diff --git a/kubernetes/base/config/kube_config.py b/kubernetes/base/config/kube_config.py
index ed70df0ca8..b932678714 100644
--- a/kubernetes/base/config/kube_config.py
+++ b/kubernetes/base/config/kube_config.py
@@ -439,6 +439,9 @@ def _refresh_oidc(self, provider):
 config.ssl_ca_cert = ca_cert.name
+ elif 'idp-certificate-authority' in provider['config']:
+ config.ssl_ca_cert = provider['config']['idp-certificate-authority']
+
 else:
 config.verify_ssl = False
diff --git a/kubernetes/base/config/kube_config_test.py b/kubernetes/base/config/kube_config_test.py
index 6233e977df..da0d2f35c6 100644
--- a/kubernetes/base/config/kube_config_test.py
+++ b/kubernetes/base/config/kube_config_test.py
@@ -17,6 +17,7 @@
 import io
 import json
 import os
+from pprint import pprint
 import shutil
 import tempfile
 import unittest
@@ -485,6 +486,13 @@ class TestKubeConfigLoader(BaseTestCase):
 "user": "expired_oidc" } },
+ { "name": "expired_oidc_with_idp_ca_file", "context": { "cluster": "default", "user": "expired_oidc_with_idp_ca_file" } }, { "name": "expired_oidc_nocert", "context": {
@@ -799,6 +807,23 @@ class TestKubeConfigLoader(BaseTestCase):
 } } },
+ { "name": "expired_oidc_with_idp_ca_file", "user": { "auth-provider": { "name": "oidc", "config": { "client-id": "tectonic-kubectl", "client-secret": "FAKE_SECRET", "id-token": TEST_OIDC_EXPIRED_LOGIN, "idp-certificate-authority": TEST_CERTIFICATE_AUTH, "idp-issuer-url": "https://example.org/identity", "refresh-token": "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk" } } } }, { "name": "expired_oidc_nocert", "user": {
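Review bot: The added `elif` assigns the raw `idp-certificate-authority` string from the kubeconfig to `config.ssl_ca_cert` without resolving or checking the path, so a path written relative to the kubeconfig file is presumably resolved against the process's working directory by the TLS layer, and a missing or unreadable file surfaces only as an error from the later token-endpoint request rather than as a configuration error. If this loader already routes the cluster's `certificate-authority` through its file-or-data helper with the kubeconfig's base path (not visible from this hunk), the same helper belongs here, roughly `config.ssl_ca_cert = FileOrData(provider['config'], 'idp-certificate-authority', file_base_path=self._config_base_path).as_file()`; otherwise at least apply `os.path.expanduser` and raise `ConfigException` up front when `os.path.isfile` is false. The surrounding `else: config.verify_ssl = False` is pre-existing, but it is worth noting that omitting both CA keys still disables certificate verification for the refresh instead of falling back to the system trust store, which deserves a follow-up. `_refresh_oidc` begins before this hunk, so the `-data` branch and the construction of `config` are not visible.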
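Review bot: `from pprint import pprint` is added to the test module's imports, but no added line in this diff uses it, which reads as a leftover debugging aid. Drop the line rather than ship an unused import; if it is used elsewhere in the file that I cannot see, a short `# used by ...` note next to it would save the next reader the same question.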
@@ -1059,6 +1084,33 @@ def test_oidc_with_refresh(self, mock_ApiClient, mock_OAuth2Session):
 self.assertTrue(loader._load_auth_provider_token())
 self.assertEqual("Bearer abc123", loader.token)
+ @mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
+ @mock.patch('kubernetes.config.kube_config.ApiClient.request')
+ def test_oidc_with_idp_ca_file_refresh(self, mock_ApiClient, mock_OAuth2Session):
+ mock_response = mock.MagicMock()
+ type(mock_response).status = mock.PropertyMock(
+ return_value=200
+ )
+ type(mock_response).data = mock.PropertyMock(
+ return_value=json.dumps({
+ "token_endpoint": "https://example.org/identity/token"
+ })
+ )
+
+ mock_ApiClient.return_value = mock_response
+
+ mock_OAuth2Session.return_value = {"id_token": "abc123",
+ "refresh_token": "newtoken123"}
+
+ loader = KubeConfigLoader(
+ config_dict=self.TEST_KUBE_CONFIG,
+ active_context="expired_oidc_with_idp_ca_file",
+ )
+
+
+ self.assertTrue(loader._load_auth_provider_token())
+ self.assertEqual("Bearer abc123", loader.token)
+
 @mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
 @mock.patch('kubernetes.config.kube_config.ApiClient.request')
 def test_oidc_with_refresh_nocert(
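Review bot: `test_oidc_with_idp_ca_file_refresh` never checks that the configured CA file reached the client: `ApiClient.request` is patched at class level and returns a canned discovery document, so the test passes whether `ssl_ca_cert` was set or the code fell through to the `verify_ssl = False` branch, and it would not catch a regression of the very branch this commit adds. Patch with `autospec=True` so the mock receives the `ApiClient` instance, then assert on its configuration, e.g. `self.assertEqual(TEST_CERTIFICATE_AUTH, mock_ApiClient.call_args[0][0].configuration.ssl_ca_cert)` — the exact attribute path depends on how `_refresh_oidc` builds the client, which is not in this diff, so confirm it against that code. The two blank lines before `self.assertTrue` and the trailing blank line added before the next decorator are minor style noise worth tidying, and `mock_ApiClient` is really the `request` mock, a naming quirk inherited from the neighbouring tests.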