fix jwt service auth config loading

Yelp · Mar 5, 2025 · ab4c419 · ab4c419
1 parent 3ca3e7c
commit ab4c419
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 16 deletions.
diff --git a/pkg/configstore/store.go b/pkg/configstore/store.go
@@ -220,3 +220,11 @@ func (s *Store) Load(key string, dst interface{}) (bool, error) {
 	}
 	return true, mapstructure.Decode(val, dst)
 }
+
+// AddHint inserts a new hint to find keys among config files
+func (s *Store) AddHint(key string, filename string) {
+	if s.Hints == nil {
+		s.Hints = map[string]string{}
+	}
+	s.Hints[key] = filename
+}
diff --git a/pkg/volumes/service_authentication.go b/pkg/volumes/service_authentication.go
@@ -14,6 +14,7 @@ import (
 const (
 	authenticatingServicesConfigPath    = "/nail/etc/services/authenticating.yaml"
 	jwtServiceAuthConfigName            = "jwt_service_auth"
+	jwtServiceAuthConfigKey             = "service_auth_token_settings"
 	authenticatingServicesCacheDuration = 10 * time.Minute
 	defaultTokenExpirationSeconds       = 3600
 )
@@ -23,13 +24,9 @@ type authenticatingServicesConfig struct {
 }
 
 type jwtServiceAuthTokenSettings struct {
-	Audience          string `json:"audience"`
-	ContainerPath     string `json:"container_path"`
-	ExpirationSeconds int64  `json:"expiration_seconds"`
-}
-
-type jwtServiceAuthConfig struct {
-	TokenSettings jwtServiceAuthTokenSettings `json:"service_auth_token_settings"`
+	Audience          string `json:"audience" mapstructure:"audience"`
+	ContainerPath     string `json:"container_path" mapstructure:"container_path"`
+	ExpirationSeconds int64  `json:"expiration_seconds" mapstructure:"expiration_seconds"`
 }
 
 var authenticatingServicesCache map[string]bool
@@ -106,14 +103,14 @@ func GetProjectedServiceAccountVolume(audience string, path string, expirationSe
 }
 
 func GetServiceAuthenticationTokenVolume(configStore *configstore.Store) (corev1.VolumeMount, corev1.Volume, error) {
-	var jwtServiceAuth jwtServiceAuthConfig
-	if ok, err := configStore.Load(jwtServiceAuthConfigName, &jwtServiceAuth); !ok || err != nil {
+	var tokenSettings jwtServiceAuthTokenSettings
+	configStore.AddHint(jwtServiceAuthConfigKey, jwtServiceAuthConfigName)
+	if ok, err := configStore.Load(jwtServiceAuthConfigKey, &tokenSettings); !ok || err != nil {
 		if err == nil {
 			err = fmt.Errorf("%s configuration not found", jwtServiceAuthConfigName)
 		}
 		return corev1.VolumeMount{}, corev1.Volume{}, err
 	}
-	tokenSettings := jwtServiceAuth.TokenSettings
 	if tokenSettings.Audience == "" || tokenSettings.ContainerPath == "" {
 		return corev1.VolumeMount{}, corev1.Volume{}, fmt.Errorf("Missing token settings in %s configuration", jwtServiceAuthConfigName)
 	}

diff --git a/pkg/volumes/service_authentication_test.go b/pkg/volumes/service_authentication_test.go
@@ -36,12 +36,10 @@ func TestGetServiceAuthenticationTokenVolume(t *testing.T) {
 	}
 	mockJwtAuthConfig := &sync.Map{}
 	mockJwtAuthConfig.Store(
-		jwtServiceAuthConfigName,
-		jwtServiceAuthConfig{
-			TokenSettings: jwtServiceAuthTokenSettings{
-				Audience:      "foo.yelp.com",
-				ContainerPath: "/var/secret/serviceaccount/foo",
-			},
+		jwtServiceAuthConfigKey,
+		jwtServiceAuthTokenSettings{
+			Audience:      "foo.yelp.com",
+			ContainerPath: "/var/secret/serviceaccount/foo",
 		},
 	)
 	configReader := &configstore.Store{Data: mockJwtAuthConfig}