将x509证书复制进入容器中

2025-09-03 16:37:28 +08:00 · 2025-09-03 16:37:28 +08:00 · ff86d7a31e
parent b73e25a87b
commit ff86d7a31e
4 changed files with 8 additions and 58 deletions
--- a/5
+++ b/5
@ -60,15 +60,18 @@ FROM ${RUNTIME_IMAGE}
 # Reload version
 ARG VERSION
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
 LABEL org.opencontainers.image.licenses=MIT \
      org.opencontainers.image.description="A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers." \
      org.opencontainers.image.documentation=https://oauth2-proxy.github.io/oauth2-proxy/ \
-      org.opencontainers.image.source=https://github.com/oauth2-proxy/oauth2-proxy \
+      org.opencontainers.image.source=https://github.com/opensourceways/oauth2-proxy \
      org.opencontainers.image.url=https://quay.io/oauth2-proxy/oauth2-proxy \
      org.opencontainers.image.title=oauth2-proxy \
      org.opencontainers.image.version=${VERSION}
 USER 2000:2000
 ENTRYPOINT ["/bin/oauth2-proxy"]
--- a/pkg/providers/oidc/verifier.go
+++ b/pkg/providers/oidc/verifier.go
@ -3,7 +3,6 @@ package oidc
 import (
 	"context"
 	"fmt"
 	"reflect"
 	"github.com/coreos/go-oidc/v3/oidc"
 )
@ -53,57 +52,5 @@ func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.
 		return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)
 	}
 	// if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience {
 	// 	return nil, err
 	// }
 	return token, err
 }
 func (v *idTokenVerifier) verifyAudience(token *oidc.IDToken, claims map[string]interface{}) (bool, error) {
 	for _, audienceClaim := range v.verificationOptions.AudienceClaims {
 		if audienceClaimValue, audienceClaimExists := claims[audienceClaim]; audienceClaimExists {
 			// audience claim value can be either interface{} or []interface{},
 			// as per spec `aud` can be either a string or a list of strings
 			switch audienceClaimValueType := audienceClaimValue.(type) {
 			case []interface{}:
 				token.Audience = v.interfaceSliceToString(audienceClaimValue)
 			case interface{}:
 				token.Audience = []string{audienceClaimValue.(string)}
 			default:
 				return false, fmt.Errorf("audience claim %s holds unsupported type %T",
 					audienceClaim, audienceClaimValueType)
 			}
 			return v.isValidAudience(audienceClaim, token.Audience, v.allowedAudiences)
 		}
 	}
 	return false, fmt.Errorf("audience claims %v do not exist in claims: %v",
 		v.verificationOptions.AudienceClaims, claims)
 }
 func (v *idTokenVerifier) isValidAudience(claim string, audience []string, allowedAudiences map[string]struct{}) (bool, error) {
 	for _, aud := range audience {
 		if _, allowedAudienceExists := allowedAudiences[aud]; allowedAudienceExists {
 			return true, nil
 		}
 	}
 	return false, fmt.Errorf(
 		"audience from claim %s with value %s does not match with any of allowed audiences %v",
 		claim, audience, allowedAudiences)
 }
 func (v *idTokenVerifier) interfaceSliceToString(slice interface{}) []string {
 	s := reflect.ValueOf(slice)
 	if s.Kind() != reflect.Slice {
 		panic(fmt.Sprintf("given a non-slice type %s", s.Kind()))
 	}
 	var strings []string
 	for i := 0; i < s.Len(); i++ {
 		strings = append(strings, s.Index(i).Interface().(string))
 	}
 	return strings
 }