pomerium-cli: kubernetes fixes (#1176)

* pomerium-cli: fix kubernetes token caching * pomerium-cli: fix error hanging * add options for TLS
2025-04-29 18:36:30 +02:00 · 2020-07-31 13:51:48 -06:00 · 2020-07-31 13:51:48 -06:00 · 4115c67d93
commit 4115c67d93
parent c8d3baccff
2 changed files with 53 additions and 1 deletions
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@ -2,6 +2,9 @@ package main

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@ -19,7 +22,20 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )

+var kubernetesExecCredentialOption struct {
+	disableTLSVerification bool
+	alternateCAPath        string
+	caCert                 string
+}
+
 func init() {
+	flags := kubernetesExecCredentialCmd.Flags()
+	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
+		"disables TLS verification")
+	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
+		"path to CA certificate to use for HTTP requests")
+	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
+		"base64-encoded CA TLS certificate to use for HTTP requests")
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@ -97,6 +113,11 @@ func runHTTPServer(ctx context.Context, li net.Listener, incomingJWT chan string
 			go func() { _ = srv.Shutdown(ctx) }()
 		}),
 	}
+	// shutdown the server when ctx is done.
+	go func() {
+		<-ctx.Done()
+		_ = srv.Shutdown(ctx)
+	}()
 	err := srv.Serve(li)
 	if err == http.ErrServerClosed {
 		err = nil
@ -112,12 +133,42 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 		}.Encode(),
 	})

+	ctx, clearTimeout := context.WithTimeout(ctx, 10*time.Second)
+	defer clearTimeout()
+
 	req, err := http.NewRequestWithContext(ctx, "GET", dst.String(), nil)
 	if err != nil {
 		return err
 	}

-	res, err := http.DefaultClient.Do(req)
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+	if kubernetesExecCredentialOption.disableTLSVerification {
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}
+	if kubernetesExecCredentialOption.alternateCAPath != "" {
+		data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+	if kubernetesExecCredentialOption.caCert != "" {
+		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	res, err := client.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to get login url: %w", err)
 	}
--- a/go.sum
+++ b/go.sum
@ -589,6 +589,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200115085410-6d4e4cb37c7d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=