salt,ui: Prefix OIDC claims with oidc:

This is needed to avoid name collision between different authentication plugins. Refs: #3051
scality · Jan 20, 2021 · 5968792 · 5968792
1 parent fcde4b7
commit 5968792
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@
 ## Release 2.8.0 (in development)
 ### Enhancements
 
+- [#3051](https://github.com/scality/metalk8s/issues/3051) - Prefix OIDC claims
+  to prevent naming clashes
+  (PR [#3054](https://github.com/scality/metalk8s/pull/3054))
+
 - [#2164](https://github.com/scality/metalk8s/issues/2164) - Add RHEL 8 support
   (PR [#2997](https://github.com/scality/metalk8s/pull/2997))
 

diff --git a/docs/operation/account_administration.rst b/docs/operation/account_administration.rst
@@ -144,7 +144,7 @@ these steps:
         name: <role-binding-name-of-your-choice>
       subjects:
         - kind: User
-          name: <email>
+          name: oidc:<email>
           apiGroup: rbac.authorization.k8s.io
       roleRef:
         kind: ClusterRole

diff --git a/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls b/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls
@@ -6,7 +6,7 @@ metadata:
   name: dex-administrator
 subjects:
 - kind: User
-  name: "[email protected]"
+  name: "oidc:[email protected]"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole

diff --git a/salt/metalk8s/kubernetes/apiserver/installed.sls b/salt/metalk8s/kubernetes/apiserver/installed.sls
@@ -85,7 +85,9 @@ Create kube-apiserver Pod manifest:
           - --oidc-client-id=oidc-auth-client
           - --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
           - --oidc-username-claim=email
+          - --oidc-username-prefix="oidc:"
           - --oidc-groups-claim=groups
+          - --oidc-groups-prefix="oidc:"
           - --v={{ 2 if metalk8s.debug else 0 }}
         requested_cpu: 250m
         volumes:

diff --git a/ui/cypress/fixtures/salt-api/login.json b/ui/cypress/fixtures/salt-api/login.json
@@ -5,7 +5,7 @@
       "start": 1603349562.577489,
       "token": "fc14fe8d2c99b575642546ee219cc714204cf31a",
       "expire": 1603392762.577489,
-      "user": "[email protected]",
+      "user": "oidc:[email protected]",
       "eauth": "kubernetes_rbac"
     }
   ]

diff --git a/ui/src/services/salt/api.js b/ui/src/services/salt/api.js
@@ -26,7 +26,7 @@ export type SaltToken = {
 export function authenticate(user): Promise<SaltToken> {
   var payload = {
     eauth: 'kubernetes_rbac',
-    username: user.profile.email,
+    username: `oidc:${user.profile.email}`,
     token: user.id_token,
   };
   return saltApiClient.post('/login', payload);