Search client auth with and without port

liggitt · liggitt · commit 2f5dde7672ea · 2019-09-03T13:52:35.000-04:00
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
@@ -136,6 +136,23 @@ func (c *defaultAuthenticationInfoResolver) clientConfig(target string) (*rest.C
 		}
 	}
 
+	// If target included the default https port (443), search again without the port
+	if target, port, err := net.SplitHostPort(target); err == nil && port == "443" {
+		// exact match without port
+		if authConfig, ok := c.kubeconfig.AuthInfos[target]; ok {
+			return restConfigFromKubeconfig(authConfig)
+		}
+
+		// star prefixed match without port
+		serverSteps := strings.Split(target, ".")
+		for i := 1; i < len(serverSteps); i++ {
+			nickName := "*." + strings.Join(serverSteps[i:], ".")
+			if authConfig, ok := c.kubeconfig.AuthInfos[nickName]; ok {
+				return restConfigFromKubeconfig(authConfig)
+			}
+		}
+	}
+
 	// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
 	if target == "kubernetes.default.svc" {
 		// if we can find an in-cluster-config use that.  If we can't, fall through.
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
@@ -109,6 +109,90 @@ func TestAuthenticationDetection(t *testing.T) {
 			},
 			expected: rest.Config{BearerToken: "first"},
 		},
+		{
+			name:       "exact match with default https port",
+			serverName: "one.two.three.com:443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"one.two.three.com:443": {Token: "exact"},
+					"*.two.three.com":       {Token: "first"},
+					"*.three.com":           {Token: "second"},
+					"*.com":                 {Token: "third"},
+					"*":                     {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "exact"},
+		},
+		{
+			name:       "wildcard match with default https port",
+			serverName: "one.two.three.com:443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"*.two.three.com:443": {Token: "first-with-port"},
+					"*.two.three.com":     {Token: "first"},
+					"*.three.com":         {Token: "second"},
+					"*.com":               {Token: "third"},
+					"*":                   {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "first-with-port"},
+		},
+		{
+			name:       "wildcard match without default https port",
+			serverName: "one.two.three.com:443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"*.two.three.com": {Token: "first"},
+					"*.three.com":     {Token: "second"},
+					"*.com":           {Token: "third"},
+					"*":               {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "first"},
+		},
+		{
+			name:       "exact match with non-default https port",
+			serverName: "one.two.three.com:8443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"one.two.three.com:8443": {Token: "exact"},
+					"*.two.three.com":        {Token: "first"},
+					"*.three.com":            {Token: "second"},
+					"*.com":                  {Token: "third"},
+					"*":                      {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "exact"},
+		},
+		{
+			name:       "wildcard match with non-default https port",
+			serverName: "one.two.three.com:8443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"*.two.three.com:8443": {Token: "first-with-port"},
+					"one.two.three.com":    {Token: "first-without-port"},
+					"*.two.three.com":      {Token: "first"},
+					"*.three.com":          {Token: "second"},
+					"*.com":                {Token: "third"},
+					"*":                    {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "first-with-port"},
+		},
+		{
+			name:       "wildcard match without non-default https port",
+			serverName: "one.two.three.com:8443",
+			kubeconfig: clientcmdapi.Config{
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{
+					"one.two.three.com": {Token: "first-without-port"},
+					"*.two.three.com":   {Token: "first"},
+					"*.three.com":       {Token: "second"},
+					"*.com":             {Token: "third"},
+					"*":                 {Token: "fallback"},
+				},
+			},
+			expected: rest.Config{BearerToken: "fallback"},
+		},
 	}
 
 	for _, tc := range tests {
