
Add ability to override jwks_url #8376

Open. Wants to merge 3 commits into base: main

Conversation


@KapilSareen KapilSareen commented Dec 8, 2024

Fixes #8348

Proposed Changes

  • Make jwks-uri configurable, allowing the default value to be overwritten by passing a value in JWKSURI in the feature config.
  • Default to an empty string (""), and use the JWKS URI provided by oidc-discovery-base-url if no jwks-uri is specified.

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

@knative-prow knative-prow bot requested review from Cali0707 and Leo6Leo December 8, 2024 21:00
@knative-prow knative-prow bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 8, 2024

knative-prow bot commented Dec 8, 2024

Welcome @KapilSareen! It looks like this is your first PR to knative/eventing 🎉


knative-prow bot commented Dec 8, 2024

Hi @KapilSareen. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@knative-prow knative-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 8, 2024

knative-prow bot commented Dec 8, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: KapilSareen
Once this PR has been reviewed and has the lgtm label, please assign leo6leo for approval. For more information see the Kubernetes Code Review Process.


@pierDipi
Member

/cc @creydr

@knative-prow knative-prow bot requested a review from creydr December 13, 2024 08:01
@maschmid
Contributor

We should probably have at least an oidc- prefix, so, maybe oidc-jwks-uri ?


codecov bot commented Dec 16, 2024

Codecov Report

Attention: Patch coverage is 40.00000% with 9 lines in your changes missing coverage. Please review.

Project coverage is 64.24%. Comparing base (414af5c) to head (850dfd8).

Files with missing lines Patch % Lines
pkg/apis/feature/features.go 50.00% 4 Missing and 2 partials ⚠️
pkg/auth/verifier.go 0.00% 3 Missing ⚠️
@@            Coverage Diff             @@
##             main    #8376      +/-   ##
==========================================
- Coverage   64.25%   64.24%   -0.02%     
==========================================
  Files         388      388              
  Lines       23313    23328      +15     
==========================================
+ Hits        14980    14986       +6     
- Misses       7539     7546       +7     
- Partials      794      796       +2     


Member

@creydr creydr left a comment


Thanks a lot @KapilSareen for your work on this 💪
I guess we need to update the getHTTPClient() method somehow too, to also set the TLS config for the JWKS uri in case oidc-discovery-base-url == "https://kubernetes.default.svc" && oidc-jwks-uri != "".

@KapilSareen
Author

Hi @creydr, thanks for the review! Do you think changing the getHTTPClient function as follows would resolve the issue?

func (v *Verifier) getHTTPClient(features feature.Flags) (*http.Client, error) {
	if features.OIDCDiscoveryBaseURL() == "https://kubernetes.default.svc" && features.JWKSURI() == "" {
		return v.getHTTPClientForKubeAPIServer()
	}

	var base = http.DefaultTransport.(*http.Transport).Clone()
	...
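An added illustration of the two points raised in this thread, written for this page and not taken from this PR or from knative/eventing: the override in the feature config takes precedence over the jwks_uri in the discovery document, and the TLS configuration is chosen from the host the verifier will actually contact for keys rather than only from oidc-discovery-base-url (which generalises the getHTTPClient() question above to the case where discovery is served by the API server but jwks_uri points elsewhere, or the reverse). The practitioner's caveat is that the override is a trust anchor: whoever can set it decides which public keys tokens are validated against, so it belongs in admin-controlled config and is restricted here to absolute https URLs. Flags, DiscoveryURL, ResolveJWKSURI, TransportFor and SampleDiscoveryDoc are assumptions made for the example; only the https://kubernetes.default.svc literal comes from the discussion.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// kubeAPIServerURL is the literal compared against in the PR discussion.
const kubeAPIServerURL = "https://kubernetes.default.svc"

// SampleDiscoveryDoc is a constructed OpenID Provider Metadata document in the
// shape the Kubernetes API server serves; the values are made up for this example.
const SampleDiscoveryDoc = `{
  "issuer": "https://kubernetes.default.svc.cluster.local",
  "jwks_uri": "https://kubernetes.default.svc/openid/v1/jwks",
  "response_types_supported": ["id_token"]
}`

// Flags is an assumed stand-in (not the project's type) for the two feature
// flags discussed in the PR. An empty OIDCJWKSURI means "use the discovery document".
type Flags struct {
	OIDCDiscoveryBaseURL string
	OIDCJWKSURI          string
}

// discoveryDoc is the subset of provider metadata the verifier needs.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// DiscoveryURL is where the discovery document is fetched from when no override is set.
func DiscoveryURL(f Flags) string {
	return strings.TrimSuffix(f.OIDCDiscoveryBaseURL, "/") + "/.well-known/openid-configuration"
}

// ResolveJWKSURI returns the URI the verifier will load signing keys from.
// The override wins over the discovery document, so it is a trust anchor:
// whoever sets it decides which keys tokens are validated against. It is
// therefore required to be an absolute https URL, and the discovery document
// is only consulted when no override is configured.
func ResolveJWKSURI(f Flags, discoveryJSON []byte) (*url.URL, error) {
	raw := f.OIDCJWKSURI
	if raw == "" {
		var d discoveryDoc
		if err := json.Unmarshal(discoveryJSON, &d); err != nil {
			return nil, fmt.Errorf("parsing discovery document from %s: %w", DiscoveryURL(f), err)
		}
		raw = d.JWKSURI
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid jwks uri %q: %w", raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, errors.New("jwks uri must be an absolute https URL, got " + raw)
	}
	return u, nil
}

// TransportFor picks the TLS configuration from the host that will actually be
// contacted for keys. A JWKS URI on the API server is verified against the
// cluster CA (clusterCA stands in for the CA read from the service account
// mount); any other host keeps the system roots. The bool reports which branch ran.
func TransportFor(jwks *url.URL, clusterCA *x509.CertPool) (*http.Transport, bool) {
	apiHost := strings.TrimPrefix(kubeAPIServerURL, "https://")
	t := http.DefaultTransport.(*http.Transport).Clone()
	if jwks.Hostname() == apiHost {
		t.TLSClientConfig = &tls.Config{RootCAs: clusterCA, MinVersion: tls.VersionTLS12}
		return t, true
	}
	return t, false
}

func main() {
	cases := []Flags{
		{OIDCDiscoveryBaseURL: kubeAPIServerURL},                                                // default: jwks_uri from discovery
		{OIDCDiscoveryBaseURL: kubeAPIServerURL, OIDCJWKSURI: "https://issuer.example.com/keys"}, // override to an external host
		{OIDCDiscoveryBaseURL: kubeAPIServerURL, OIDCJWKSURI: "http://issuer.example.com/keys"},  // rejected: plaintext
	}
	for _, f := range cases {
		u, err := ResolveJWKSURI(f, []byte(SampleDiscoveryDoc))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		_, kube := TransportFor(u, x509.NewCertPool())
		fmt.Printf("jwks=%s clusterCA=%t\n", u, kube)
	}
}
```

Keying the transport choice on the resolved JWKS host means the "discovery base URL is the API server but jwks-uri is set" combination discussed above needs no special case: the cluster CA is used exactly when the keys are fetched from the API server, whichever flag produced that URL.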

