Merge pull request kubernetes-client#1916 from vgupta3/oidc-idp-ca-cert-file-support
Add support for using oidc CA certificate file while refreshing token
2 parents 3fb24ad + f740c63 commit d199529


2 files changed

+55
-0
lines changed


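--- a/kubernetes/base/config/kube_config.py
+++ b/kubernetes/base/config/kube_config.py
@@ -439,6 +439,9 @@ def _refresh_oidc(self, provider):
 
 config.ssl_ca_cert = ca_cert.name
 
+elif 'idp-certificate-authority' in provider['config']:
+config.ssl_ca_cert = provider['config']['idp-certificate-authority']
+
 else:
 config.verify_ssl = False
 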
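Review bot: The new `elif` hands the kubeconfig value to `config.ssl_ca_cert` exactly as written, so a misspelled or relative `idp-certificate-authority` path is only discovered when the token-refresh request fails its TLS handshake, not when the config is loaded; a guard such as `ca_file = provider['config']['idp-certificate-authority']` followed by `if not os.path.isfile(ca_file): raise ConfigException('idp-certificate-authority file not found: %s' % ca_file)` (I believe `os` and `ConfigException` are already in scope in this module — confirm) would turn that into a clear configuration error. Failing closed on a bad path is the right outcome, in contrast to the pre-existing `else` branch that switches `verify_ssl` off, so the branch deserves a one-line comment such as `# CA bundle path from kubeconfig is used verbatim; it is not resolved relative to the kubeconfig file`. `_refresh_oidc` starts and ends outside this hunk, so its docstring should also be updated to list the new key alongside the `-data` variant.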

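--- a/kubernetes/base/config/kube_config_test.py
+++ b/kubernetes/base/config/kube_config_test.py
@@ -17,6 +17,7 @@
 import io
 import json
 import os
+from pprint import pprint
 import shutil
 import tempfile
 import unittest
@@ -485,6 +486,13 @@ class TestKubeConfigLoader(BaseTestCase):
 "user": "expired_oidc"
 }
 },
+{
+"name": "expired_oidc_with_idp_ca_file",
+"context": {
+"cluster": "default",
+"user": "expired_oidc_with_idp_ca_file"
+}
+},
 {
 "name": "expired_oidc_nocert",
 "context": {
@@ -799,6 +807,23 @@ class TestKubeConfigLoader(BaseTestCase):
 }
 }
 },
+{
+"name": "expired_oidc_with_idp_ca_file",
+"user": {
+"auth-provider": {
+"name": "oidc",
+"config": {
+"client-id": "tectonic-kubectl",
+"client-secret": "FAKE_SECRET",
+"id-token": TEST_OIDC_EXPIRED_LOGIN,
+"idp-certificate-authority": TEST_CERTIFICATE_AUTH,
+"idp-issuer-url": "https://example.org/identity",
+"refresh-token":
+"lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+}
+}
+}
+},
 {
 "name": "expired_oidc_nocert",
 "user": {
@@ -1059,6 +1084,33 @@ def test_oidc_with_refresh(self, mock_ApiClient, mock_OAuth2Session):
 self.assertTrue(loader._load_auth_provider_token())
 self.assertEqual("Bearer abc123", loader.token)
 
+@mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
+@mock.patch('kubernetes.config.kube_config.ApiClient.request')
+def test_oidc_with_idp_ca_file_refresh(self, mock_ApiClient, mock_OAuth2Session):
+mock_response = mock.MagicMock()
+type(mock_response).status = mock.PropertyMock(
+return_value=200
+)
+type(mock_response).data = mock.PropertyMock(
+return_value=json.dumps({
+"token_endpoint": "https://example.org/identity/token"
+})
+)
+
+mock_ApiClient.return_value = mock_response
+
+mock_OAuth2Session.return_value = {"id_token": "abc123",
+"refresh_token": "newtoken123"}
+
+loader = KubeConfigLoader(
+config_dict=self.TEST_KUBE_CONFIG,
+active_context="expired_oidc_with_idp_ca_file",
+)
+
+
+self.assertTrue(loader._load_auth_provider_token())
+self.assertEqual("Bearer abc123", loader.token)
+
 @mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
 @mock.patch('kubernetes.config.kube_config.ApiClient.request')
 def test_oidc_with_refresh_nocert(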
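Review bot: `test_oidc_with_idp_ca_file_refresh` passes whether or not the new `elif` in kube_config.py exists, because it only asserts the bearer token, and a provider carrying `idp-certificate-authority` without the `-data` key previously fell through to the `else` branch and obtained the same token. To actually exercise the change, assert that the configuration used for the refresh request received the CA path — for example by patching `kubernetes.config.kube_config.ApiClient` itself rather than only `ApiClient.request` and checking `ssl_ca_cert` on the `configuration` it was constructed with (assuming `_refresh_oidc` builds the client from the `config` object the other file's hunk assigns to — confirm). Also worth confirming is the fixture value `"idp-certificate-authority": TEST_CERTIFICATE_AUTH`: if that constant holds PEM text rather than a file path, as its name suggests, the new branch is being pointed at a non-existent file and the test only passes because nothing opens it; a `tempfile` written with the CA bytes would be the honest fixture. Finally, `from pprint import pprint` added in the first hunk is not used by the new test and should be dropped.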
