
Add ability to override jwks_url #8376

19 changes: 19 additions & 0 deletions pkg/apis/feature/features.go
Expand Up @@ -71,6 +71,9 @@ const (
// DefaultRequestReplyTimeout is a value for RequestReplyDefaultTimeout that indicates to timeout
// a RequestReply resource after 30 seconds by default.
DefaultRequestReplyTimeout Flag = "30s"

// DefaultJWKSURI is the default JWKS URI used in most Kubernetes clusters.
DefaultJWKSURI Flag = ""
)

// Flags is a map containing all the enabled/disabled flags for the experimental features.
Expand All @@ -90,6 +93,7 @@ func newDefaults() Flags {
AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
OIDCDiscoveryBaseURL: DefaultOIDCDiscoveryBaseURL,
RequestReplyDefaultTimeout: DefaultRequestReplyTimeout,
JWKSURI: DefaultJWKSURI,
}
}

Expand Down Expand Up @@ -169,6 +173,19 @@ func (e Flags) RequestReplyDefaultTimeout() string {
return string(timeout)
}

func (e Flags) JWKSURI() string {
if e == nil {
return string(DefaultJWKSURI)
}

jwksURI, ok := e[JWKSURI]
if !ok {
return string(DefaultJWKSURI)
}

return string(jwksURI)
}

func (e Flags) String() string {
return fmt.Sprintf("%+v", map[string]Flag(e))
}
Expand Down Expand Up @@ -220,6 +237,8 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
flags[sanitizedKey] = AuthorizationAllowSameNamespace
} else if strings.Contains(k, NodeSelectorLabel) || sanitizedKey == OIDCDiscoveryBaseURL {
flags[sanitizedKey] = Flag(v)
} else if sanitizedKey == JWKSURI {
flags[sanitizedKey] = Flag(v)
} else {
flags[k] = Flag(v)
log.Printf("Warning: unknown feature flag value %q=%q\n", k, v)
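Review bot: The comment on `DefaultJWKSURI` contradicts its value: it is documented as "the default JWKS URI used in most Kubernetes clusters" but is the empty string, which the verifier treats as "no override". Suggested wording: `// DefaultJWKSURI is the default value of the oidc-jwks-uri flag; empty means the jwks_uri published in the OIDC discovery document is used.` The new exported method `JWKSURI()` also has no doc comment; something like `// JWKSURI returns the configured JWKS URI override, or "" when none is set.` would match the file. In `NewFlagsConfigFromMap` (which starts and ends outside the hunk) the added `else if sanitizedKey == JWKSURI` branch does exactly what the preceding branch does, so it can be folded in as `} else if strings.Contains(k, NodeSelectorLabel) || sanitizedKey == OIDCDiscoveryBaseURL || sanitizedKey == JWKSURI {`. Since this value decides where token-signing keys are fetched from, a `url.Parse` plus scheme check at load time would surface a mistyped value here rather than as a verification failure later.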
2 changes: 2 additions & 0 deletions pkg/apis/feature/features_test.go
Expand Up @@ -63,6 +63,8 @@ func TestGetFlags(t *testing.T) {
require.Equal(t, expectedNodeSelector, nodeSelector)

require.Equal(t, flags.OIDCDiscoveryBaseURL(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1")

require.Equal(t, flags.JWKSURI(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk")
}

func TestShouldNotOverrideDefaults(t *testing.T) {
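Review bot: The new assertion passes the actual value as the expected argument; testify's `require.Equal` takes `(t, expected, actual)`, so a failure would print the two sides swapped: `require.Equal(t, "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk", flags.JWKSURI())`. This mirrors the existing `OIDCDiscoveryBaseURL` line above it, so it may be a deliberate match of local style. Only the configured path is covered; if `TestShouldNotOverrideDefaults` (starting just below the hunk) does not already do so, an assertion that `JWKSURI()` returns `""` when `oidc-jwks-uri` is absent would pin the default that `verifier.go` relies on.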
1 change: 1 addition & 0 deletions pkg/apis/feature/flag_names.go
Expand Up @@ -30,4 +30,5 @@ const (
AuthorizationDefaultMode = "default-authorization-mode"
OIDCDiscoveryBaseURL = "oidc-discovery-base-url"
RequestReplyDefaultTimeout = "requestreply-default-timeout"
JWKSURI = "oidc-jwks-uri"
)
1 change: 1 addition & 0 deletions pkg/apis/feature/testdata/config-features.yaml
Expand Up @@ -30,3 +30,4 @@ data:
apiserversources-nodeselector-testkey1: testvalue1
apiserversources-nodeselector-testkey2: testvalue2
oidc-discovery-base-url: "https://oidc.eks.eu-west-1.amazonaws.com/id/1"
oidc-jwks-uri: "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk"
7 changes: 6 additions & 1 deletion pkg/auth/verifier.go
Expand Up @@ -283,7 +283,7 @@ func (v *Verifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
}

func (v *Verifier) getHTTPClient(features feature.Flags) (*http.Client, error) {
if features.OIDCDiscoveryBaseURL() == "https://kubernetes.default.svc" {
if features.OIDCDiscoveryBaseURL() == "https://kubernetes.default.svc" && features.JWKSURI() == "" {
return v.getHTTPClientForKubeAPIServer()
}

Expand Down Expand Up @@ -329,6 +329,11 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
return nil, fmt.Errorf("could not unmarshall openid config: %w", err)
}

// overwrite jwk uri if it is set in the feature flags
if features.JWKSURI() != "" {
openIdConfig.JWKSURI = features.JWKSURI()
}

return openIdConfig, nil
}

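Review bot: The changed condition in `getHTTPClient` means that with the default in-cluster discovery URL and a JWKS override set, the discovery document at `https://kubernetes.default.svc` is no longer fetched with the client from `getHTTPClientForKubeAPIServer` but with whatever the rest of the function builds (outside the hunk); if that client does not carry the API server's CA and credentials, discovery would presumably fail for exactly the configuration this PR enables, so that path deserves a test or a comment explaining why it is intended. In `getKubernetesOIDCDiscovery` the flag is read twice; `if uri := features.JWKSURI(); uri != "" { openIdConfig.JWKSURI = uri }` reads it once. The comment above the override should say what it changes in trust terms, e.g. `// An operator-configured JWKS URI replaces the jwks_uri published by the issuer, so signing keys are fetched from the configured URL instead.` Both enclosing functions start and end outside the hunks.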