Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix jwks object path in S3 for IRSA #11649

Merged
merged 2 commits into from
Jun 1, 2021
Merged

Fix jwks object path in S3 for IRSA #11649

merged 2 commits into from
Jun 1, 2021

Conversation

h3poteto
Copy link
Contributor

This is a small change.

jwks object path is wrong when I specify serviceAccountIssuerDiscovery according to https://kops.sigs.k8s.io/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa .

For example, when I specify following spec:

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://h3poteto-playground-oidc
    enableAWSOIDCProvider: true

kube-apiserver's parameters are

    - --service-account-issuer=https://h3poteto-playground-oidc.s3.us-east-1.amazonaws.com/oidc
    - --service-account-jwks-uri=https://h3poteto-playground-oidc.s3.us-east-1.amazonaws.com/oidc/openid/v1/jwks
    - --service-account-key-file=/srv/kubernetes/service-account.key
    - --service-account-signing-key-file=/srv/kubernetes/service-account.key

But, there is no object in https://h3poteto-playground-oidc.s3.us-east-1.amazonaws.com/oidc/openid/v1/jwks. At the momen the jwks object is located in /openid/v1/jwks. It should be /oidc/openid/v1/jwks, so I fixed the path.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 31, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @h3poteto. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 31, 2021
@hakman
Copy link
Member

hakman commented May 31, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 31, 2021
@johngmyers
Copy link
Member

oidc/openid is a bit redundant. Perhaps the fix should be to take it out of iam.ServiceAccountIssuer()?

@johngmyers johngmyers added blocks-next kind/bug Categorizes issue or PR as related to a bug. labels May 31, 2021
@johngmyers
Copy link
Member

/cc @rifelpet

@olemarkus
Copy link
Member

If I remember my own reasoning correctly, it is to have a common prefix for both the .well-known/openid-configuration and openid/v1/jwks paths.

@johngmyers
Copy link
Member

Wouldn't the DiscoveryStore be the common prefix? The oidc prefix makes less sense now that DiscoveryStore is under ServiceAccountIssuerDiscoveryConfig.

@olemarkus
Copy link
Member

I agree. This is leftovers from when that VFS was intended to be shared for other things as well.

@olemarkus
Copy link
Member

olemarkus commented May 31, 2021
edited
Loading

@h3poteto i.e the block around line 125 in pkg/model/iam/subject.go should just return base.GetHTTPsUrl()

@h3poteto
Copy link
Contributor Author

h3poteto commented Jun 1, 2021

OK, I will try it.

johngmyers
johngmyers reviewed Jun 1, 2021
View reviewed changes
pkg/model/issuerdiscovery.go Outdated
@@ -80,7 +80,7 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.ModelBuilderContext) error {
keysFile := &fitasks.ManagedFile{
Contents: keys,
Lifecycle: b.Lifecycle,
Location: fi.String("/openid/v1/jwks"),
Location: fi.String("oidc/openid/v1/jwks"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@h3poteto please also change the .well-known path below on line 93. Also, please remove the appending of "oidc" around line 125 in pkg/model/iam/subject.go

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 1, 2021
@h3poteto h3poteto force-pushed the fix-jwks-location branch 2 times, most recently from 280974a to a7a659d Compare June 1, 2021 12:26
@h3poteto
Copy link
Contributor Author

h3poteto commented Jun 1, 2021

@olemarkus @johngmyers How about this?
a7a659d

@h3poteto h3poteto mentioned this pull request Jun 1, 2021
Closed
@johngmyers
Copy link
Member

/retest

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 1, 2021
johngmyers
johngmyers requested changes Jun 1, 2021
View reviewed changes
util/pkg/vfs/s3fs.go Outdated
@@ -447,7 +447,8 @@ func (p *S3Path) GetHTTPsUrl() (string, error) {
}
p.bucketDetails = bucketDetails
}
return fmt.Sprintf("https://%s.s3.%s.amazonaws.com/%s", p.bucketDetails.name, p.bucketDetails.region, p.Key()), nil
baseURL := fmt.Sprintf("https://%s.s3.%s.amazonaws.com", p.bucketDetails.name, p.bucketDetails.region)
return path.Join(baseURL, p.Key()), nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fmt.Println(path.Join("https://example.com", "/path")) returns https:/example.com/path which has too few / after the https:.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps use a URL struct literal.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh...sorry. I fixed it.
d52ec60

johngmyers
johngmyers approved these changes Jun 1, 2021
View reviewed changes
Copy link
Member

@johngmyers johngmyers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 1, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 1, 2021
@k8s-ci-robot k8s-ci-robot merged commit 3c4b606 into kubernetes:master Jun 1, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jun 1, 2021
@johngmyers johngmyers mentioned this pull request Jun 1, 2021
Merged
@h3poteto h3poteto deleted the fix-jwks-location branch June 1, 2021 15:50
k8s-ci-robot added a commit that referenced this pull request Jun 1, 2021
@k8s-ci-robot
Merge pull request #11662 from johngmyers/automated-cherry-pick-of-#1…
a92d74b 
…1649-upstream-release-1.21

Automated cherry pick of #11649: Fix issuer and jwks object path for IRSA
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johngmyers johngmyers johngmyers approved these changes

@joshbranham joshbranham Awaiting requested review from joshbranham

@mikesplain mikesplain Awaiting requested review from mikesplain

@rifelpet rifelpet Awaiting requested review from rifelpet

Assignees

@johngmyers johngmyers

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. blocks-next cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@h3poteto @k8s-ci-robot @hakman @johngmyers @olemarkus