Merge pull request #100055 from enj/enj/i/delegated_authn_client_ca

delegated authn: allow client CA override based on non-empty opts
Kubernetes Prow Robot 2021-03-10 22:42:23 -08:00 committed by GitHub
commit 98500aa6a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -290,16 +290,16 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.Aut
} }
// get the clientCA information // get the clientCA information
clientCAFileSpecified := len(s.ClientCert.ClientCA) > 0 clientCASpecified := s.ClientCert != ClientCertAuthenticationOptions{}
var clientCAProvider dynamiccertificates.CAContentProvider var clientCAProvider dynamiccertificates.CAContentProvider
if clientCAFileSpecified { if clientCASpecified {
clientCAProvider, err = s.ClientCert.GetClientCAContentProvider() clientCAProvider, err = s.ClientCert.GetClientCAContentProvider()
if err != nil { if err != nil {
return fmt.Errorf("unable to load client CA file %q: %v", s.ClientCert.ClientCA, err) return fmt.Errorf("unable to load client CA provider: %v", err)
} }
cfg.ClientCertificateCAContentProvider = clientCAProvider cfg.ClientCertificateCAContentProvider = clientCAProvider
if err = authenticationInfo.ApplyClientCert(cfg.ClientCertificateCAContentProvider, servingInfo); err != nil { if err = authenticationInfo.ApplyClientCert(cfg.ClientCertificateCAContentProvider, servingInfo); err != nil {
return fmt.Errorf("unable to assign client CA file: %v", err) return fmt.Errorf("unable to assign client CA provider: %v", err)
} }
} else if !s.SkipInClusterLookup { } else if !s.SkipInClusterLookup {