github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 14:37:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #99860 from chewong/fix-99470

Browse Source 
agnhost: resolve service account issuer URL before invoking oidc.NewProvider
This commit is contained in:
Kubernetes Prow Robot 2021-03-16 14:49:30 -07:00 committed by GitHub
commit 72cc3f2112
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build/dependencies.yaml
View File

@ -18,7 +18,7 @@ dependencies:
# agnhost: bump this one first # agnhost: bump this one first
- name: "agnhost" - name: "agnhost"
version: "2.29" version: "2.30"
refPaths: refPaths:
- path: test/images/agnhost/VERSION - path: test/images/agnhost/VERSION
match: \d.\d match: \d.\d

2
test/images/agnhost/VERSION
View File

@ -1 +1 @@
2.29 2.30

2
test/images/agnhost/agnhost.go
View File

@ -51,7 +51,7 @@ import (
func main() { func main() {
rootCmd := &cobra.Command{ rootCmd := &cobra.Command{
Use: "app", Use: "app",
Version: "2.29", Version: "2.30",
} }
rootCmd.AddCommand(auditproxy.CmdAuditProxy) rootCmd.AddCommand(auditproxy.CmdAuditProxy)

35
test/images/agnhost/openidmetadata/openidmetadata.go
View File

@ -23,12 +23,17 @@ import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"log" "log"
"net"
"net/http" "net/http"
"net/url"
"runtime"
"time"
oidc "github.com/coreos/go-oidc" oidc "github.com/coreos/go-oidc"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/oauth2" "golang.org/x/oauth2"
"gopkg.in/square/go-jose.v2/jwt" "gopkg.in/square/go-jose.v2/jwt"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
) )
@ -80,6 +85,12 @@ func main(cmd *cobra.Command, args []string) {
log.Printf("OK: got issuer %s", unsafeClaims.Issuer) log.Printf("OK: got issuer %s", unsafeClaims.Issuer)
log.Printf("Full, not-validated claims: \n%#v", unsafeClaims) log.Printf("Full, not-validated claims: \n%#v", unsafeClaims)
if runtime.GOOS == "windows" {
if err := ensureWindowsDNSAvailability(unsafeClaims.Issuer); err != nil {
log.Fatal(err)
}
}
iss, err := oidc.NewProvider(ctx, unsafeClaims.Issuer) iss, err := oidc.NewProvider(ctx, unsafeClaims.Issuer)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
@ -162,3 +173,27 @@ func withOAuth2Client(context.Context) (context.Context, error) {
}) })
return ctx, nil return ctx, nil
} }
// DNS can be available sometime after the container starts due to the way
// networking is set up for Windows nodes with dockershim as the container runtime.
// In this case, we should make sure we are able to resolve the issuer before
// invoking oidc.NewProvider.
// See https://github.com/kubernetes/kubernetes/issues/99470 for more details.
func ensureWindowsDNSAvailability(issuer string) error {
log.Println("Ensuring Windows DNS availability")
u, err := url.Parse(issuer)
if err != nil {
return err
}
return wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
ips, err := net.LookupHost(u.Host)
if err != nil {
log.Println(err)
return false, nil
}
log.Printf("OK: Resolved host %s: %v", u.Host, ips)
return true, nil
})
}