Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it #118984

Merged
merged 2 commits into from
Aug 25, 2023
Merged

[StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it #118984

merged 2 commits into from
Aug 25, 2023

Conversation

aramase
Copy link
Member

@aramase aramase commented Jun 29, 2023
edited

  • Adds the v1alpha1 API for AuthenticationConfiguration
  • Wires up existing --oidc-* flags with the internal struct
    • The AuthenticationConfiguration validation is used after the struct is created.

Fixes #118832
Fixes #119384

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 29, 2023
@aramase aramase changed the title [StructuredAuthenticatonConfig [StructuredAuthenticatonConfig] Create struct for authn config and re-wire OIDC flags to use it Jun 29, 2023
@aramase aramase changed the title [StructuredAuthenticatonConfig] Create struct for authn config and re-wire OIDC flags to use it [WIP][StructuredAuthenticatonConfig] Create struct for authn config and re-wire OIDC flags to use it Jun 29, 2023
@k8s-ci-robot k8s-ci-robot added area/apiserver do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 29, 2023
@aramase
Copy link
Member Author

aramase commented Jun 29, 2023

/kind feature
/sig auth
/triage accepted
/milestone v1.28

@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone Jun 29, 2023
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 29, 2023
@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch from 66a2fc0 to 7af3258 Compare June 29, 2023 16:22
@aramase aramase changed the title [WIP][StructuredAuthenticatonConfig] Create struct for authn config and re-wire OIDC flags to use it [WIP][StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it Jun 29, 2023
@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch from 7af3258 to ee29ae5 Compare June 29, 2023 18:09
@aramase
Copy link
Member Author

aramase commented Jun 29, 2023
edited

/assign @enj

Not ready for review yet, just adding it to your list!

@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch from 5ee20d2 to 621fb42 Compare June 30, 2023 05:20
@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch from f9483a1 to f74783a Compare August 18, 2023 20:35
@aramase aramase requested a review from enj August 18, 2023 20:37
enj
enj suggested changes Aug 19, 2023
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
Comment on lines +267 to +269
// prefix is prepended to claim's value to prevent clashes with existing names.
// +required
Prefix *string `json:"prefix"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt I assume this won't be required once we add expression field, so what should the tag be set to optional or required?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can leave it +required for now and switch to +optional once we have another field, or just make it +optional with good docs now

the tag doesn't drive any behavior and we don't have openapi for this config file API, so it doesn't really matter... we just don't want to be confusing

staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go Outdated Show resolved Hide resolved
pkg/kubeapiserver/options/authentication.go Show resolved Hide resolved
@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch 2 times, most recently from 11822f0 to 58d0422 Compare August 22, 2023 21:03
@liggitt liggitt moved this from Changes requested to In progress in API Reviews Aug 25, 2023
liggitt
liggitt reviewed Aug 25, 2023
View reviewed changes
pkg/kubeapiserver/options/authentication.go
ret.OIDCIssuerURL = o.OIDC.IssuerURL
ret.OIDCUsernameClaim = o.OIDC.UsernameClaim
ret.OIDCUsernamePrefix = o.OIDC.UsernamePrefix
if o.OIDC != nil && len(o.OIDC.IssuerURL) > 0 && len(o.OIDC.ClientID) > 0 {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no action required now, but we'll eventually need to make this path mutually exclusive with the flag for providing the jwt authentication config ... didn't see a TODO and wanted to make sure that was tracked

Copy link
Member Author

@aramase aramase Aug 25, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm doing that as part of #119142. I'll rebase that on top of this PR now.

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
Comment on lines +267 to +269
// prefix is prepended to claim's value to prevent clashes with existing names.
// +required
Prefix *string `json:"prefix"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can leave it +required for now and switch to +optional once we have another field, or just make it +optional with good docs now

the tag doesn't drive any behavior and we don't have openapi for this config file API, so it doesn't really matter... we just don't want to be confusing

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go Outdated Show resolved Hide resolved
@liggitt
Copy link
Member

liggitt commented Aug 25, 2023

/approve
/lgtm
API bits lgtm.

/hold
Can fix the godoc nits in this PR or in a follow-up if you want, up to you

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Aug 25, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: f21705ad5b23ff348287177c4f212ba252d16012

@liggitt liggitt moved this from In progress to API review completed, 1.29 in API Reviews Aug 25, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2023
@aramase
add AuthenticationConfiguration v1alpha1 api
f909eb6 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase
wiring existing oidc flags with internal API struct
1bad3cb 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase aramase force-pushed the aramase/c/kep_3331_wiring_flag_with_api branch from 58d0422 to 1bad3cb Compare August 25, 2023 17:15
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 25, 2023
@aramase
Copy link
Member Author

aramase commented Aug 25, 2023

/hold cancel

@liggitt fixed the godoc comments!

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 25, 2023
@liggitt
Copy link
Member

liggitt commented Aug 25, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 25, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 2e02c6fb0593ba35e1ec2b97379fa6130e268e88

@k8s-ci-robot k8s-ci-robot merged commit 0e86fa5 into kubernetes:master Aug 25, 2023
14 of 15 checks passed
@aramase aramase deleted the aramase/c/kep_3331_wiring_flag_with_api branch August 25, 2023 19:19
@liggitt liggitt mentioned this pull request Sep 5, 2023
Merged
@dimityrmirchev dimityrmirchev mentioned this pull request Jan 16, 2024
Open
@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@jpbetz jpbetz Awaiting requested review from jpbetz

@enj enj Awaiting requested review from enj

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@enj enj

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
API Reviews
Status: API review completed, 1.29
SIG Auth
Archived in project
[sig-release] Bug Triage
Archived in project
Milestone
v1.29
5 participants
@aramase @furkatgofurov7 @enj @k8s-ci-robot @liggitt