From 596879257dc1d4c3d0be1dbeb1173c118f59d5c4 Mon Sep 17 00:00:00 2001
From: Alexandre Allard
Date: Mon, 18 Jan 2021 17:43:59 +0100
Subject: [PATCH] salt,ui: Prefix OIDC claims with `oidc:`
This is needed to avoid name collision between different authentication plugins.
Refs: #3051
---
 CHANGELOG.md | 4 ++++
 docs/operation/account_administration.rst | 2 +-
 salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls | 2 +-
 salt/metalk8s/kubernetes/apiserver/installed.sls | 2 ++
 ui/cypress/fixtures/salt-api/login.json | 2 +-
 ui/src/services/salt/api.js | 2 +-
 6 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d59a10812a..1ec53928b4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ ## Release 2.8.0 (in development)
 ### Enhancements
+- [#3051](https://github.com/scality/metalk8s/issues/3051) - Prefix OIDC claims
+ to prevent naming clashes
+ (PR [#3054](https://github.com/scality/metalk8s/pull/3054))
+
 - [#2164](https://github.com/scality/metalk8s/issues/2164) - Add RHEL 8 support
 (PR [#2997](https://github.com/scality/metalk8s/pull/2997))
diff --git a/docs/operation/account_administration.rst b/docs/operation/account_administration.rst
index d3c7187624..24285969e8 100644
--- a/docs/operation/account_administration.rst
+++ b/docs/operation/account_administration.rst
@@ -144,7 +144,7 @@ these steps:
 name:
 subjects:
 - kind: User
- name:
+ name: oidc:
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: ClusterRole
diff --git a/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls b/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls
index b297fda9bf..de6a066be1 100644
--- a/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls
+++ b/salt/metalk8s/addons/dex/deployed/clusterrolebinding.sls
@@ -6,7 +6,7 @@ metadata:
 name: dex-administrator
 subjects:
 - kind: User
- name: "admin@metalk8s.invalid"
+ name: "oidc:admin@metalk8s.invalid"
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: ClusterRole
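Review bot: RBAC subject names are compared as exact strings, so once kube-apiserver applies the `oidc:` prefix, any binding that still names `admin@metalk8s.invalid` (or an unprefixed Dex group) grants nothing, and the failure mode is a silent 403 rather than an error. This hunk migrates only the binding Salt manages; bindings operators created from the old documentation are not rewritten, so an upgrade note and, ideally, a Salt state or script that adds the prefix to existing `User`/`Group` subjects would be worth shipping alongside this change. A short comment above `subjects:` such as `# Subject names carry the oidc: prefix applied by --oidc-username-prefix on kube-apiserver` would explain the otherwise odd-looking name to the next reader. The `roleRef` of this binding continues outside the hunk.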
diff --git a/salt/metalk8s/kubernetes/apiserver/installed.sls b/salt/metalk8s/kubernetes/apiserver/installed.sls
index cdd1d6a3d3..dc4df596eb 100644
--- a/salt/metalk8s/kubernetes/apiserver/installed.sls
+++ b/salt/metalk8s/kubernetes/apiserver/installed.sls
@@ -85,7 +85,9 @@ Create kube-apiserver Pod manifest:
 - --oidc-client-id=oidc-auth-client
 - --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
 - --oidc-username-claim=email
+ - --oidc-username-prefix="oidc:"
 - --oidc-groups-claim=groups
+ - --oidc-groups-prefix="oidc:"
 - --v={{ 2 if metalk8s.debug else 0 }}
 requested_cpu: 250m
 volumes:
diff --git a/ui/cypress/fixtures/salt-api/login.json b/ui/cypress/fixtures/salt-api/login.json
index b36bbee4ce..8ed8d50952 100644
--- a/ui/cypress/fixtures/salt-api/login.json
+++ b/ui/cypress/fixtures/salt-api/login.json
@@ -5,7 +5,7 @@
 "start": 1603349562.577489,
 "token": "fc14fe8d2c99b575642546ee219cc714204cf31a",
 "expire": 1603392762.577489,
- "user": "admin@metalk8s.invalid",
+ "user": "oidc:admin@metalk8s.invalid",
 "eauth": "kubernetes_rbac"
 }
 ]
diff --git a/ui/src/services/salt/api.js b/ui/src/services/salt/api.js
index fdfbee773e..dc8f0617a6 100644
--- a/ui/src/services/salt/api.js
+++ b/ui/src/services/salt/api.js
@@ -26,7 +26,7 @@ export type SaltToken = {
 export function authenticate(user): Promise {
 var payload = {
 eauth: 'kubernetes_rbac',
- username: user.profile.email,
+ username: `oidc:${user.profile.email}`,
 token: user.id_token,
 };
 return saltApiClient.post('/login', payload);
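Review bot: The double quotes in `--oidc-username-prefix="oidc:"` and `--oidc-groups-prefix="oidc:"` are part of the YAML plain scalar here, not YAML quoting, so if the rendered static Pod manifest passes these list entries verbatim to kube-apiserver's args (there is no shell to strip them), the effective prefix is `"oidc:"` including the quote characters and users arrive as `"oidc:"admin@metalk8s.invalid`, which the `oidc:admin@metalk8s.invalid` subject in the Dex ClusterRoleBinding would never match. The two flags should read `- --oidc-username-prefix=oidc:` and `- --oidc-groups-prefix=oidc:`, and this is worth confirming against the rendered `kube-apiserver.yaml` on a bootstrap node before merging. Prefixing both claims is otherwise the right hardening: it keeps IdP-controlled `email` and `groups` values from ever spelling an identity owned by another authenticator, including the `system:` namespace. The enclosing state (`Create kube-apiserver Pod manifest`) starts before and continues after this hunk.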
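Review bot: The `oidc:` prefix is now duplicated as a string literal in the client, while the value that actually determines the Kubernetes username is the `--oidc-username-prefix` flag on kube-apiserver; nothing ties the two together, so a later change to either silently breaks Salt API logins. At minimum add a comment on the `username:` line: `// Must match --oidc-username-prefix on kube-apiserver (salt/metalk8s/kubernetes/apiserver/installed.sls)`. Presumably the `kubernetes_rbac` eauth derives the identity from `user.id_token` and only compares it with `username`; if it instead trusts the client-supplied `username`, this string is attacker-controlled and must not drive any authorization decision server-side, which is worth verifying in the eauth module. `user.profile.email` is also used unguarded, so a token without an `email` claim yields the literal username `oidc:undefined`; a guard such as `if (!user.profile || !user.profile.email) throw new Error('OIDC profile has no email claim');` before building the payload would fail loudly instead. The closing brace of `authenticate` lies outside this hunk.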