Merge pull request jetstack#183 from justinas-b/master

ISSUE-180 Updating CluserRole to include userextras/remote-client-ip
bobsongplus · Jun 14, 2022 · 7c6e865 · 7c6e865
2 parents 6b1aae9 + 76b2ffc
commit 7c6e865
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 29 deletions.
diff --git a/Makefile b/Makefile
@@ -59,14 +59,11 @@ depend: $(BINDIR)/mockgen $(BINDIR)/kubectl $(BINDIR)/golangci-lint
 verify_boilerplate:
 	$(HACK_DIR)/verify-boilerplate.sh
 
-go_fmt:
-	@set -e; \
-	GO_FMT=$$(git ls-files *.go | xargs gofmt -d); \
-	if [ -n "$${GO_FMT}" ] ; then \
-		echo "Please run go fmt"; \
-		echo "$$GO_FMT"; \
-		exit 1; \
-	fi
+go_fmt: ## Run go fmt against code.
+	go fmt ./...
+
+go_vet: ## Run go vet against code.
+	go vet ./...
 
 go_vet:
 	go vet ./cmd
@@ -82,8 +79,10 @@ clean: ## clean up created files
 		$(CURDIR)/test/e2e/framework/issuer/bin \
 		$(CURDIR)/test/e2e/framework/fake-apiserver/bin
 
+#TODO: verfiy
 verify: depend verify_boilerplate go_fmt go_vet go_lint ## verify code and mod
 
+#TODO what is go generate
 generate: depend ## generates mocks and assets files
 	go generate $$(go list ./pkg/... ./cmd/...)
 

diff --git a/cmd/app/options/options.go b/cmd/app/options/options.go
@@ -7,8 +7,8 @@ import (
 
 	"github.com/spf13/cobra"
 	k8sErrors "k8s.io/apimachinery/pkg/util/errors"
-	"k8s.io/apiserver/pkg/util/term"
 	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/component-base/term"
 )
 
 const (

diff --git a/deploy/yaml/kube-oidc-proxy.yaml b/deploy/yaml/kube-oidc-proxy.yaml
@@ -135,6 +135,7 @@ rules:
   - "authentication.k8s.io"
   resources:
   - "userextras/scopes"
+  - "userextras/remote-client-ip"
   - "tokenreviews"
   verbs:
   - "create"

diff --git a/go.mod b/go.mod
@@ -1,24 +1,11 @@
-module github.com/jetstack/kube-oidc-proxy
+module kube-oidc-proxy
 
-go 1.13
+go 1.18
 
 require (
-	github.com/golang/mock v1.2.0
-	github.com/heptiolabs/healthcheck v0.0.0-20180807145615-6ff867650f40
-	github.com/onsi/ginkgo v1.11.0
-	github.com/onsi/gomega v1.7.0
-	github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35
-	github.com/sirupsen/logrus v1.4.2
-	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.5
-	gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.3.1
-	k8s.io/api v0.18.0
-	k8s.io/apimachinery v0.18.0
-	k8s.io/apiserver v0.18.0
-	k8s.io/cli-runtime v0.18.0
-	k8s.io/client-go v0.18.0
-	k8s.io/component-base v0.18.0
-	k8s.io/klog v1.0.0
-	sigs.k8s.io/kind v0.7.0
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d // indirect
+	k8s.io/component-base v0.24.1 // indirect
+	k8s.io/apiserver v0.24.1
 )
diff --git a/hack/tools/tools.go b/hack/tools/tools.go
@@ -1,3 +1,4 @@
+//go:build tools
 // +build tools
 
 // Copyright Jetstack Ltd. See LICENSE for details.

diff --git a/pkg/proxy/handlers.go b/pkg/proxy/handlers.go
@@ -33,6 +33,7 @@ func (p *Proxy) withAuthenticateRequest(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		// Auth request and handle unauthed
 		info, ok, err := p.oidcRequestAuther.AuthenticateRequest(req)
+		klog.Error(err)
 		if err != nil {
 			// Since we have failed OIDC auth, we will try a token review, if enabled.
 			tokenReviewHandler.ServeHTTP(rw, req)
@@ -41,6 +42,7 @@ func (p *Proxy) withAuthenticateRequest(handler http.Handler) http.Handler {
 
 		// Failed authorization
 		if !ok {
+			klog.Info(ok)
 			p.handleError(rw, req, errUnauthorized)
 			return
 		}
@@ -62,12 +64,14 @@ func (p *Proxy) withTokenReview(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		// If token review is not enabled then error.
 		if !p.config.TokenReview {
+			klog.Info(p.config.TokenReview)
 			p.handleError(rw, req, errUnauthorized)
 			return
 		}
 
 		// Attempt to passthrough request if valid token
 		if !p.reviewToken(rw, req) {
+			klog.Info("reviewToken")
 			// Token review failed so error
 			p.handleError(rw, req, errUnauthorized)
 			return
@@ -102,13 +106,15 @@ func (p *Proxy) withImpersonateRequest(handler http.Handler) http.Handler {
 		}
 
 		if p.hasImpersonation(req.Header) {
+			klog.Info(req.Header)
 			p.handleError(rw, req, errImpersonateHeader)
 			return
 		}
 
 		user, ok := genericapirequest.UserFrom(req.Context())
 		// No name available so reject request
 		if !ok || len(user.GetName()) == 0 {
+			klog.Info(errNoName)
 			p.handleError(rw, req, errNoName)
 			return
 		}