1075,13 @@ jwt: } resultConfig, err := opts.ToAuthenticationConfig() - if err != nil { - t.Fatal(err) + if (err != nil) != (testcase.expectErr != "") { + t.Fatalf("Got err: %v; Want err: %v", err, testcase.expectErr) } + if len(testcase.expectErr) > 0 && !strings.Contains(err.Error(), testcase.expectErr) { + t.Fatalf("Got err: %v; Want err: %v", err, testcase.expectErr) + } + if !reflect.DeepEqual(resultConfig, testcase.expectConfig) { t.Error(cmp.Diff(resultConfig, testcase.expectConfig)) }