enables overriding jwks_url
KapilSareen committed Dec 8, 2024
1 parent bff7b03 commit fd5e09e
Showing 5 changed files with 28 additions and 0 deletions.
19 changes: 19 additions & 0 deletions pkg/apis/feature/features.go
Expand Up @@ -71,6 +71,9 @@ const (
// DefaultRequestReplyTimeout is a value for RequestReplyDefaultTimeout that indicates to timeout
// a RequestReply resource after 30 seconds by default.
DefaultRequestReplyTimeout Flag = "30s"

// DefaultJWKSURI is the default JWKS URI used in most Kubernetes clusters.
DefaultJWKSURI Flag = ""
)

// Flags is a map containing all the enabled/disabled flags for the experimental features.
Expand All @@ -90,6 +93,7 @@ func newDefaults() Flags {
AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
OIDCDiscoveryBaseURL: DefaultOIDCDiscoveryBaseURL,
RequestReplyDefaultTimeout: DefaultRequestReplyTimeout,
JWKSURI: DefaultJWKSURI,
}
}

Expand Down Expand Up @@ -169,6 +173,19 @@ func (e Flags) RequestReplyDefaultTimeout() string {
return string(timeout)
}

func (e Flags) JWKSURI() string {
if e == nil {
return string(DefaultJWKSURI)
}

jwksURI, ok := e[JWKSURI]
if !ok {
return string(DefaultJWKSURI)
}

return string(jwksURI)
}

func (e Flags) String() string {
return fmt.Sprintf("%+v", map[string]Flag(e))
}
Expand Down Expand Up @@ -220,6 +237,8 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
flags[sanitizedKey] = AuthorizationAllowSameNamespace
} else if strings.Contains(k, NodeSelectorLabel) || sanitizedKey == OIDCDiscoveryBaseURL {
flags[sanitizedKey] = Flag(v)
} else if sanitizedKey == JWKSURI {
flags[sanitizedKey] = Flag(v)
} else {
flags[k] = Flag(v)
log.Printf("Warning: unknown feature flag value %q=%q\n", k, v)
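Review bot: The new `else if sanitizedKey == JWKSURI` branch in NewFlagsConfigFromMap stores the value unvalidated, so a malformed or plain-http `jwks-uri` is accepted and later replaces the key endpoint taken from the discovery document; since this value decides where token signing keys are fetched from, parse it and require an https URL before accepting it (this needs `net/url`, which may have to be imported). If no validation is wanted, the branch is identical to the preceding one and should be folded into it with `|| sanitizedKey == JWKSURI`. The `DefaultJWKSURI` comment says it is "the default JWKS URI used in most Kubernetes clusters" but the value is the empty string, which the verifier treats as "no override"; suggest `// DefaultJWKSURI is empty, meaning the jwks_uri from the OIDC discovery document is used.` The exported `JWKSURI()` method also lacks a doc comment, e.g. `// JWKSURI returns the configured JWKS URI override, or "" when unset.` NewFlagsConfigFromMap begins and ends outside the hunk.
```go
} else if sanitizedKey == JWKSURI {
	// The JWKS URI decides where signing keys are fetched from; accept only an https URL (empty means no override).
	if v != "" {
		if u, err := url.Parse(v); err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("invalid %s %q: must be an https URL", JWKSURI, v)
		}
	}
	flags[sanitizedKey] = Flag(v)
} else {
	// … unchanged: unknown-flag warning …
```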
2 changes: 2 additions & 0 deletions pkg/apis/feature/features_test.go
Expand Up @@ -63,6 +63,8 @@ func TestGetFlags(t *testing.T) {
require.Equal(t, expectedNodeSelector, nodeSelector)

require.Equal(t, flags.OIDCDiscoveryBaseURL(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1")

require.Equal(t, flags.JWKSURI(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk")
}

func TestShouldNotOverrideDefaults(t *testing.T) {
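Review bot: The new assertion only covers the configured case; the defaulting paths of `JWKSURI()` (nil receiver and missing key, both returning "") are untested. A one-line check in TestShouldNotOverrideDefaults such as `require.Equal(t, "", flags.JWKSURI())` (assuming that test builds a `flags` value without `jwks-uri`) would pin the override-off behaviour the verifier relies on. TestGetFlags starts outside the hunk.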
1 change: 1 addition & 0 deletions pkg/apis/feature/flag_names.go
Expand Up @@ -30,4 +30,5 @@ const (
AuthorizationDefaultMode = "default-authorization-mode"
OIDCDiscoveryBaseURL = "oidc-discovery-base-url"
RequestReplyDefaultTimeout = "requestreply-default-timeout"
JWKSURI = "jwks-uri"
)
1 change: 1 addition & 0 deletions pkg/apis/feature/testdata/config-features.yaml
Expand Up @@ -30,3 +30,4 @@ data:
apiserversources-nodeselector-testkey1: testvalue1
apiserversources-nodeselector-testkey2: testvalue2
oidc-discovery-base-url: "https://oidc.eks.eu-west-1.amazonaws.com/id/1"
jwks-uri: "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk"
5 changes: 5 additions & 0 deletions pkg/auth/verifier.go
Expand Up @@ -329,6 +329,11 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
return nil, fmt.Errorf("could not unmarshall openid config: %w", err)
}

// overwrite jwk uri if it is set in the feature flags
if features.JWKSURI() != "" {
openIdConfig.JWKSURI = features.JWKSURI()
}

return openIdConfig, nil
}

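Review bot: `features.JWKSURI()` is evaluated twice in the new block; binding it once is cheaper and keeps the override value available for logging, `if jwksURI := features.JWKSURI(); jwksURI != "" { openIdConfig.JWKSURI = jwksURI }`. Because this override redirects key fetching away from the endpoint the issuer's discovery document advertises, it is worth logging with whatever logger this package already uses so the effective key source shows up in audit trails, and the comment could say so explicitly: `// The configured jwks-uri is trusted operator configuration and replaces the discovered jwks_uri; log it so the key source is auditable.` getKubernetesOIDCDiscovery starts outside the hunk.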

0 comments on commit fd5e09e

Please sign in to comment.