Readiness check through blackbox usage

* This seems to be a clearer approach than #92 #93

Signed-off-by: Christian Simon <[email protected]>

Author: simonswine

cmd/app/run.go

@@ -9,11 +9,11 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
-	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/server"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/term"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/rest"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/cli/globalflag"
@@ -86,23 +86,6 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				}
 			}
 
-			// oidc config
-			oidcAuther, err := oidc.New(oidc.Options{
-				APIAudiences:         oidcOptions.APIAudiences,
-				CAFile:               oidcOptions.CAFile,
-				ClientID:             oidcOptions.ClientID,
-				GroupsClaim:          oidcOptions.GroupsClaim,
-				GroupsPrefix:         oidcOptions.GroupsPrefix,
-				IssuerURL:            oidcOptions.IssuerURL,
-				RequiredClaims:       oidcOptions.RequiredClaims,
-				SupportedSigningAlgs: oidcOptions.SigningAlgs,
-				UsernameClaim:        oidcOptions.UsernameClaim,
-				UsernamePrefix:       oidcOptions.UsernamePrefix,
-			})
-			if err != nil {
-				return err
-			}
-
 			// Init token reviewer if enabled
 			var tokenReviewer *tokenreview.TokenReview
 			if kopOptions.TokenPassthrough.Enabled {
@@ -113,7 +96,6 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			}
 
 			// oidc auther from config
-			reqAuther := bearertoken.New(oidcAuther)
 			secureServingInfo := new(server.SecureServingInfo)
 			if err := ssoptionsWithLB.ApplyTo(&secureServingInfo, nil); err != nil {
 				return err
@@ -124,7 +106,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				DisableImpersonation: kopOptions.DisableImpersonation,
 			}
 
-			p := proxy.New(restConfig, reqAuther,
+			p := proxy.New(restConfig, oidcOptions,
 				tokenReviewer, secureServingInfo, proxyOptions)
 
 			// run proxy

pkg/proxy/proxy.go

@@ -10,14 +10,18 @@ import (
 	"strings"
 	"time"
 
+	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/jwt"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	authuser "k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 	"k8s.io/klog"
 
+	"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 )
 
@@ -39,6 +43,7 @@ type Options struct {
 
 type Proxy struct {
 	oidcAuther        *bearertoken.Authenticator
+	oidcOptions       *options.OIDCAuthenticationOptions
 	tokenReviewer     *tokenreview.TokenReview
 	secureServingInfo *server.SecureServingInfo
 
@@ -49,19 +54,35 @@ type Proxy struct {
 	options *Options
 }
 
-func New(restConfig *rest.Config, oidcAuther *bearertoken.Authenticator,
+func New(restConfig *rest.Config, oidcOptions *options.OIDCAuthenticationOptions,
 	tokenReviewer *tokenreview.TokenReview, ssinfo *server.SecureServingInfo, options *Options) *Proxy {
 	return &Proxy{
 		restConfig:        restConfig,
-		oidcAuther:        oidcAuther,
+		oidcOptions:       oidcOptions,
 		tokenReviewer:     tokenReviewer,
 		secureServingInfo: ssinfo,
 		options:           options,
 	}
 }
 
 func (p *Proxy) Run(stopCh <-chan struct{}) (<-chan struct{}, error) {
-	klog.Infof("waiting for oidc provider to become ready...")
+	// generate oidcAuther from oidc config
+	oidcAuther, err := oidc.New(oidc.Options{
+		APIAudiences:         p.oidcOptions.APIAudiences,
+		CAFile:               p.oidcOptions.CAFile,
+		ClientID:             p.oidcOptions.ClientID,
+		GroupsClaim:          p.oidcOptions.GroupsClaim,
+		GroupsPrefix:         p.oidcOptions.GroupsPrefix,
+		IssuerURL:            p.oidcOptions.IssuerURL,
+		RequiredClaims:       p.oidcOptions.RequiredClaims,
+		SupportedSigningAlgs: p.oidcOptions.SigningAlgs,
+		UsernameClaim:        p.oidcOptions.UsernameClaim,
+		UsernamePrefix:       p.oidcOptions.UsernamePrefix,
+	})
+	if err != nil {
+		return nil, err
+	}
+	p.oidcAuther = bearertoken.New(oidcAuther)
 
 	// standard round tripper for proxy to API Server
 	clientRT, err := p.roundTripperForRestConfig(p.restConfig)
@@ -99,17 +120,41 @@ func (p *Proxy) Run(stopCh <-chan struct{}) (<-chan struct{}, error) {
 	proxyHandler.Transport = p
 	proxyHandler.ErrorHandler = p.Error
 
-	// wait for oidc auther to become ready
-	klog.Infof("waiting for oidc provider to become ready...")
-	time.Sleep(10 * time.Second)
+	// probe for readiness
+	go func() {
+		ticker := time.NewTicker(500 * time.Millisecond)
+		for {
+			<-ticker.C
+			fr, err := http.NewRequest("GET", "http://fake", nil)
+			if err != nil {
+				klog.Infof("error during readiness check: %v", err)
+				continue
+			}
+			jwt, err := p.fakeJWT()
+			if err != nil {
+				klog.Infof("error during readiness check: %v", err)
+				continue
+			}
+			fr.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwt))
+
+			_, _, err = p.oidcAuther.AuthenticateRequest(fr)
+			if strings.HasSuffix(err.Error(), "authenticator not initialized") {
+				klog.V(4).Infof("OIDC provider not yet initialized")
+				continue
+			}
+
+			klog.Info("OIDC provider initialized, proxy ready")
+			klog.V(4).Infof("OIDC provider initialized, readiness check returned error: %+v", err)
+			return
+		}
+
+	}()
 
 	waitCh, err := p.serve(proxyHandler, stopCh)
 	if err != nil {
 		return nil, err
 	}
 
-	klog.Infof("proxy ready")
-
 	return waitCh, nil
 }
 
@@ -193,6 +238,24 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 	return rt.RoundTrip(reqCpy)
 }
 
+// fakeJWT generates a JWT that passes the first offline validity checks. It is
+// used to test if the OIDC provider is initialised
+func (p *Proxy) fakeJWT() (string, error) {
+	key := []byte("secret")
+	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))
+	if err != nil {
+		return "", err
+	}
+
+	cl := jwt.Claims{
+		Subject:   "readiness",
+		Issuer:    p.oidcOptions.IssuerURL,
+		NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
+		Audience:  jwt.Audience(p.oidcOptions.APIAudiences),
+	}
+	return jwt.Signed(sig).Claims(cl).CompactSerialize()
+}
+
 func (p *Proxy) tokenReview(req *http.Request) (*http.Response, error) {
 	klog.V(4).Infof("attempting to validate a token in request using TokenReview endpoint(%s)",
 		req.RemoteAddr)