feat: add kubernetes secret sync api#11
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 97c64757a5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if err := decodeSegment(parts[0], &header); err != nil { | ||
| return Claims{}, invalidToken("decode header: %v", err) | ||
| } | ||
| if header.Algorithm != "RS256" { |
There was a problem hiding this comment.
Accept ECDSA service account tokens
Clusters using an ECDSA service-account signing key are valid Kubernetes configurations (docs), but this verifier rejects every JWT whose header is not exactly RS256 before reading the JWKS. In those clusters, every valid pod token sent to /integrations/kubernetes/secrets will be returned as unauthorized; support the ES* algorithms/EC JWKs or fail configuration with an RSA-only requirement.
Useful? React with 👍 / 👎.
|
|
||
| var kubernetesClusterPattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9_.*-]*$`) | ||
| var kubernetesNamespacePattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9*-]*$`) | ||
| var kubernetesServiceAccountPattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9*-]*$`) |
There was a problem hiding this comment.
Permit dots in service account patterns
ServiceAccount names are Kubernetes DNS subdomain names, so names containing . are valid (docs), but this validator rejects dots in service_account_patterns. A workload running as a valid account such as build.robot cannot be granted access with an exact rule and would require a broader wildcard, which can either block that workload or weaken the rule scope.
Useful? React with 👍 / 👎.
go test ./....