Support external issuer case

knative · Sep 28, 2023 · 4d29b8a · 4d29b8a
1 parent 18e62de
commit 4d29b8a
Showing 1 changed file with 41 additions and 2 deletions.
diff --git a/pkg/auth/token_handler.go b/pkg/auth/token_handler.go
@@ -18,6 +18,7 @@ package auth
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
@@ -58,7 +59,16 @@ func NewOIDCTokenHandler(ctx context.Context, kubeClient kubernetes.Interface, l
 func (c *OIDCTokenHandler) initProvider() error {
 	ctx := context.Background()
 
-	// TODO: setup http client for external issuer (e.g. load CA certs from a config-map)
+	oidcConfig, err := c.getKubernetesOIDCConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("could not load Kubernetes OIDC configuration: %w", err)
+	}
+
+	if oidcConfig.Issuer != KubernetesDefaultIssuer {
+		// in case we have another issuer as the api server:
+		ctx = oidc.InsecureIssuerURLContext(ctx, oidcConfig.Issuer)
+	}
+
 	httpClient, err := c.getHTTPClientForKubeAPIServer()
 	if err != nil {
 		return fmt.Errorf("could not get HTTP client with TLS certs of API server: %w", err)
@@ -71,7 +81,7 @@ func (c *OIDCTokenHandler) initProvider() error {
 		return fmt.Errorf("could not get OIDC provider: %w", err)
 	}
 
-	c.logger.Debug("updated OIDC provider config", zap.Any("provider", c.provider.Endpoint()))
+	c.logger.Debug("updated OIDC provider config")
 
 	return nil
 }
@@ -90,6 +100,27 @@ func (c *OIDCTokenHandler) getHTTPClientForKubeAPIServer() (*http.Client, error)
 	return client, nil
 }
 
+func (c *OIDCTokenHandler) getKubernetesOIDCConfiguration(ctx context.Context) (*openIDMetadata, error) {
+	req := c.kubeClient.Discovery().RESTClient().Get().RequestURI("/.well-known/openid-configuration")
+
+	res := req.Do(ctx)
+	if err := res.Error(); err != nil {
+		return nil, fmt.Errorf("could not execute request: %w", err)
+	}
+
+	body, err := res.Raw()
+	if err != nil {
+		return nil, fmt.Errorf("could not get response: %w", err)
+	}
+
+	openIdConfig := &openIDMetadata{}
+	if err := json.Unmarshal(body, openIdConfig); err != nil {
+		return nil, fmt.Errorf("could not unmarshall openid config: %w", err)
+	}
+
+	return openIdConfig, nil
+}
+
 // GetJWT returns a JWT from the given service account for the given audience.
 func (c *OIDCTokenHandler) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error) {
 	// TODO: check the cache
@@ -146,3 +177,11 @@ type IDToken struct {
 	IssuedAt        time.Time
 	AccessTokenHash string
 }
+
+type openIDMetadata struct {
+	Issuer        string   `json:"issuer"`
+	JWKSURI       string   `json:"jwks_uri"`
+	ResponseTypes []string `json:"response_types_supported"`
+	SubjectTypes  []string `json:"subject_types_supported"`
+	SigningAlgs   []string `json:"id_token_signing_alg_values_supported"`
+}