UPSTREAM: <carry>: oauth-authn: add implicit audience support #24461
Conversation
openshift-ci-robot
added
size/S
openshift-ci-robot
added
the
approved
sttts
force-pushed
the
sttts-oauth-implicit-audiences
branch
from
6e5f508
to
5e8d514
Compare
openshift-ci-robot
added
size/M
|
I have to get to a computer to see, but this looks plausible. /Approve |
sttts
force-pushed
the
sttts-oauth-implicit-audiences
branch
from
5e8d514
to
163c216
Compare
|
Fixed the unit tests using the changed constructor. |
|
|
||
| auds := kauthenticator.Audiences(tokenAudiences).Intersect(requestedAudiences) | ||
| if len(auds) == 0 && len(a.implicitAuds) != 0 { | ||
| return nil, false, fmt.Errorf("token audiences %q is invalid for the target audiences %q", tokenAudiences, requestedAudiences) |
There was a problem hiding this comment.
I'll allow this because I think it will never happen, but the oidc example suggests return nil, false, nil
There was a problem hiding this comment.
It's copied one-to-one from the service account authenticator.
|
/lgtm holding on proof that the serial test is improve |
openshift-ci-robot
added
do-not-merge/hold
|
/retest |
|
GCP infra flakes |
|
/retest |
|
| @@ -55,6 +58,18 @@ func (a *tokenAuthenticator) AuthenticateToken(ctx context.Context, name string) | |||
| groupNames = append(groupNames, group.Name) | |||
| } | |||
|
|
|||
| tokenAudiences := a.implicitAuds | |||
There was a problem hiding this comment.
(No action required) Consider simplifying:
// Default to implicit audiences
audiences := a.implicitAuds
if len(a.implicitAuds) > 0 {
// Only validate audiences when both implicit audiences and context-provided
// audiences are present.
requestedAudiences, ok := kauthenticator.AudiencesFrom(ctx)
if ok {
// Valid audiences for the token consist of the non-empty intersection
// between the implicit and requested audiences.
audiences = kauthenticator.Audiences(a.implicitAuds).Intersect(requestedAudiences)
if len(audiences) == 0 {
return nil, false, fmt.Errorf("token audiences %q is invalid for the target audiences %q", a.implicitAuds, requestedAudiences)
}
}
}There was a problem hiding this comment.
wanted to keep the structure of the service account authenticator
There was a problem hiding this comment.
+1 to less nesting however visual-only that might appear
|
/retest |
|
Now that #24458 was manually merged e2e-aws-serial should be capable of passing. |
|
/retest |
|
/retest |
sttts
force-pushed
the
sttts-oauth-implicit-audiences
branch
from
163c216
to
0d87344
Compare
|
#24458 merged to fix the imagetags issue. Rebased. |
|
|
|
/retest GCP flakes |
|
/lgtm |
|
/test e2e-cmd |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/test e2e-cmd |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest |
|
/ignore e2e-cmd |
|
/override ci/prow/e2e-aws-serial |
|
force merging this as it make the queue stable again. |
|
@mfojtik: Overrode contexts on behalf of mfojtik: ci/prow/e2e-aws-serial, ci/prow/e2e-cmd, ci/prow/e2e-gcp, ci/prow/e2e-gcp-upgrade In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sttts: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
The TokenReview REST implementation expects that the authn chain returns audiences in the authn response. Authenticators that don't support audiences must return the default slice of audiences, e.g. the legacy service account authenticator does that. This PR adds that to our custom oauth authenticator.
Folliowing https://github.com/kubernetes/kubernetes/blob/master/pkg/serviceaccount/jwt.go#L283.
Compare https://github.com/kubernetes/kubernetes/pull/69582/files#r225535241.