Use both lookup.ClusterNameFrom and request.ClusterNameFrom to retrieve cluster name #4064

Merged
kcp-ci-bot merged 2 commits into kcp-dev:main from ntnn:fix-user-extra
Apr 24, 2026
Conversation

Member

@ntnn ntnn commented Apr 24, 2026

Summary

withClusterScope is used both in the front-proxy and shards.
Both set the cluster name on different context keys due to
differing handler chains and middlewares.

On top of that, synthetic requests like a TokenReview that only
pass the authentication chain only have the cluster on the
context key from the request package - not from the lookup
package.

Related: #4061

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes #

Release Notes

NONE
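
The situation described in this PR, as an added Go example that is not part of the PR or of kcp's code: it shows why reading a single context key leaves the cluster-name extra empty for a request that only carries the other key. The two key types stand in for the keys owned by the lookup and request packages; the helper names, the sample cluster name and the key order are assumptions.

```go
package main

import (
	"context"
	"fmt"
)

// Hypothetical stand-ins for the context keys owned by kcp's lookup and
// request packages; the real key types and accessors are not reproduced here.
type lookupClusterKey struct{}
type requestClusterKey struct{}

// Extra key named in the review summary of this PR.
const clusterNameExtraKey = "authentication.kcp.io/cluster-name"

// withCluster stores a cluster name under one key, as one handler chain would.
func withCluster(ctx context.Context, key interface{}, name string) context.Context {
	return context.WithValue(ctx, key, name)
}

// clusterNameFrom returns the first non-empty cluster name found under keys.
// The caller's key order decides precedence (an assumption of this example).
func clusterNameFrom(ctx context.Context, keys ...interface{}) (string, bool) {
	for _, key := range keys {
		if name, ok := ctx.Value(key).(string); ok && name != "" {
			return name, true
		}
	}
	return "", false
}

// clusterExtra builds the cluster-name entry for User.Extra, or an empty map
// when none of the keys carries a cluster.
func clusterExtra(ctx context.Context, keys ...interface{}) map[string][]string {
	extra := map[string][]string{}
	if name, ok := clusterNameFrom(ctx, keys...); ok {
		extra[clusterNameExtraKey] = []string{name}
	}
	return extra
}

func main() {
	// Constructed sample: a TokenReview-style context with only the request key set.
	review := withCluster(context.Background(), requestClusterKey{}, "root:org:ws")
	fmt.Println("lookup key only:", clusterExtra(review, lookupClusterKey{}))
	fmt.Println("both keys:      ", clusterExtra(review, lookupClusterKey{}, requestClusterKey{}))
}
```
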

@kcp-ci-bot kcp-ci-bot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. dco-signoff: yes Indicates the PR's author has signed the DCO. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 24, 2026
@ntnn ntnn requested a review from Copilot April 24, 2026 07:31

Copilot AI left a comment

Pull request overview

This PR fixes TokenReview “extra” fields for per-workspace authentication by retrieving the logical cluster name from the apiserver request context (available during authentication), rather than from a front-proxy/middleware-specific context key.

Changes:

  • Switch cluster name lookup in the workspace authenticator to request.ClusterNameFrom.
  • Extend the OIDC TokenReview e2e test to assert the expected cluster-related User.Extra fields.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/authentication/authenticators.go | Uses apiserver request context (request.ClusterNameFrom) when populating cluster-scoped TokenReview extras. |
| test/e2e/authentication/workspace_test.go | Adds assertions that TokenReview responses include expected authentication.kcp.io/scopes and authentication.kcp.io/cluster-name extras. |

Comment thread test/e2e/authentication/workspace_test.go Outdated
Comment thread pkg/authentication/authenticators.go Outdated
@ntnn ntnn force-pushed the fix-user-extra branch 2 times, most recently from 14f2c34 to 168feac Compare April 24, 2026 07:42
@ntnn ntnn added this to tbd Apr 24, 2026
@ntnn ntnn moved this to In review in tbd Apr 24, 2026
Contributor

@mjudeikis mjudeikis left a comment

/lgtm
/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026
@kcp-ci-bot
Contributor

LGTM label has been added.

Git tree hash: 7cc23d52316429e01faf1e5d086b5758dee39c5f

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 24, 2026
@kcp-ci-bot kcp-ci-bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026
@kcp-ci-bot kcp-ci-bot requested a review from mjudeikis April 24, 2026 08:20
@ntnn
Member Author

ntnn commented Apr 24, 2026

/cherry-pick 0.31

@kcp-ci-bot
Contributor

@ntnn: once the present PR merges, I will cherry-pick it on top of 0.31 in a new PR and assign it to you.

In response to this:

/cherry-pick 0.31

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@mjudeikis
Contributor

/lgtm
/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026
@kcp-ci-bot
Contributor

LGTM label has been added.

Git tree hash: 53c13535dcb1bb68b25ba5d9a08107c191005b9d

@kcp-ci-bot kcp-ci-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 24, 2026
@ntnn ntnn requested a review from Copilot April 24, 2026 09:18
@ntnn
Member Author

ntnn commented Apr 24, 2026

/cherry-pick release-0.31

@kcp-ci-bot
Contributor

@ntnn: once the present PR merges, I will cherry-pick it on top of release-0.31 in a new PR and assign it to you.

In response to this:

/cherry-pick release-0.31


Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Comment thread pkg/authentication/authenticators.go Outdated
Comment thread pkg/authentication/authenticators.go Outdated
Comment thread pkg/authentication/authenticators.go Outdated
Comment thread test/e2e/authentication/workspace_test.go Outdated
ntnn added 2 commits April 24, 2026 11:24
…ve cluster name

withClusterScope is used both in the front-proxy and shards.
Both set the cluster name on different context keys due to
differing handler chains and middlewares.

On top of that, synthetic requests like a TokenReview that only
pass the authentication chain only have the cluster on the
context key from the request package - not from the lookup
package.
@ntnn ntnn changed the title from "Use request.ClusterNameFrom to retrieve cluster name" to "Use both lookup.ClusterNameFrom and request.ClusterNameFrom to retrieve cluster name" Apr 24, 2026
@ntnn
Member Author

ntnn commented Apr 24, 2026

/test pull-kcp-test-e2e-multiple-runs

flake on unrelated tests

Contributor

@mjudeikis mjudeikis left a comment

/lgtm
/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026
@kcp-ci-bot
Contributor

LGTM label has been added.

Git tree hash: b4c549d92f1d7f6118bca0357e3da75a7f32c5c6

@kcp-ci-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mjudeikis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot merged commit bb0f3e7 into kcp-dev:main Apr 24, 2026
14 checks passed
@github-project-automation github-project-automation Bot moved this from In review to Done in tbd Apr 24, 2026
@kcp-ci-bot
Contributor

@ntnn: cannot checkout 0.31: error checking out "0.31": exit status 1 error: pathspec '0.31' did not match any file(s) known to git

In response to this:

/cherry-pick 0.31

@kcp-ci-bot
Contributor

@ntnn: new pull request created: #4068

In response to this:

/cherry-pick release-0.31

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

4 participants