storage/kubernetes: Removing Kubernetes TPR support
Third Party Resources (TPR) have been removed from Kubernetes for roughly 2 years. This commit removes the support dex had for them. Documentation has been updated to reflect this and to instruct users on how to migrate from a TPR-powered dex environment to a Custom Resource Definition (CRD) based one that dex > v2.17 will support.
@@ -253,7 +253,7 @@ func (c *client) put(resource, name string, v interface{}) error {
return checkHTTPErr(resp, http.StatusOK)
}
func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger log.Logger, useTPR bool) (*client, error) {
func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger log.Logger) (*client, error) {
tlsConfig := cryptopasta.DefaultTLSConfig()
data := func(b string, file string) ([]byte, error) {
if b != "" {
@@ -329,11 +329,7 @@ func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, l
}
}
// the API Group and version differ depending on if CRDs or TPRs are used.
apiVersion := "dex.coreos.com/v1"
if useTPR {
apiVersion = "oidc.coreos.com/v1"
}
logger.Infof("kubernetes client apiVersion = %s", apiVersion)
return &client{
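Review bot: The API group now switches unconditionally from `oidc.coreos.com` to `dex.coreos.com` (`apiVersion := "dex.coreos.com/v1"`), and the visible part of newClient does nothing to notice objects still stored under the old group on an upgraded cluster. The TPR kinds deleted elsewhere in this commit include signing keys, refresh tokens and passwords, so after migration that material lingers as objects dex no longer manages until an operator removes them. Suggest a comment above the assignment so the next reader knows the switch is deliberate and where the cleanup is documented, e.g. `// Only the CRD API group is supported; clusters migrated from the TPR group (oidc.coreos.com) must delete the old objects themselves, see the migration doc.` The string could also become a package-level const now that it is fixed. newClient's body continues outside the hunk.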
@@ -16,32 +16,6 @@ limitations under the License.
package k8sapi
// A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource
// types to the API. It consists of one or more Versions of the api.
type ThirdPartyResource struct {
TypeMeta `json:",inline"`
// Standard object metadata
ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Description is the description of this object.
Description string `json:"description,omitempty" protobuf:"bytes,2,opt,name=description"`
// Versions are versions for this third party object
Versions []APIVersion `json:"versions,omitempty" protobuf:"bytes,3,rep,name=versions"`
}
// ThirdPartyResourceList is a list of ThirdPartyResources.
type ThirdPartyResourceList struct {
TypeMeta `json:",inline"`
// Standard list metadata.
ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Items is the list of ThirdPartyResources.
Items []ThirdPartyResource `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// An APIVersion represents a single concrete version of an object model.
type APIVersion struct {
// Name of this version (e.g. 'v1').
@@ -38,7 +38,6 @@ const (
type Config struct {
InCluster bool `json:"inCluster"`
KubeConfigFile string `json:"kubeConfigFile"`
UseTPR bool `json:"useTPR"` // Flag option to use TPRs instead of CRDs
}
// Open returns a storage using Kubernetes third party resource.
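Review bot: The doc comment on `Open` right below the struct still reads `// Open returns a storage using Kubernetes third party resource.` even though this hunk removes the `UseTPR` field and the commit drops TPR support; it should read `// Open returns a storage backed by Kubernetes custom resource definitions.` Dropping the `useTPR` JSON key also means an older config file that still sets it will, if the decoder ignores unknown fields, silently start dex against the CRD group; whether that happens depends on the config decoder, which is not visible here, but an explicit rejection or warning for that key during the migration window would make the upgrade path harder to get wrong.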
@@ -78,7 +77,7 @@ func (c *Config) open(logger log.Logger, waitForResources bool) (*client, error)
return nil, err
}
cli, err := newClient(cluster, user, namespace, logger, c.UseTPR)
cli, err := newClient(cluster, user, namespace, logger)
if err != nil {
return nil, fmt.Errorf("create client: %v", err)
}
@@ -86,7 +85,7 @@ func (c *Config) open(logger log.Logger, waitForResources bool) (*client, error)
ctx, cancel := context.WithCancel(context.Background())
logger.Info("creating custom Kubernetes resources")
if !cli.registerCustomResources(c.UseTPR) {
if !cli.registerCustomResources() {
if waitForResources {
cancel()
return nil, fmt.Errorf("failed creating custom resources")
@@ -98,7 +97,7 @@ func (c *Config) open(logger log.Logger, waitForResources bool) (*client, error)
logger.Errorf("failed creating custom resources: %v", err)
go func() {
for {
if cli.registerCustomResources(c.UseTPR) {
if cli.registerCustomResources() {
return
}
@@ -125,39 +124,28 @@ func (c *Config) open(logger log.Logger, waitForResources bool) (*client, error)
// registerCustomResources attempts to create the custom resources dex
// requires or identifies that they're already enabled. This function creates
// third party resources(TPRs) or custom resource definitions(CRDs) depending
// on the `useTPR` flag passed in as an argument.
// custom resource definitions(CRDs)
// It logs all errors, returning true if the resources were created successfully.
//
// Creating a custom resource does not mean that they'll be immediately available.
func (cli *client) registerCustomResources(useTPR bool) (ok bool) {
func (cli *client) registerCustomResources() (ok bool) {
ok = true
length := len(customResourceDefinitions)
if useTPR {
length = len(thirdPartyResources)
}
for i := 0; i < length; i++ {
var err error
var resourceName string
if useTPR {
r := thirdPartyResources[i]
err = cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
resourceName = r.ObjectMeta.Name
r := customResourceDefinitions[i]
var i interface{}
cli.logger.Infof("checking if custom resource %s has been created already...", r.ObjectMeta.Name)
if err := cli.list(r.Spec.Names.Plural, &i); err == nil {
cli.logger.Infof("The custom resource %s already available, skipping create", r.ObjectMeta.Name)
continue
} else {
r := customResourceDefinitions[i]
var i interface{}
cli.logger.Infof("checking if custom resource %s has been created already...", r.ObjectMeta.Name)
if err := cli.list(r.Spec.Names.Plural, &i); err == nil {
cli.logger.Infof("The custom resource %s already available, skipping create", r.ObjectMeta.Name)
continue
} else {
cli.logger.Infof("failed to list custom resource %s, attempting to create: %v", r.ObjectMeta.Name, err)
}
err = cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinitions", r)
resourceName = r.ObjectMeta.Name
cli.logger.Infof("failed to list custom resource %s, attempting to create: %v", r.ObjectMeta.Name, err)
}
err = cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinitions", r)
resourceName = r.ObjectMeta.Name
if err != nil {
switch err {
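Review bot: In the new loop body `var i interface{}` shadows the loop index declared by `for i := 0; i < length; i++`; it only works because `r := customResourceDefinitions[i]` is evaluated before the shadow, and a shadow linter will flag it. Now that only CRDs are iterated the index is unnecessary: drop `length`, write `for _, r := range customResourceDefinitions {`, and rename the list receiver to `var existing interface{}` with `cli.list(r.Spec.Names.Plural, &existing)`. The rewritten doc comment also loses its sentence end; `// custom resource definitions (CRDs).` reads cleanly before "It logs all errors". The function body continues past the hunk, which is cut at `switch err {`.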
@@ -424,7 +412,7 @@ func (cli *client) DeleteRefresh(id string) error {
}
func (cli *client) DeletePassword(email string) error {
// Check for hash collition.
// Check for hash collision.
p, err := cli.getPassword(email)
if err != nil {
return err
@@ -433,7 +421,7 @@ func (cli *client) DeletePassword(email string) error {
}
func (cli *client) DeleteOfflineSessions(userID string, connID string) error {
// Check for hash collition.
// Check for hash collision.
o, err := cli.getOfflineSessions(userID, connID)
if err != nil {
return err
@@ -10,80 +10,6 @@ import (
"github.com/dexidp/dex/storage/kubernetes/k8sapi"
)
var tprMeta = k8sapi.TypeMeta{
APIVersion: "extensions/v1beta1",
Kind: "ThirdPartyResource",
}
// The set of third party resources required by the storage. These are managed by
// the storage so it can migrate itself by creating new resources.
var thirdPartyResources = []k8sapi.ThirdPartyResource{
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "auth-code.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "A code which can be claimed for an access token.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "auth-request.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "A request for an end user to authorize a client.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "o-auth2-client.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "An OpenID Connect client.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "signing-key.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Keys used to sign and verify OpenID Connect tokens.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "refresh-token.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Refresh tokens for clients to continuously act on behalf of an end user.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "password.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Passwords managed by the OIDC server.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "offline-sessions.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "User sessions with an active refresh token.",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
{
ObjectMeta: k8sapi.ObjectMeta{
Name: "connector.oidc.coreos.com",
},
TypeMeta: tprMeta,
Description: "Connectors available for login",
Versions: []k8sapi.APIVersion{{Name: "v1"}},
},
}
var crdMeta = k8sapi.TypeMeta{
APIVersion: "apiextensions.k8s.io/v1beta1",
Kind: "CustomResourceDefinition",