c/k/app,pkg/{authn,server}: use upstream oidc opts
ibihim committed Jul 24, 2024
1 parent c7e1aff commit f31c187
Showing 6 changed files with 63 additions and 112 deletions.
13 changes: 7 additions & 6 deletions cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
Expand Up @@ -32,11 +32,13 @@ import (
utilerrors "k8s.io/apimachinery/pkg/util/errors"
waitgroup "k8s.io/apimachinery/pkg/util/waitgroup"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/union"
kubefilters "k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/endpoints/request"
serverconfig "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
k8sapiflag "k8s.io/component-base/cli/flag"
Expand All @@ -47,7 +49,6 @@ import (
"k8s.io/klog/v2"

"github.com/brancz/kube-rbac-proxy/cmd/kube-rbac-proxy/app/options"
"github.com/brancz/kube-rbac-proxy/pkg/authn"
"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
"github.com/brancz/kube-rbac-proxy/pkg/authorization/path"
"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
Expand Down Expand Up @@ -195,14 +196,14 @@ func Run(cfg *server.KubeRBACProxyConfig) error {

var authenticator authenticator.Request
// If OIDC configuration provided, use oidc authenticator
if cfg.KubeRBACProxyInfo.OIDC.IssuerURL != "" {
oidcAuthenticator, err := authn.NewOIDCAuthenticator(ctx, cfg.KubeRBACProxyInfo.OIDC)
if cfg.KubeRBACProxyInfo.HasOIDCSetup() {
tokenAuthenticator, err := oidc.New(ctx, *cfg.KubeRBACProxyInfo.OIDC)
if err != nil {
return fmt.Errorf("failed to instantiate OIDC authenticator: %w", err)
return fmt.Errorf("setting up oidc failed: %w", err)
}

go oidcAuthenticator.Run(ctx)
authenticator = oidcAuthenticator
go cfg.KubeRBACProxyInfo.OIDCDynamicCAContent.Run(ctx, 1)
authenticator = bearertoken.New(tokenAuthenticator)
} else {
authenticator = cfg.DelegatingAuthentication.Authenticator
}
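Review bot: The new guard `cfg.KubeRBACProxyInfo.HasOIDCSetup()` only tests the issuer URL, yet the line `go cfg.KubeRBACProxyInfo.OIDCDynamicCAContent.Run(ctx, 1)` dereferences `OIDCDynamicCAContent` unconditionally, so the two fields are coupled only implicitly through `OIDCOptions.ApplyTo` setting them together; any other path that fills `OIDC` would panic at startup instead of failing with an error. Either `HasOIDCSetup` in pkg/server/config.go should also require `i.OIDCDynamicCAContent != nil`, or this site should guard locally: `if ca := cfg.KubeRBACProxyInfo.OIDCDynamicCAContent; ca != nil { go ca.Run(ctx, 1) }`. The wrapped error would also read better without "failed", e.g. `return fmt.Errorf("setting up oidc authenticator: %w", err)`. `Run` starts and ends outside this hunk.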
46 changes: 37 additions & 9 deletions cmd/kube-rbac-proxy/app/options/oidcoptions.go
Expand Up @@ -17,26 +17,41 @@ limitations under the License.
package options

import (
"github.com/brancz/kube-rbac-proxy/pkg/authn"
"fmt"

"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

"github.com/brancz/kube-rbac-proxy/pkg/server"

"github.com/spf13/pflag"
)

type OIDCOptions struct {
*authn.OIDCConfig
oidc.Options

CAFile string
}

func (o *OIDCOptions) AddFlags(flagset *pflag.FlagSet) {
//Authn OIDC flags
flagset.StringVar(&o.IssuerURL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
flagset.StringVar(&o.ClientID, "oidc-clientID", "", "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
flagset.StringVar(&o.UsernameClaim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
flagset.StringVar(&o.GroupsClaim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
flagset.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
flagset.StringVar(&o.JWTAuthenticator.Issuer.URL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
flagset.StringSliceVar(&o.JWTAuthenticator.Issuer.Audiences, "oidc-clientID", []string{}, "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Username.Claim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Groups.Claim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringArrayVar(&o.SupportedSigningAlgs, "oidc-sign-alg", []string{"RS256"}, "Supported signing algorithms, default RS256")
flagset.StringVar(&o.CAFile, "oidc-ca-file", "", "If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.")

uprefix := flagset.String("oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
if uprefix != nil {
o.JWTAuthenticator.ClaimMappings.Username.Prefix = uprefix
}

gprefix := flagset.String("oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
if gprefix != nil {
o.JWTAuthenticator.ClaimMappings.Groups.Prefix = gprefix
}

}

func (o *OIDCOptions) Validate() []error {
Expand All @@ -45,6 +60,19 @@ func (o *OIDCOptions) Validate() []error {
}

func (o *OIDCOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
c.OIDC = o.OIDCConfig
if o.JWTAuthenticator.Issuer.URL == "" {
return nil
}

dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)

if err != nil {
return fmt.Errorf("failed to create dynamic CA content: %w", err)
}

o.CAContentProvider = dyCA
c.OIDC = &o.Options
c.OIDCDynamicCAContent = dyCA

return nil
}
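Review bot: `ApplyTo` calls `dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)` whenever an issuer URL is set, even when `--oidc-ca-file` was left empty; if I recall correctly the upstream constructor rejects an empty filename, which would make the CA file mandatory and contradict the flag's own help text ("otherwise the host's root CA set will be used") — worth confirming with a run that omits the flag. If so, build the reloader only when a path was given and leave `CAContentProvider` nil so the upstream authenticator falls back to the host roots; the caller that starts `OIDCDynamicCAContent.Run` then needs a nil guard, and the error wrap should name the path. The blank line between the constructor call and its `err` check is also unconventional. In the `AddFlags` hunk above, the `oidc-clientID` help text still speaks of a single client ID although the flag now accepts a comma-separated list of audiences, which widens which tokens are accepted and deserves saying so; the `if uprefix != nil` / `if gprefix != nil` checks are redundant since `pflag.FlagSet.String` never returns nil.
```go
func (o *OIDCOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
	if o.JWTAuthenticator.Issuer.URL == "" {
		return nil
	}

	// Only set up a reloading CA bundle when one was requested; a nil
	// CAContentProvider lets the upstream authenticator use the host roots.
	if o.CAFile != "" {
		dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)
		if err != nil {
			return fmt.Errorf("creating dynamic CA content from %q: %w", o.CAFile, err)
		}
		o.CAContentProvider = dyCA
		c.OIDCDynamicCAContent = dyCA
	}

	c.OIDC = &o.Options
	return nil
}
```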
9 changes: 6 additions & 3 deletions cmd/kube-rbac-proxy/app/options/options.go
Expand Up @@ -19,10 +19,11 @@ package options
import (
"fmt"

"github.com/brancz/kube-rbac-proxy/pkg/authn"
"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
kubeflags "k8s.io/component-base/cli/flag"

"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
)

// ProxyRunOptions bundles both generic server run options from upstream, the
Expand Down Expand Up @@ -54,7 +55,7 @@ func NewProxyRunOptions() *ProxyRunOptions {
UpstreamHeader: &identityheaders.AuthnHeaderConfig{},
},
OIDCOptions: &OIDCOptions{
OIDCConfig: &authn.OIDCConfig{},
Options: oidc.Options{},
},
}
}
Expand Down Expand Up @@ -83,3 +84,5 @@ func (o *ProxyRunOptions) ExtraValidate() []error {

return errs
}

func stringP(s string) *string { return &s }

Check failure on line 88 in cmd/kube-rbac-proxy/app/options/options.go


GitHub Actions / Lint

func `stringP` is unused (unused)
13 changes: 5 additions & 8 deletions pkg/authn/config.go
Expand Up @@ -16,6 +16,8 @@ limitations under the License.

package authn

import "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

// X509Config holds public client certificate used for authentication requests if specified
type X509Config struct {
ClientCAFile string
Expand All @@ -30,12 +32,7 @@ type TokenConfig struct {

// OIDCConfig represents configuration used for JWT request authentication
type OIDCConfig struct {
IssuerURL string
ClientID string
CAFile string
UsernameClaim string
UsernamePrefix string
GroupsClaim string
GroupsPrefix string
SupportedSigningAlgs []string
CAFile string

oidc.Options
}
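Review bot: After this change `authn.OIDCConfig` (a `CAFile` plus an embedded `oidc.Options`) has no remaining user visible in the diff: `OIDCOptions` now embeds `oidc.Options` directly and `KubeRBACProxyInfo.OIDC` became `*oidc.Options`, so this type duplicates the options struct's shape without being wired to it. If something outside this commit still references it, the comment above it should say what consumes it, e.g. `// OIDCConfig mirrors options.OIDCOptions for <consumer>; keep the two in sync.`; otherwise it can go along with the deleted pkg/authn/oidc.go, which would also drop the new `oidc` import added at the top of this file. The existing comment ("represents configuration used for JWT request authentication") predates the restructuring and no longer explains how this relates to the upstream options.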
84 changes: 0 additions & 84 deletions pkg/authn/oidc.go

This file was deleted.

10 changes: 8 additions & 2 deletions pkg/server/config.go
Expand Up @@ -26,8 +26,9 @@ import (
"os"

serverconfig "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

"github.com/brancz/kube-rbac-proxy/pkg/authn"
"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
authz "github.com/brancz/kube-rbac-proxy/pkg/authorization"
"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
Expand Down Expand Up @@ -55,7 +56,8 @@ type KubeRBACProxyInfo struct {

Authorization *authz.AuthzConfig

OIDC *authn.OIDCConfig
OIDC *oidc.Options
OIDCDynamicCAContent *dynamiccertificates.DynamicFileCAContent

AllowPaths []string
IgnorePaths []string
Expand All @@ -75,6 +77,10 @@ func NewConfig() *KubeRBACProxyConfig {
}
}

func (i *KubeRBACProxyInfo) HasOIDCSetup() bool {
return i.OIDC != nil && i.OIDC.JWTAuthenticator.Issuer.URL != ""
}

// SetUpstreamTransport configures the transport to use when talking to upstream
// with a CA and/or client cert/key pair.
// An empty string on `upstreamCAPath` means system cert pool will be used.
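Review bot: `HasOIDCSetup` is a new exported method without a doc comment, and the contract it implies is wider than its body: its only visible caller (cmd/kube-rbac-proxy/app/kube-rbac-proxy.go) starts `OIDCDynamicCAContent.Run` right after a true result, yet the method says nothing about that field. A comment stating the contract would help, e.g. `// HasOIDCSetup reports whether an OIDC issuer URL was configured. Callers expect OIDCDynamicCAContent to be set whenever this returns true; see OIDCOptions.ApplyTo.` The newly exported field lacks a comment as well, e.g. `// OIDCDynamicCAContent reloads the bundle given by --oidc-ca-file; its Run is started from the proxy's Run.`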
