pomerium-cli: kubernetes fixes (#1176)

* pomerium-cli: fix kubernetes token caching * pomerium-cli: fix error hanging * add options for TLS
2025-05-24 22:47:14 +02:00 · 2020-07-31 13:51:48 -06:00 · 2020-07-31 13:51:48 -06:00 · 4115c67d93
commit 4115c67d93
parent c8d3baccff
2 changed files with 53 additions and 1 deletions
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@ -2,6 +2,9 @@ package main

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@ -19,7 +22,20 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )

+var kubernetesExecCredentialOption struct {
+	disableTLSVerification bool
+	alternateCAPath        string
+	caCert                 string
+}
+
 func init() {
+	flags := kubernetesExecCredentialCmd.Flags()
+	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
+		"disables TLS verification")
+	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
+		"path to CA certificate to use for HTTP requests")
+	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
+		"base64-encoded CA TLS certificate to use for HTTP requests")
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@ -97,6 +113,11 @@ func runHTTPServer(ctx context.Context, li net.Listener, incomingJWT chan string
 			go func() { _ = srv.Shutdown(ctx) }()
 		}),
 	}
+	// shutdown the server when ctx is done.
+	go func() {
+		<-ctx.Done()
+		_ = srv.Shutdown(ctx)
+	}()
 	err := srv.Serve(li)
 	if err == http.ErrServerClosed {
 		err = nil
@ -112,12 +133,42 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 		}.Encode(),
 	})

+	ctx, clearTimeout := context.WithTimeout(ctx, 10*time.Second)
+	defer clearTimeout()
+
 	req, err := http.NewRequestWithContext(ctx, "GET", dst.String(), nil)
 	if err != nil {
 		return err
 	}

-	res, err := http.DefaultClient.Do(req)
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+	if kubernetesExecCredentialOption.disableTLSVerification {
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}
+	if kubernetesExecCredentialOption.alternateCAPath != "" {
+		data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+	if kubernetesExecCredentialOption.caCert != "" {
+		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	res, err := client.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to get login url: %w", err)
 	}