Merge pull request #147 from JoshVanL/update-k8s-1.18

Updates Kubernetes discrepancies to v1.18

Author: jetstack-bot

cmd/app/options/oidc.go

@@ -10,7 +10,6 @@ import (
 )
 
 type OIDCAuthenticationOptions struct {
-	APIAudiences   []string
 	CAFile         string
 	ClientID       string
 	IssuerURL      string
@@ -35,11 +34,6 @@ func (o *OIDCAuthenticationOptions) Validate() error {
 }
 
 func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) *OIDCAuthenticationOptions {
-	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
-		"Identifiers of the API. This can be used as an additional list of "+
-		"identifiers that exist in the target audiences of requests when "+
-		"authenticating with OIDC.")
-
 	fs.StringVar(&o.IssuerURL, "oidc-issuer-url", o.IssuerURL, ""+
 		"The URL of the OpenID issuer, only HTTPS scheme will be accepted.")
 

cmd/app/run.go

@@ -91,7 +91,7 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 			}
 
 			// Create a fake JWT to set up readiness probe
-			fakeJWT, err := util.FakeJWT(opts.OIDCAuthentication.IssuerURL, opts.OIDCAuthentication.APIAudiences)
+			fakeJWT, err := util.FakeJWT(opts.OIDCAuthentication.IssuerURL)
 			if err != nil {
 				return err
 			}

deploy/charts/kube-oidc-proxy/templates/deployment.yaml

@@ -59,9 +59,6 @@ spec:
           {{- if .Values.oidc.requiredClaims }}
           - "--oidc-signing-algs=$(OIDC_REQUIRED_CLAIMS)"
           {{ end }}
-          {{- if .Values.oidc.apiAudiences }}
-          - "--api-audiences=$(API_AUDIENCES)"
-          {{ end }}
           {{- if .Values.tokenPassthrough.enabled }}
           - "--token-passthrough"
           {{- if .Values.tokenPassthrough.audiences }}
@@ -130,13 +127,6 @@ spec:
               name: {{ include "kube-oidc-proxy.fullname" . }}-config
               key: oidc.required-claims
         {{ end }}
-        {{- if .Values.oidc.apiAudiences }}
-        - name: API_AUDIENCES
-          valueFrom:
-            secretKeyRef:
-              name: {{ include "kube-oidc-proxy.fullname" . }}-config
-              key: api-audiences
-        {{ end }}
         volumeMounts:
           {{- if .Values.oidc.caPEM }}
           - name: kube-oidc-proxy-config

deploy/charts/kube-oidc-proxy/templates/secret_config.yaml

@@ -21,12 +21,9 @@ data:
   {{ if .Values.oidc.requiredClaims }}
   oidc.required-claims: {{ include "requiredClaims" . | b64enc }}
   {{- end }}
-  {{- if .Values.oidc.apiAudiences -}}
-  api-audiences: {{ join "," .Values.oidc.apiAudiences | b64enc }}
-  {{- end }}
 kind: Secret
 metadata:
   name: {{ include "kube-oidc-proxy.fullname" . }}-config
   labels:
 {{ include "kube-oidc-proxy.labels" . | indent 4 }}
-type: Opaque
+type: Opaque

deploy/charts/kube-oidc-proxy/values.yaml

@@ -39,7 +39,7 @@ oidc:
   usernameClaim: ""
 
   # PEM encoded value of CA cert that will verify TLS connection to
-  # OIDC issuer URL. If not provided default hosts root CA's will be used.
+  # OIDC issuer URL. If not provided, default hosts root CA's will be used.
   caPEM:
 
   usernamePrefix:
@@ -49,7 +49,6 @@ oidc:
   signingAlgs:
     - RS256
   requiredClaims: {}
-  apiAudiences: []
 
 # To enable token passthrough feature
 # https://github.com/jetstack/kube-oidc-proxy/blob/master/docs/tasks/token-passthrough.md

go.mod

@@ -5,20 +5,20 @@ go 1.13
 require (
 	github.com/golang/mock v1.2.0
 	github.com/heptiolabs/healthcheck v0.0.0-20180807145615-6ff867650f40
-	github.com/onsi/ginkgo v1.10.1
+	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.7.0
 	github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35
 	github.com/sirupsen/logrus v1.4.2
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/pflag v1.0.5
 	gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.3.1
-	k8s.io/api v0.17.0
-	k8s.io/apimachinery v0.17.0
-	k8s.io/apiserver v0.17.0
-	k8s.io/cli-runtime v0.17.0
-	k8s.io/client-go v0.17.0
-	k8s.io/component-base v0.17.0
+	k8s.io/api v0.18.0
+	k8s.io/apimachinery v0.18.0
+	k8s.io/apiserver v0.18.0
+	k8s.io/cli-runtime v0.18.0
+	k8s.io/client-go v0.18.0
+	k8s.io/component-base v0.18.0
 	k8s.io/klog v1.0.0
 	sigs.k8s.io/kind v0.7.0
 )

go.sum

@@ -14,6 +14,10 @@ import (
 	"k8s.io/klog"
 )
 
+const (
+	timeout = time.Second * 10
+)
+
 type HealthCheck struct {
 	handler healthcheck.Handler
 
@@ -50,7 +54,10 @@ func (h *HealthCheck) Check() error {
 		return nil
 	}
 
-	_, _, err := h.oidcAuther.AuthenticateToken(context.Background(), h.fakeJWT)
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	_, _, err := h.oidcAuther.AuthenticateToken(ctx, h.fakeJWT)
 	if err != nil && strings.HasSuffix(err.Error(), "authenticator not initialized") {
 		err = fmt.Errorf("OIDC provider not yet initialized: %s", err)
 		klog.V(4).Infof(err.Error())

pkg/probe/probe.go

@@ -38,7 +38,7 @@ func TestRun(t *testing.T) {
 		t.FailNow()
 	}
 
-	fakeJWT, err := util.FakeJWT("issuer", nil)
+	fakeJWT, err := util.FakeJWT("issuer")
 	if err != nil {
 		t.Error(err.Error())
 		t.FailNow()

pkg/probe/probe_test.go

@@ -80,7 +80,6 @@ func New(restConfig *rest.Config,
 
 	// generate tokenAuther from oidc config
 	tokenAuther, err := oidc.New(oidc.Options{
-		APIAudiences:         oidcOptions.APIAudiences,
 		CAFile:               oidcOptions.CAFile,
 		ClientID:             oidcOptions.ClientID,
 		GroupsClaim:          oidcOptions.GroupsClaim,