Per-workspace Authentication #3481
Merged

28 commits, all by xrstf:

12a1a39  only resolve URLs once instead of once per mapping
f84efcc  remove redundant and wrong status code handling
dc95aab  WIP: middleware to resolve clusters
d1e378f  Add WorkspaceAuthenticationConfiguration
2ee1d76  add reference to WAC to WorkspaceTypes
ca69948  keep track of workspace types per logicalcluster in the index
58ecc27  implement auth controller and auth index
41fd4d9  fix handling for local workspace types
c4ed4ce  tweak optionality of some fields
fc12b5d  codegen
727847f  introduce new WorkspaceAuthentication feature gate
19a9409  remove Path option for WorkspaceAuthConfig references
948c924  fix shard handling in the index, move code out of pkg/proxy/ to prepa…
b7c141a  add workspaceauth handling to localproxy, enabling a single-shard to …
16183bc  add basic e2e test to ensure custom authentication for a workspace works
b1f96fb  lint
8a1938d  enable feature in shared e2e tests
c64753f  fix multiple logic issues in authentication chain
7a89236  cleanup unit test
74e8a17  constrain testcase to new workspace to allow multiple runs
d247b51  cancel and stop shard watchers when servers are stopped
be2d5ff  remove unneeded parameter since we're now relying on the context
32a630f  improve error handling
5e8d9e2  rename ref field from Configuration to Name
39d6d4e  extend e2e testcases
242e852  scope authn infos to the given logicalcluster, add test to ensure it …
1c11747  add documentation
46b1c0c  prevent workspace authentication from returning system groups or names
config/crds/tenancy.kcp.io_workspaceauthenticationconfigurations.yaml (208 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,208 @@ | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| controller-gen.kubebuilder.io/version: v0.17.3 | ||
| name: workspaceauthenticationconfigurations.tenancy.kcp.io | ||
| spec: | ||
| group: tenancy.kcp.io | ||
| names: | ||
| categories: | ||
| - kcp | ||
| kind: WorkspaceAuthenticationConfiguration | ||
| listKind: WorkspaceAuthenticationConfigurationList | ||
| plural: workspaceauthenticationconfigurations | ||
| singular: workspaceauthenticationconfiguration | ||
| scope: Cluster | ||
| versions: | ||
| - name: v1alpha1 | ||
| schema: | ||
| openAPIV3Schema: | ||
| description: |- | ||
| WorkspaceAuthenticationConfiguration specifies additional authentication options | ||
| for workspaces. | ||
| properties: | ||
| apiVersion: | ||
| description: |- | ||
| APIVersion defines the versioned schema of this representation of an object. | ||
| Servers should convert recognized schemas to the latest internal value, and | ||
| may reject unrecognized values. | ||
| More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | ||
| type: string | ||
| kind: | ||
| description: |- | ||
| Kind is a string value representing the REST resource this object represents. | ||
| Servers may infer this from the endpoint the client submits requests to. | ||
| Cannot be updated. | ||
| In CamelCase. | ||
| More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | ||
| type: string | ||
| metadata: | ||
| type: object | ||
| spec: | ||
| properties: | ||
| jwt: | ||
| items: | ||
| properties: | ||
| claimMappings: | ||
| description: ClaimMappings provides the configuration for claim | ||
| mapping. | ||
| properties: | ||
| extra: | ||
| items: | ||
| description: ExtraMapping provides the configuration for | ||
| a single extra mapping. | ||
| properties: | ||
| key: | ||
| type: string | ||
| valueExpression: | ||
| type: string | ||
| required: | ||
| - key | ||
| - valueExpression | ||
| type: object | ||
| type: array | ||
| groups: | ||
| description: PrefixedClaimOrExpression provides the configuration | ||
| for a single prefixed claim or expression. | ||
| properties: | ||
| claim: | ||
| type: string | ||
| expression: | ||
| type: string | ||
| prefix: | ||
| type: string | ||
| required: | ||
| - claim | ||
| type: object | ||
| uid: | ||
| description: ClaimOrExpression provides the configuration | ||
| for a single claim or expression. | ||
| properties: | ||
| claim: | ||
| type: string | ||
| expression: | ||
| type: string | ||
| required: | ||
| - claim | ||
| type: object | ||
| username: | ||
| description: PrefixedClaimOrExpression provides the configuration | ||
| for a single prefixed claim or expression. | ||
| properties: | ||
| claim: | ||
| type: string | ||
| expression: | ||
| type: string | ||
| prefix: | ||
| type: string | ||
| required: | ||
| - claim | ||
| type: object | ||
| required: | ||
| - groups | ||
| - username | ||
| type: object | ||
| claimValidationRules: | ||
| items: | ||
| description: ClaimValidationRule provides the configuration | ||
| for a single claim validation rule. | ||
| properties: | ||
| claim: | ||
| type: string | ||
| expression: | ||
| type: string | ||
| message: | ||
| type: string | ||
| requiredValue: | ||
| type: string | ||
| required: | ||
| - claim | ||
| - expression | ||
| - message | ||
| - requiredValue | ||
| type: object | ||
| type: array | ||
| issuer: | ||
| description: Issuer provides the configuration for an external | ||
| provider's specific settings. | ||
| properties: | ||
| audienceMatchPolicy: | ||
| description: AudienceMatchPolicyType is a set of valid values | ||
| for Issuer.AudienceMatchPolicy. | ||
| type: string | ||
| audiences: | ||
| items: | ||
| type: string | ||
| type: array | ||
| certificateAuthority: | ||
| type: string | ||
| discoveryURL: | ||
| description: |- | ||
| discoveryURL, if specified, overrides the URL used to fetch discovery | ||
| information instead of using "{url}/.well-known/openid-configuration". | ||
| The exact value specified is used, so "/.well-known/openid-configuration" | ||
| must be included in discoveryURL if needed. | ||
|
|
||
| The "issuer" field in the fetched discovery information must match the "issuer.url" field | ||
| in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT. | ||
| This is for scenarios where the well-known and jwks endpoints are hosted at a different | ||
| location than the issuer (such as locally in the cluster). | ||
|
|
||
| Example: | ||
| A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace' | ||
| and discovery information is available at '/.well-known/openid-configuration'. | ||
| discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration" | ||
| certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate | ||
| must be set to 'oidc.oidc-namespace'. | ||
|
|
||
| curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) | ||
| { | ||
| issuer: "https://oidc.example.com" (.url field) | ||
| } | ||
|
|
||
| discoveryURL must be different from url. | ||
| Required to be unique across all JWT authenticators. | ||
| Note that egress selection configuration is not used for this network connection. | ||
| type: string | ||
| url: | ||
| description: |- | ||
| url points to the issuer URL in a format https://url or https://url/path. | ||
| This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. | ||
| Same value as the --oidc-issuer-url flag. | ||
| Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL. | ||
| Required to be unique across all JWT authenticators. | ||
| Note that egress selection configuration is not used for this network connection. | ||
| type: string | ||
| required: | ||
| - url | ||
| type: object | ||
| userValidationRules: | ||
| items: | ||
| description: UserValidationRule provides the configuration | ||
| for a single user validation rule. | ||
| properties: | ||
| expression: | ||
| type: string | ||
| message: | ||
| type: string | ||
| required: | ||
| - expression | ||
| - message | ||
| type: object | ||
| type: array | ||
| required: | ||
| - claimMappings | ||
| - issuer | ||
| type: object | ||
| type: array | ||
| required: | ||
| - jwt | ||
| type: object | ||
| required: | ||
| - metadata | ||
| - spec | ||
| type: object | ||
| served: true | ||
| storage: true |
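Review bot: the `required` lists in this schema make fields mandatory that are meant to be alternatives: under `claimValidationRules` all four of `claim`, `expression`, `message` and `requiredValue` are required, and under `claimMappings.groups`, `claimMappings.username` and `claimMappings.uid` `claim` is required, so an expression-only mapping is rejected by the schema and every validation rule must carry both a `claim` and an `expression`. This looks like missing `omitempty`/`+optional` markers on the Go types controller-gen generates from; mark those fields optional in the types and enforce the claim-vs-expression exclusivity in validation code instead. Two smaller points in the same hunk: `issuer.audiences` is neither in the `required` list nor constrained with `minItems: 1`, so a configuration that names an issuer but no audience passes schema validation and any check of the `aud` claim would then rest on runtime validation alone; and several descriptions are copied verbatim from the kube-apiserver type and do not fit this CRD (the `discoveryURL` text refers to "the AuthenticationConfiguration", the `url` text to the `--oidc-issuer-url` flag and to "egress selection configuration"), while `certificateAuthority` has no description at all even though `discoveryURL` relies on it for TLS verification.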
With the second flag this looks strange now: 2 feature-gate flags. Should we maybe get a ticket to deprecate --shard-feature-gates in favor of --feature-gates and use one everywhere?
Because I needed to be able to control the feature independently between shard and front-proxy, because some tests are meant to ensure that the front-proxy does the authentication. That's why the sharded-test-server has a new CLI flag. The front-proxy's flag is called
--feature-gate, like the shard's CLI flag is. Only on the test server do we need 2 sets of feature gates, hence 2 CLI flags.