Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the ability to inject authenticators. #2311

Merged
merged 2 commits into from
Mar 24, 2025
Merged

Add the ability to inject authenticators. #2311

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6c3c488
Add the ability to inject authenticators.
brendandburns Mar 10, 2025
a26e167
Switch to config local authenticators instead of
brendandburns Mar 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion src/config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,15 @@ export class KubeConfig implements SecurityAuthentication {
new OpenIDConnectAuth(),
];

// List of custom authenticators that can be added by the user
private custom_authenticators: Authenticator[] = [];

// Optionally add additional external authenticators, you must do this
// before you load a kubeconfig file that references them.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it is worth adding a test that intentionally does not do this (if for no other reason than knowing if it accidentally changes)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this can ever change, because the kubeconfig file references the authenticator as part of the YAML file, so if we don't know about the authenticator because it hasn't been registered when we load the kubeconfig, there's no way that we can link the authenticator requested in the file to the kubeconfig.

So while we could add a test, I'm not sure it would ever break.

public addAuthenticator(authenticator: Authenticator): void {
this.custom_authenticators.push(authenticator);
}

/**
* The list of all known clusters
*/
Expand Down Expand Up @@ -577,10 +586,16 @@ export class KubeConfig implements SecurityAuthentication {
if (!user) {
return;
}
const authenticator = KubeConfig.authenticators.find((elt: Authenticator) => {
let authenticator = KubeConfig.authenticators.find((elt: Authenticator) => {
return elt.isAuthProvider(user);
});

if (!authenticator) {
authenticator = this.custom_authenticators.find((elt: Authenticator) => {
return elt.isAuthProvider(user);
});
}

if (!opts.headers) {
opts.headers = {};
}
Expand Down
41 changes: 41 additions & 0 deletions src/config_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { mock } from 'node:test';

import mockfs from 'mock-fs';

import { Authenticator } from './auth.js';
import { Headers } from 'node-fetch';
import { HttpMethod } from './index.js';
import { assertRequestAgentsEqual, assertRequestOptionsEqual } from './test/match-buffer.js';
Expand Down Expand Up @@ -1703,5 +1704,45 @@ describe('KubeConfig', () => {
}
validateFileLoad(kc);
});

it('should inject a custom Authenticator', async () => {
class CustomAuthenticator implements Authenticator {
public isAuthProvider(user: User): boolean {
return user.authProvider === 'custom';
}

public async applyAuthentication(user: User, opts: RequestOptions): Promise<void> {
if (user.authProvider === 'custom') {
// Simulate token retrieval
const token = 'test-token';
opts.headers = opts.headers || {};
opts.headers.Authorization = `Bearer ${token}`;
} else {
throw new Error('No custom configuration found');
}
}
}

const customAuthenticator = new CustomAuthenticator();
const kc = new KubeConfig();
kc.addAuthenticator(customAuthenticator);

const cluster: Cluster = {
name: 'test-cluster',
server: 'https://localhost:6443',
skipTLSVerify: false,
};
const user: User = {
name: 'test-user',
authProvider: 'custom',
};

kc.loadFromClusterAndUser(cluster, user);

const opts: RequestOptions = {};
await kc.applyToHTTPSOptions(opts);

strictEqual(opts.headers!.Authorization, 'Bearer test-token');
});
});
});