Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement OIDC client AuthProvider #25270

Merged
merged 6 commits into from
May 20, 2016
Merged

Implement OIDC client AuthProvider #25270

merged 6 commits into from
May 20, 2016

Conversation

bobbyrullo
Copy link
Contributor

@bobbyrullo bobbyrullo commented May 6, 2016
edited
Loading

@erictune @cjcullen @liggitt @sym3tri @philips @ericchiang

fixes #18549

With this PR, kubectl and other RestClient's using the AuthProvider framework can make OIDC authenticated requests, and, if there is a refresh token present, the tokens will be refreshed as needed.

Analytics

@googlebot
Copy link

We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm.

@k8s-bot
Copy link

k8s-bot commented May 6, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

2 similar comments
@k8s-bot
Copy link

k8s-bot commented May 6, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-bot
Copy link

k8s-bot commented May 6, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/design Categorizes issue or PR as related to design. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. release-note-label-needed labels May 6, 2016
@k8s-github-robot k8s-github-robot assigned rmmh and ixdy and unassigned brendandburns and rmmh May 6, 2016
@ixdy ixdy removed their assignment May 6, 2016
@fabioy
Copy link
Contributor

fabioy commented May 9, 2016

@erictune Feel free to reassign as you see fit. Thank you.

@erictune
Copy link
Member

fyi, you can probably do a git rebase -i and delete all the commits that are not yours or CJ's.

erictune
erictune reviewed May 11, 2016
View reviewed changes
plugin/pkg/client/auth/oidc/oidc.go

clientConfig := restclient.Config{
TLSClientConfig: restclient.TLSClientConfig{
CAFile: cfg["idp-certifiate-authority"],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/certifiate/certificate

@erictune
Copy link
Member

The way this stores its config and refresh token in the .kube/config seems fine.

@bobbyrullo
Copy link
Contributor Author

Thanks for your comments @erictune; I'm going to rebase onto master now that CJ's changes are merged...If the comments get lost, I'll paste 'em back in.

@googlebot
Copy link

CLAs look good, thanks!

@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/design Categorizes issue or PR as related to design. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 11, 2016
@k8s-github-robot
Copy link

@yifan-gu
You must link to the test flake issue which caused you to request this manual re-test.
Re-test requests should be in the form of: k8s-bot test this issue: #<number>
Here is the list of open test flakes.

@bobbyrullo bobbyrullo force-pushed the deps branch 2 times, most recently from f4e8467 to e6f6776 Compare May 18, 2016 22:11
@yifan-gu
Copy link
Contributor

Applying LGTM according to #25270 (comment)

@yifan-gu yifan-gu added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 18, 2016
@yifan-gu
Copy link
Contributor

@k8s-bot ok to test

@erictune erictune assigned yifan-gu and unassigned erictune May 18, 2016
@yifan-gu
Copy link
Contributor

@k8s-bot test this issue: #25791

@erictune
Copy link
Member

I did an offline design discussion with @philips @bobbyrullo @sym3tri and I understand better how this PR will work.

They explained how my previous concerns were satisfied by this PR.

  • not using wierd apiserver refresh flow that seemed not OIDC compliant to me (at least to the spirit of the law)
    • not assuming a single client_secret for all instances of kubectl.
    • it will work with many IdPs, depending on how you configure it. different IdPs will support different modes.
  • they are going to document several ways to use this with different IdP implementations.

I am now fine with keeping the name the same.

I don't have time to review before deadine. I asked @sym3tri to review @bobbyrullo code, and @yifan-gu to manage the LGTM labels.

Ways to use this, as I now understand it:

  1. a single client_id/client_secret
    • should work with any IdP
    • typically for use in a single organization where there is not a need to separately track clients (apps),
      and where redirect URL attacks are protected by localhost redirect and the corporation restricting
      what software can run on the nodes to avoid redirect-url-MITMs.
    • client_id/secret is distributed as part of introducing users to the cluster (e.g. email telling you what to put in your .kube/config
    • using same client_id for kubectl and apiserver
    • with a single client_id allocated for the company/team and distributed offline ; for I am okay with the design and
  2. cross-client on Google
    • client_id for kubectl and different client_id for apiserver.
    • since Google only supports same-project client-ids, this is probably for a single organization, but they can at least get some benefit from the apiserver client_secret being confidential
    • other IdP may not support cross-client today, but maybe someday.
  3. cross-client on Dex
    • CoreOS working on something for Dex similar to Google cross-client
    • they plan to have good setup instructions in open source for Dex + Kubernetes, and for it to be a top choice as an on-prem IdP.
    • they may have a consent flow that is more customized to the kubernetes use case.

So, users have multiple IdP choices and the flow is OIDC-compliant.

@yifan-gu
Copy link
Contributor

@k8s-bot test this issue: #25791

Bobby Rullo added 5 commits May 18, 2016 17:02
Implement new OIDC client AuthProvider
f2135bd 
This commit handles:
     * Passing ID Token as Bearer token
     * Refreshing of tokens using refresh-tokens
     * Persisting refreshed tokens
     * ability to add arbitrary extra scopes via config
       * this is what enables the cross-client/azp stuff
Refactor test oidc provider into its own package
c990462 
This makes it easier to test other OIDC code.
add tests for newOIDCAuthProvider
e85940e
OIDC authprovider more testable, and add backoff
94ffa34 
* Use an interface for OIDC Client, so that we're testing the behavior
  of the client, not the go-oidc package itself
* add backoff and retry when server rejects token
add tests for the OIDC WrapTransport
f575f89 
tests that tokens gets refreshed, passed along as bearers, etc.
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 19, 2016
@yifan-gu yifan-gu added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 19, 2016
@k8s-bot
Copy link

k8s-bot commented May 19, 2016

GCE e2e build/test passed for commit f575f89.

@k8s-bot
Copy link

k8s-bot commented May 19, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@bobbyrullo
Copy link
Contributor Author

@brendandburns - could you please tag this as p1 and 1.3 as per the Effort tracking Spreadsheet? It keeps getting bumped in the queue....

@erictune erictune added this to the v1.3 milestone May 19, 2016
@mikedanese mikedanese merged commit 7170c89 into kubernetes:master May 20, 2016
@bobbyrullo
Copy link
Contributor Author

@erictune - I promised you some docs, but could use some guidance on where to put things.

Setting up OIDC on the API Server goes here, but not sure where to put the following:

  1. Document the structure of the AuthProvider config; this is a map[string]string whose configuration depends on the specific AuthProvider plugin. There's no precedence here, since AuthProvider is new. I could put a README.md in plugin/pkg/client/auth/oidc/. Does that sound good? ( @cjcullen ?)

  2. Notes on secure deployment of OIDC in your cluster (the stuff we talked about, @erictune ) - This makes sense to go in http://kubernetes.io/docs/admin/authentication as well yes? Maybe a separate document linked from the root auth page?

@cjcullen
Copy link
Member

Re 1) I think a README next to the plugin with the meanings of the config fields is good. I should also put one together for the GCP plugin.

@pwittrock
Copy link
Member

@bobbyrullo
@erictune
@yifan-gu

Would you provide an update on the status for the documentation for this feature as well as add any PRs as they are created?

Not Started / In Progress / In Review / Done

Thanks
@pwittrock

@erictune
Copy link
Member

erictune commented Jul 7, 2016

Done:
https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/admin/authentication.md

hanikesn
hanikesn reviewed Aug 15, 2016
View reviewed changes
plugin/pkg/client/auth/oidc/oidc.go
return nil, errors.New("Must provide idp-issuer-url")
}

providerCfg, err := oidc.FetchProviderConfig(hc, strings.TrimSuffix(issuer, "/"))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bobbyrullo This seems to create the same issues as #29749

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bobbyrullo This seems to create the same issues as #29749

@ericchiang not sure if there's something you need to do here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I haven't looked at this code for a second. Will send a PR to not trim the trailing slash.

openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Jul 14, 2020
@k8s-publishing-bot
Merge pull request kubernetes#25270 from soltysh/debug_pr
87690b6 
FIx CI for 3.11

Origin-commit: 64b44fbcfe4b692474a72d1ce2fa13c53a48ec85
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@yifan-gu yifan-gu

Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.

Refresh Tokens