updated

mfaizanse · mfaizanse · commit db0089aa5a7d · 2025-11-26T10:17:11.000+01:00
diff --git a/pkg/kubernetes/auth_headers.go b/pkg/kubernetes/auth_headers.go
@@ -11,10 +11,6 @@ type AuthType string
 type ContextKey string
 
 const (
-	// AuthTypeToken represents token-based authentication.
-	AuthTypeToken AuthType = "token"
-	// AuthTypeClientCertificate represents client certificate authentication.
-	AuthTypeClientCertificate AuthType = "client_certificate"
 	// AuthHeadersContextKey is the context key for the Kubernetes authentication headers.
 	AuthHeadersContextKey ContextKey = "k8s_auth_headers"
 )
@@ -40,11 +36,12 @@ func GetDecodedData(data string) ([]byte, error) {
 	return base64.StdEncoding.DecodeString(data)
 }
 
+// NewK8sAuthHeadersFromHeaders creates a new K8sAuthHeaders from the provided headers.
 func NewK8sAuthHeadersFromHeaders(data map[string]any) (*K8sAuthHeaders, error) {
 	var ok bool
 	var err error
 
-	// Initialize auth headers.
+	// Initialize auth headers with default values.
 	authHeaders := &K8sAuthHeaders{
 		InsecureSkipTLSVerify: false,
 	}
@@ -92,21 +89,20 @@ func NewK8sAuthHeadersFromHeaders(data map[string]any) (*K8sAuthHeaders, error)
 	}
 
 	// Check if a valid authentication type is provided.
-	_, err = authHeaders.GetAuthType()
-	if err != nil {
+	if !authHeaders.IsValid() {
 		return nil, fmt.Errorf("either %s header for token authentication or (%s and %s) headers for client certificate authentication required", CustomAuthorizationHeader, CustomClientCertificateDataHeader, CustomClientKeyDataHeader)
 	}
 
 	return authHeaders, nil
 }
 
-// GetAuthType returns the authentication type based on the provided headers.
-func (h *K8sAuthHeaders) GetAuthType() (AuthType, error) {
+// IsValid checks if the authentication headers are valid.
+func (h *K8sAuthHeaders) IsValid() bool {
 	if h.AuthorizationToken != "" {
-		return AuthTypeToken, nil
+		return true
 	}
 	if h.ClientCertificateData != nil && h.ClientKeyData != nil {
-		return AuthTypeClientCertificate, nil
+		return true
 	}
-	return "", fmt.Errorf("invalid authentication type")
+	return false
 }
diff --git a/pkg/kubernetes/provider_auth_headers.go b/pkg/kubernetes/provider_auth_headers.go
@@ -27,25 +27,27 @@ func init() {
 // newAuthHeadersClusterProvider creates a provider that requires header-based authentication.
 // Users must provide tokens via request headers (server URL, Token or client certificate and key).
 func newAuthHeadersClusterProvider(cfg *config.StaticConfig) (Provider, error) {
-	klog.V(1).Infof("Auth-headers provider initialized - all requests must include valid headers")
+	klog.V(1).Infof("Auth-headers provider initialized - all requests must include valid k8s auth headers")
 
 	return &AuthHeadersClusterProvider{staticConfig: cfg}, nil
 }
 
 func (p *AuthHeadersClusterProvider) IsOpenShift(ctx context.Context) bool {
+	klog.V(1).Infof("IsOpenShift not supported for auth-headers provider. Returning false.")
 	return false
 }
 
 func (p *AuthHeadersClusterProvider) VerifyToken(ctx context.Context, target, token, audience string) (*authenticationv1api.UserInfo, []string, error) {
-	return nil, nil, fmt.Errorf("auth-headers VerifyToken not implemented")
+	return nil, nil, fmt.Errorf("VerifyToken not supported for auth-headers provider")
 }
 
 func (p *AuthHeadersClusterProvider) GetTargets(_ context.Context) ([]string, error) {
-	// Single cluster mode
+	klog.V(1).Infof("GetTargets not supported for auth-headers provider. Returning empty list.")
 	return []string{""}, nil
 }
 
 func (p *AuthHeadersClusterProvider) GetTargetParameterName() string {
+	klog.V(1).Infof("GetTargetParameterName not supported for auth-headers provider. Returning empty name.")
 	return ""
 }
 
@@ -64,10 +66,12 @@ func (p *AuthHeadersClusterProvider) GetDerivedKubernetes(ctx context.Context, t
 }
 
 func (p *AuthHeadersClusterProvider) GetDefaultTarget() string {
+	klog.V(1).Infof("GetDefaultTarget not supported for auth-headers provider. Returning empty name.")
 	return ""
 }
 
 func (p *AuthHeadersClusterProvider) WatchTargets(watch func() error) {
+	klog.V(1).Infof("WatchTargets not supported for auth-headers provider. Ignoring watch function.")
 }
 
 func (p *AuthHeadersClusterProvider) Close() {
diff --git a/pkg/kubernetes/provider_auth_headers_test.go b/pkg/kubernetes/provider_auth_headers_test.go

Original file line number	Diff line number	Diff line change
`@@ -11,10 +11,6 @@ type AuthType string`
`11`	`11`	`type ContextKey string`
`12`	`12`
`13`	`13`	`const (`
`14`		`- // AuthTypeToken represents token-based authentication.`
`15`		`- AuthTypeToken AuthType = "token"`
`16`		`- // AuthTypeClientCertificate represents client certificate authentication.`
`17`		`- AuthTypeClientCertificate AuthType = "client_certificate"`
`18`	`14`	`// AuthHeadersContextKey is the context key for the Kubernetes authentication headers.`
`19`	`15`	`AuthHeadersContextKey ContextKey = "k8s_auth_headers"`
`20`	`16`	`)`
`@@ -40,11 +36,12 @@ func GetDecodedData(data string) ([]byte, error) {`
`40`	`36`	`return base64.StdEncoding.DecodeString(data)`
`41`	`37`	`}`
`42`	`38`
	`39`	`+// NewK8sAuthHeadersFromHeaders creates a new K8sAuthHeaders from the provided headers.`
`43`	`40`	`func NewK8sAuthHeadersFromHeaders(data map[string]any) (*K8sAuthHeaders, error) {`
`44`	`41`	`var ok bool`
`45`	`42`	`var err error`
`46`	`43`
`47`		`- // Initialize auth headers.`
	`44`	`+ // Initialize auth headers with default values.`
`48`	`45`	`authHeaders := &K8sAuthHeaders{`
`49`	`46`	`InsecureSkipTLSVerify: false,`
`50`	`47`	`}`
`@@ -92,21 +89,20 @@ func NewK8sAuthHeadersFromHeaders(data map[string]any) (*K8sAuthHeaders, error)`
`92`	`89`	`}`
`93`	`90`
`94`	`91`	`// Check if a valid authentication type is provided.`
`95`		`- _, err = authHeaders.GetAuthType()`
`96`		`- if err != nil {`
	`92`	`+ if !authHeaders.IsValid() {`
`97`	`93`	`return nil, fmt.Errorf("either %s header for token authentication or (%s and %s) headers for client certificate authentication required", CustomAuthorizationHeader, CustomClientCertificateDataHeader, CustomClientKeyDataHeader)`
`98`	`94`	`}`
`99`	`95`
`100`	`96`	`return authHeaders, nil`
`101`	`97`	`}`
`102`	`98`
`103`		`-// GetAuthType returns the authentication type based on the provided headers.`
`104`		`-func (h *K8sAuthHeaders) GetAuthType() (AuthType, error) {`
	`99`	`+// IsValid checks if the authentication headers are valid.`
	`100`	`+func (h *K8sAuthHeaders) IsValid() bool {`
`105`	`101`	`if h.AuthorizationToken != "" {`
`106`		`- return AuthTypeToken, nil`
	`102`	`+ return true`
`107`	`103`	`}`
`108`	`104`	`if h.ClientCertificateData != nil && h.ClientKeyData != nil {`
`109`		`- return AuthTypeClientCertificate, nil`
	`105`	`+ return true`
`110`	`106`	`}`
`111`		`- return "", fmt.Errorf("invalid authentication type")`
	`107`	`+ return false`
`112`	`108`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,25 +27,27 @@ func init() {`
`27`	`27`	`// newAuthHeadersClusterProvider creates a provider that requires header-based authentication.`
`28`	`28`	`// Users must provide tokens via request headers (server URL, Token or client certificate and key).`
`29`	`29`	`func newAuthHeadersClusterProvider(cfg *config.StaticConfig) (Provider, error) {`
`30`		`- klog.V(1).Infof("Auth-headers provider initialized - all requests must include valid headers")`
	`30`	`+ klog.V(1).Infof("Auth-headers provider initialized - all requests must include valid k8s auth headers")`
`31`	`31`
`32`	`32`	`return &AuthHeadersClusterProvider{staticConfig: cfg}, nil`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`func (p *AuthHeadersClusterProvider) IsOpenShift(ctx context.Context) bool {`
	`36`	`+ klog.V(1).Infof("IsOpenShift not supported for auth-headers provider. Returning false.")`
`36`	`37`	`return false`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`func (p AuthHeadersClusterProvider) VerifyToken(ctx context.Context, target, token, audience string) (authenticationv1api.UserInfo, []string, error) {`
`40`		`- return nil, nil, fmt.Errorf("auth-headers VerifyToken not implemented")`
	`41`	`+ return nil, nil, fmt.Errorf("VerifyToken not supported for auth-headers provider")`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`func (p *AuthHeadersClusterProvider) GetTargets(_ context.Context) ([]string, error) {`
`44`		`- // Single cluster mode`
	`45`	`+ klog.V(1).Infof("GetTargets not supported for auth-headers provider. Returning empty list.")`
`45`	`46`	`return []string{""}, nil`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`func (p *AuthHeadersClusterProvider) GetTargetParameterName() string {`
	`50`	`+ klog.V(1).Infof("GetTargetParameterName not supported for auth-headers provider. Returning empty name.")`
`49`	`51`	`return ""`
`50`	`52`	`}`
`51`	`53`
`@@ -64,10 +66,12 @@ func (p *AuthHeadersClusterProvider) GetDerivedKubernetes(ctx context.Context, t`
`64`	`66`	`}`
`65`	`67`
`66`	`68`	`func (p *AuthHeadersClusterProvider) GetDefaultTarget() string {`
	`69`	`+ klog.V(1).Infof("GetDefaultTarget not supported for auth-headers provider. Returning empty name.")`
`67`	`70`	`return ""`
`68`	`71`	`}`
`69`	`72`
`70`	`73`	`func (p *AuthHeadersClusterProvider) WatchTargets(watch func() error) {`
	`74`	`+ klog.V(1).Infof("WatchTargets not supported for auth-headers provider. Ignoring watch function.")`
`71`	`75`	`}`
`72`	`76`
`73`	`77`	`func (p *AuthHeadersClusterProvider) Close() {`