Merge pull request #99860 from chewong/fix-99470

agnhost: resolve service account issuer URL before invoking oidc.NewProvider
2025-07-22 19:31:44 +00:00 · 2021-03-16 14:49:30 -07:00 · 2021-03-16 14:49:30 -07:00 · 72cc3f2112
commit 72cc3f2112
parent 97f59e9431 573535691b
4 changed files with 38 additions and 3 deletions
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@ -18,7 +18,7 @@ dependencies:

  # agnhost: bump this one first
  - name: "agnhost"
-    version: "2.29"
+    version: "2.30"
    refPaths:
    - path: test/images/agnhost/VERSION
      match: \d.\d
--- a/test/images/agnhost/VERSION
+++ b/test/images/agnhost/VERSION
@ -1 +1 @@
-2.29
+2.30
--- a/test/images/agnhost/agnhost.go
+++ b/test/images/agnhost/agnhost.go
@ -51,7 +51,7 @@ import (
 func main() {
 	rootCmd := &cobra.Command{
 		Use:     "app",
-		Version: "2.29",
+		Version: "2.30",
 	}

 	rootCmd.AddCommand(auditproxy.CmdAuditProxy)
--- a/test/images/agnhost/openidmetadata/openidmetadata.go
+++ b/test/images/agnhost/openidmetadata/openidmetadata.go
@ -23,12 +23,17 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"net/http"
+	"net/url"
+	"runtime"
+	"time"

 	oidc "github.com/coreos/go-oidc"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2/jwt"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/rest"
 )

@ -80,6 +85,12 @@ func main(cmd *cobra.Command, args []string) {
 	log.Printf("OK: got issuer %s", unsafeClaims.Issuer)
 	log.Printf("Full, not-validated claims: \n%#v", unsafeClaims)

+	if runtime.GOOS == "windows" {
+		if err := ensureWindowsDNSAvailability(unsafeClaims.Issuer); err != nil {
+			log.Fatal(err)
+		}
+	}
+
 	iss, err := oidc.NewProvider(ctx, unsafeClaims.Issuer)
 	if err != nil {
 		log.Fatal(err)
@ -162,3 +173,27 @@ func withOAuth2Client(context.Context) (context.Context, error) {
 		})
 	return ctx, nil
 }
+
+// DNS can be available sometime after the container starts due to the way
+// networking is set up for Windows nodes with dockershim as the container runtime.
+// In this case, we should make sure we are able to resolve the issuer before
+// invoking oidc.NewProvider.
+// See https://github.com/kubernetes/kubernetes/issues/99470 for more details.
+func ensureWindowsDNSAvailability(issuer string) error {
+	log.Println("Ensuring Windows DNS availability")
+
+	u, err := url.Parse(issuer)
+	if err != nil {
+		return err
+	}
+
+	return wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+		ips, err := net.LookupHost(u.Host)
+		if err != nil {
+			log.Println(err)
+			return false, nil
+		}
+		log.Printf("OK: Resolved host %s: %v", u.Host, ips)
+		return true, nil
+	})
+}
 @ -1 +1 @@
 .29
 .30