fix delegated authn client cert presentation
parent
79a956c197
commit
bae26c2030
@ -99,7 +99,7 @@ function start_discovery {
|
||||
sleep 1
|
||||
|
||||
# create the "normal" api services for the core API server
|
||||
${kubectl} --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices" --token="foo/system:masters"
|
||||
${kubectl} --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices"
|
||||
}
|
||||
|
||||
kube::util::test_openssl_installed
|
||||
|
@ -312,9 +312,28 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
|
||||
return c, nil
|
||||
}
|
||||
|
||||
var err error
|
||||
if o.ClientCert != nil {
|
||||
c, err = c.applyClientCert(o.ClientCert.ClientCA)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load client CA file: %v", err)
|
||||
}
|
||||
}
|
||||
if o.RequestHeader != nil {
|
||||
c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load client CA file: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func (c *Config) applyClientCert(clientCAFile string) (*Config, error) {
|
||||
if c.SecureServingInfo != nil {
|
||||
if o.ClientCert != nil && len(o.ClientCert.ClientCA) > 0 {
|
||||
clientCAs, err := certutil.CertsFromFile(o.ClientCert.ClientCA)
|
||||
if len(clientCAFile) > 0 {
|
||||
clientCAs, err := certutil.CertsFromFile(clientCAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load client CA file: %v", err)
|
||||
}
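Review bot: The RequestHeader branch now returns `fmt.Errorf("unable to load client CA file: %v", err)` after `c.applyClientCert(o.RequestHeader.ClientCAFile)`, the same text as the ClientCert branch, whereas the removed code reported `unable to load requestheader client CA file`; an operator who sets both flags can no longer tell from the error which file failed to load. Keep the distinct message for that branch, `return nil, fmt.Errorf("unable to load requestheader client CA file: %v", err)`; the same duplicated message appears in ApplyDelegatingAuthenticationOptions further down. The new `applyClientCert` method also has no doc comment; something like `// applyClientCert appends the certificates in clientCAFile to the secure serving client CA pool; an empty path or nil SecureServingInfo appears to leave c unchanged.` would help, with the no-op claim confirmed against the part of the body that lies beyond this hunk.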
|
||||
@ -325,21 +344,8 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
|
||||
c.SecureServingInfo.ClientCA.AddCert(cert)
|
||||
}
|
||||
}
|
||||
if o.RequestHeader != nil && len(o.RequestHeader.ClientCAFile) > 0 {
|
||||
clientCAs, err := certutil.CertsFromFile(o.RequestHeader.ClientCAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load requestheader client CA file: %v", err)
|
||||
}
|
||||
if c.SecureServingInfo.ClientCA == nil {
|
||||
c.SecureServingInfo.ClientCA = x509.NewCertPool()
|
||||
}
|
||||
for _, cert := range clientCAs {
|
||||
c.SecureServingInfo.ClientCA.AddCert(cert)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
|
||||
return c, nil
|
||||
}
|
||||
|
||||
@ -348,6 +354,16 @@ func (c *Config) ApplyDelegatingAuthenticationOptions(o *options.DelegatingAuthe
|
||||
return c, nil
|
||||
}
|
||||
|
||||
var err error
|
||||
c, err = c.applyClientCert(o.ClientCert.ClientCA)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load client CA file: %v", err)
|
||||
}
|
||||
c, err = c.applyClientCert(o.RequestHeader.ClientCAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load client CA file: %v", err)
|
||||
}
|
||||
|
||||
cfg, err := o.ToAuthenticationConfig()
|
||||
if err != nil {
|
||||
return nil, err
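Review bot: `c.applyClientCert(o.ClientCert.ClientCA)` and `c.applyClientCert(o.RequestHeader.ClientCAFile)` are called here without the `o.ClientCert != nil` / `o.RequestHeader != nil` guards that the built-in path in this same commit uses; if those fields are pointers on DelegatingAuthenticationOptions as they evidently are on BuiltInAuthenticationOptions, a caller that leaves one unset panics with a nil dereference instead of receiving an error. Wrap each call in `if o.ClientCert != nil { ... }` and `if o.RequestHeader != nil { ... }`, or state in a comment that both options are required for delegated authentication. The second error should also read `unable to load requestheader client CA file: %v` so the two failures are distinguishable. The enclosing function continues past the end of this hunk.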
|
||||
|