Using k8s idp instead of providing console-sa
cniackz committed Jun 18, 2024
1 parent cabe56d commit 4d2399c
Showing 3 changed files with 20 additions and 10 deletions.
16 changes: 9 additions & 7 deletions api/config.go
Expand Up @@ -18,12 +18,13 @@ package api

import (
"crypto/x509"
"io/ioutil"
"net"
"strconv"
"strings"
"time"

"k8s.io/klog/v2"

"github.com/minio/operator/pkg/auth/idp/oauth2"

xcerts "github.com/minio/pkg/certs"
Expand Down Expand Up @@ -60,14 +61,15 @@ var (
GlobalTLSCertsManager *xcerts.Manager
)

// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the
// /var/run/secrets/kubernetes.io/serviceaccount/token file
func getK8sSAToken() string {
dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
if err != nil {
// getK8sSAToken assumes the plugin is running inside a k8s pod and gets the token directly from IdP as id_token
// if id_token is valid token for k8s, then user will have access as described in k8s documentation:
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
func getK8sSAToken(token string) string {
if token == "" {
klog.Warning("we no longer provide console-sa access token but rather your should consider configuring k8s idp to get the token in a production environment")
return env.Get(OperatorSAToken, "")
}
return string(dat)
return token
}

// Get Marketplace deployment platform
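Review bot: The new getK8sSAToken silently falls back to the OperatorSAToken environment value whenever the caller passes an empty string, so a login where the id_token could not be extracted still proceeds with the operator's own service-account credentials instead of failing closed; the fallback should be an explicit, documented choice rather than the default for "", and the env path deserves a comment saying it remains a privileged credential. The doc comment also no longer matches the code: the function does not talk to the IdP, it only returns what its caller hands it, so `// getK8sSAToken returns token when it is non-empty; otherwise it logs a warning and falls back to the OperatorSAToken environment variable.` would be accurate. The warning string has a typo, `your should` should read `you should`. The same empty-string handling is what the login.go hunk relies on, see the note there.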
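--- a/api/config_test.go
+++ b/api/config_test.go
@@ -47,7 +47,7 @@ func Test_getK8sSAToken(t *testing.T) {
 os.Setenv(k, v)
 }
 }
-if got := getK8sSAToken(); got != tt.want {
+if got := getK8sSAToken(""); got != tt.want {
 t.Errorf("getK8sSAToken() = %v, want %v", got, tt.want)
 }
 if tt.envs != nil {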
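Review bot: The updated call only exercises the empty-token path of getK8sSAToken; the new branch that returns a caller-supplied token untouched, and that ignores the OperatorSAToken environment value when doing so, has no case. Add a check alongside the table such as `if got := getK8sSAToken("sample-token"); got != "sample-token" { t.Errorf("getK8sSAToken(non-empty) = %v", got) }` (sample value constructed for the note) so a regression in the pass-through, or an accidental env override, is caught. Test_getK8sSAToken starts and ends outside the hunk.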
12 changes: 10 additions & 2 deletions api/login.go
Expand Up @@ -184,14 +184,22 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L
KeyFunc: oauth2.DefaultDerivedKey,
Client: oauth2Client,
}

// Pointer to extract the whole token from IdP
var oauth2Token *xoauth2.Token

// Validate user against IDP
_, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
oauth2Token, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
if err != nil {
return nil, ErrorWithContext(ctx, err)
}

// The extraction of id_token alone
idToken := oauth2Token.Extra("id_token")

// If we pass here that means the IDP correctly authenticate the user with the operator resource
// we proceed to use the service account token configured in the operator-console pod
creds, err := newConsoleCredentials(getK8sSAToken())
creds, err := newConsoleCredentials(getK8sSAToken(idToken.(string)))
if err != nil {
return nil, ErrorWithContext(ctx, err)
}
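Review bot: `idToken.(string)` on the newConsoleCredentials line is an unchecked type assertion: oauth2Token.Extra returns nil when the provider's response carries no id_token, so the assertion panics and the login request fails with a runtime panic rather than a controlled error. Use the comma-ok form, `idToken, ok := oauth2Token.Extra("id_token").(string)`, and when `!ok || idToken == ""` return through ErrorWithContext instead of passing the empty value on, since getK8sSAToken treats "" as a signal to fall back to the operator's own service-account token from the environment. It is also worth confirming that verifyUserAgainstIDP never returns a nil token together with a nil error, because oauth2Token is dereferenced immediately after the error check. getLoginOauth2AuthResponse starts and ends outside the hunk.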
