pomerium-cli: kubernetes fixes (#1176)

* pomerium-cli: fix kubernetes token caching * pomerium-cli: fix error hanging * add options for TLS
2025-04-30 02:46:30 +02:00 · 2020-07-31 13:51:48 -06:00 · 2020-07-31 13:51:48 -06:00 · 4115c67d93
commit 4115c67d93
parent c8d3baccff
2 changed files with 53 additions and 1 deletions
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@ -2,6 +2,9 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@ -19,7 +22,20 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 var kubernetesExecCredentialOption struct {
 	disableTLSVerification bool
 	alternateCAPath        string
 	caCert                 string
 }
 func init() {
 	flags := kubernetesExecCredentialCmd.Flags()
 	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
 		"disables TLS verification")
 	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
 		"path to CA certificate to use for HTTP requests")
 	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
 		"base64-encoded CA TLS certificate to use for HTTP requests")
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@ -97,6 +113,11 @@ func runHTTPServer(ctx context.Context, li net.Listener, incomingJWT chan string
 			go func() { _ = srv.Shutdown(ctx) }()
 		}),
 	}
 	// shutdown the server when ctx is done.
 	go func() {
 		<-ctx.Done()
 		_ = srv.Shutdown(ctx)
 	}()
 	err := srv.Serve(li)
 	if err == http.ErrServerClosed {
 		err = nil
@ -112,12 +133,42 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 		}.Encode(),
 	})
 	ctx, clearTimeout := context.WithTimeout(ctx, 10*time.Second)
 	defer clearTimeout()
 	req, err := http.NewRequestWithContext(ctx, "GET", dst.String(), nil)
 	if err != nil {
 		return err
 	}
-	res, err := http.DefaultClient.Do(req)
+	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{},
 	}
 	if kubernetesExecCredentialOption.disableTLSVerification {
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 	if kubernetesExecCredentialOption.alternateCAPath != "" {
 		data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
 		if err != nil {
 			return fmt.Errorf("error reading CA certificate: %w", err)
 		}
 		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
 		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
 	}
 	if kubernetesExecCredentialOption.caCert != "" {
 		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
 		if err != nil {
 			return fmt.Errorf("error reading CA certificate: %w", err)
 		}
 		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
 		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
 	}
 	client := &http.Client{
 		Transport: transport,
 	}
 	res, err := client.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to get login url: %w", err)
 	}
--- a/go.sum
+++ b/go.sum
@ -589,6 +589,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200115085410-6d4e4cb37c7d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=