Remove k8s.io/kubernetes as a dependency

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

Makefile

@@ -83,7 +83,7 @@ generate: depend ## generates mocks and assets files
 test: generate verify ## run all go tests
 	go test $$(go list ./pkg/... ./cmd/... | grep -v pkg/e2e)
 
-e2e: e2e-1.14 ## run end to end tests
+e2e: e2e-1.15 ## run end to end tests
 
 e2e-1.15: build ## run end to end tests for kubernetes version 1.15
 	KUBE_OIDC_PROXY_NODE_IMAGE=1.15.0 go test ./pkg/e2e/. -v --count=1

cmd/options/options.go

@@ -0,0 +1,79 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package options
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+
+	cliflag "k8s.io/component-base/cli/flag"
+)
+
+type OIDCAuthenticationOptions struct {
+	APIAudiences   []string
+	CAFile         string
+	ClientID       string
+	IssuerURL      string
+	UsernameClaim  string
+	UsernamePrefix string
+	GroupsClaim    string
+	GroupsPrefix   string
+	SigningAlgs    []string
+	RequiredClaims map[string]string
+}
+
+func (o *OIDCAuthenticationOptions) Validate() error {
+	if o != nil && (len(o.IssuerURL) > 0) != (len(o.ClientID) > 0) {
+		return fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together")
+	}
+
+	return nil
+}
+
+func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
+		"Identifiers of the API. The service account token authenticator will validate that "+
+		"tokens used against the API are bound to at least one of these audiences. If the "+
+		"--service-account-issuer flag is configured and this flag is not, this field "+
+		"defaults to a single element list containing the issuer URL .")
+
+	fs.StringVar(&o.IssuerURL, "oidc-issuer-url", o.IssuerURL, ""+
+		"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
+		"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+
+	fs.StringVar(&o.ClientID, "oidc-client-id", o.ClientID,
+		"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+
+	fs.StringVar(&o.CAFile, "oidc-ca-file", o.CAFile, ""+
+		"If set, the OpenID server's certificate will be verified by one of the authorities "+
+		"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+
+	fs.StringVar(&o.UsernameClaim, "oidc-username-claim", "sub", ""+
+		"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
+		"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
+		"the authentication documentation for further details.")
+
+	fs.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", ""+
+		"If provided, all usernames will be prefixed with this value. If not provided, "+
+		"username claims other than 'email' are prefixed by the issuer URL to avoid "+
+		"clashes. To skip any prefixing, provide the value '-'.")
+
+	fs.StringVar(&o.GroupsClaim, "oidc-groups-claim", "", ""+
+		"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
+		"The claim value is expected to be a string or array of strings. This flag is experimental, "+
+		"please see the authentication documentation for further details.")
+
+	fs.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", ""+
+		"If provided, all groups will be prefixed with this value to prevent conflicts with "+
+		"other authentication strategies.")
+
+	fs.StringSliceVar(&o.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+
+		"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+
+		"'alg' header value not in this list will be rejected. "+
+		"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.")
+
+	fs.Var(cliflag.NewMapStringStringNoSplit(&o.RequiredClaims), "oidc-required-claim", ""+
+		"A key=value pair that describes a required claim in the ID Token. "+
+		"If set, the claim is verified to be present in the ID Token with a matching value. "+
+		"Repeat this flag to specify multiple claims.")
+}

cmd/run.go

@@ -4,20 +4,22 @@ package cmd
 import (
 	"errors"
 	"fmt"
+	"net"
 	"strconv"
 	"time"
 
 	"github.com/spf13/cobra"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/server"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/term"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/rest"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/cli/globalflag"
-	apiserveroptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 
+	"github.com/jetstack/kube-oidc-proxy/cmd/options"
 	"github.com/jetstack/kube-oidc-proxy/pkg/probe"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy"
 	"github.com/jetstack/kube-oidc-proxy/pkg/version"
@@ -29,25 +31,38 @@ const (
 
 func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	// flag option structs
-	oidcOptions := &apiserveroptions.BuiltInAuthenticationOptions{
-		OIDC: &apiserveroptions.OIDCAuthenticationOptions{},
+	oidcOptions := new(options.OIDCAuthenticationOptions)
+
+	ssoptions := &apiserveroptions.SecureServingOptions{
+		BindAddress: net.ParseIP("0.0.0.0"),
+		BindPort:    6443,
+		Required:    true,
+		ServerCert: apiserveroptions.GeneratableKeyCert{
+			PairName:      "kube-oidc-proxy",
+			CertDirectory: "/var/run/kubernetes",
+		},
 	}
-	secureServingOptions := apiserveroptions.NewSecureServingOptions()
-	secureServingOptions.ServerCert.PairName = "kube-oidc-proxy"
+	ssoptionsWithLB := ssoptions.WithLoopback()
+	//secureServingOptions = secureServingOptions.WithLoopback()
+
 	clientConfigFlags := genericclioptions.NewConfigFlags(true)
 
 	healthCheck := probe.New(strconv.Itoa(readinessProbePort))
 
 	// proxy command
 	cmd := &cobra.Command{
-		Use:  "k8s-oidc-proxy",
-		Long: "k8s-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
+		Use:  "kube-oidc-proxy",
+		Long: "kube-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if cmd.Flag("version").Value.String() == "true" {
 				version.PrintVersionAndExit()
 			}
 
-			if secureServingOptions.SecureServingOptions.BindPort == readinessProbePort {
+			if err := oidcOptions.Validate(); err != nil {
+				return err
+			}
+
+			if ssoptionsWithLB.SecureServingOptions.BindPort == readinessProbePort {
 				return errors.New("unable to securely serve on port 8080, used by readiness prob")
 			}
 
@@ -65,15 +80,15 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			// oidc config
 			oidcAuther, err := oidc.New(oidc.Options{
 				APIAudiences:         oidcOptions.APIAudiences,
-				CAFile:               oidcOptions.OIDC.CAFile,
-				ClientID:             oidcOptions.OIDC.ClientID,
-				GroupsClaim:          oidcOptions.OIDC.GroupsClaim,
-				GroupsPrefix:         oidcOptions.OIDC.GroupsPrefix,
-				IssuerURL:            oidcOptions.OIDC.IssuerURL,
-				RequiredClaims:       oidcOptions.OIDC.RequiredClaims,
-				SupportedSigningAlgs: oidcOptions.OIDC.SigningAlgs,
-				UsernameClaim:        oidcOptions.OIDC.UsernameClaim,
-				UsernamePrefix:       oidcOptions.OIDC.UsernamePrefix,
+				CAFile:               oidcOptions.CAFile,
+				ClientID:             oidcOptions.ClientID,
+				GroupsClaim:          oidcOptions.GroupsClaim,
+				GroupsPrefix:         oidcOptions.GroupsPrefix,
+				IssuerURL:            oidcOptions.IssuerURL,
+				RequiredClaims:       oidcOptions.RequiredClaims,
+				SupportedSigningAlgs: oidcOptions.SigningAlgs,
+				UsernameClaim:        oidcOptions.UsernameClaim,
+				UsernamePrefix:       oidcOptions.UsernamePrefix,
 			})
 			if err != nil {
 				return err
@@ -82,7 +97,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			// oidc auther from config
 			reqAuther := bearertoken.New(oidcAuther)
 			secureServingInfo := new(server.SecureServingInfo)
-			if err := secureServingOptions.ApplyTo(&secureServingInfo, nil); err != nil {
+			if err := ssoptionsWithLB.ApplyTo(&secureServingInfo, nil); err != nil {
 				return err
 			}
 
@@ -110,7 +125,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	oidcfs := namedFlagSets.FlagSet("OIDC")
 	oidcOptions.AddFlags(oidcfs)
 
-	secureServingOptions.AddFlags(namedFlagSets.FlagSet("secure serving"))
+	ssoptionsWithLB.AddFlags(namedFlagSets.FlagSet("secure serving"))
 
 	clientConfigFlags.CacheDir = nil
 	clientConfigFlags.Impersonate = nil

go.mod

@@ -6,48 +6,27 @@ require (
 	github.com/Masterminds/semver v1.4.2
 	github.com/golang/mock v0.0.0-20160127222235-bd3c8e81be01
 	github.com/heptiolabs/healthcheck v0.0.0-20180807145615-6ff867650f40
-	github.com/sirupsen/logrus v1.4.1
+	github.com/sirupsen/logrus v1.4.2
 	github.com/spf13/cobra v0.0.5
+	github.com/spf13/pflag v1.0.3
 	gopkg.in/square/go-jose.v2 v2.3.1
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
-	k8s.io/apiserver v0.0.0
+	k8s.io/apiserver v0.0.0-20190721103406-1e59c150c171
 	k8s.io/cli-runtime v0.0.0
 	k8s.io/client-go v11.0.0+incompatible
 	k8s.io/component-base v0.0.0
 	k8s.io/klog v0.3.3
-	k8s.io/kubernetes v0.0.0-00010101000000-000000000000
 	sigs.k8s.io/kind v0.0.0-00010101000000-000000000000
 )
 
 replace (
+	github.com/golang/mock => github.com/golang/mock v1.3.1
 	k8s.io/api => k8s.io/api v0.0.0-20190620084959-7cf5895f2711
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.0.0-20190620085554-14e95df34f1f
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
-	k8s.io/apiserver => k8s.io/apiserver v0.0.0-20190620085212-47dc9a115b18
 	k8s.io/cli-runtime => k8s.io/cli-runtime v0.0.0-20190620085706-2090e6d8f84c
 	k8s.io/client-go => k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.0.0-20190219215739-d1e3091efae0
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.0.0-20190620090013-c9a0fc045dc1
-	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20190311093542-50b561225d70
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20190620085130-185d68e6e6ea
-	k8s.io/cri-api => k8s.io/cri-api v0.0.0-20190531030430-6117653b35f1
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.0.0-20190620090116-299a7b270edc
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.0.0-20190620085325-f29e2b4a4f84
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.0.0-20190620085942-b7f18460b210
-	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a3
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.0.0-20190620085809-589f994ddf7f
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.0.0-20190620085912-4acac5405ec6
-	k8s.io/kubectl => k8s.io/kubectl v0.0.0-20190602132728-7075c07e78bf
-	k8s.io/kubelet => k8s.io/kubelet v0.0.0-20190620085838-f1cb295a73c9
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.0.0-20190620090156-2138f2c9de18
-	k8s.io/metrics => k8s.io/metrics v0.0.0-20190620085625-3b22d835f165
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.0.0-20190620085408-1aef9010884e
-	sigs.k8s.io/structured-merge-diff => sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2
-)
-
-replace (
-	github.com/golang/mock => github.com/golang/mock v1.3.1
-	k8s.io/kubernetes => k8s.io/kubernetes v1.15.0
 	sigs.k8s.io/kind => sigs.k8s.io/kind v0.4.0
 )