From 4d2399c37643c262840df460d05ec4dc88a4d1cd Mon Sep 17 00:00:00 2001 From: Cesar Celis Hernandez Date: Tue, 18 Jun 2024 13:30:12 -0400 Subject: [PATCH] Using k8s idp instead of providing console-sa --- api/config.go | 16 +++++++++------- api/config_test.go | 2 +- api/login.go | 12 ++++++++++-- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/api/config.go b/api/config.go index ae107322401..aa1b0ee97b9 100644 --- a/api/config.go +++ b/api/config.go @@ -18,12 +18,13 @@ package api import ( "crypto/x509" - "io/ioutil" "net" "strconv" "strings" "time" + "k8s.io/klog/v2" + "github.com/minio/operator/pkg/auth/idp/oauth2" xcerts "github.com/minio/pkg/certs" @@ -60,14 +61,15 @@ var ( GlobalTLSCertsManager *xcerts.Manager ) -// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the -// /var/run/secrets/kubernetes.io/serviceaccount/token file -func getK8sSAToken() string { - dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") - if err != nil { +// getK8sSAToken assumes the plugin is running inside a k8s pod and gets the token directly from IdP as id_token +// if id_token is valid token for k8s, then user will have access as described in k8s documentation: +// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens +func getK8sSAToken(token string) string { + if token == "" { + klog.Warning("we no longer provide console-sa access token but rather your should consider configuring k8s idp to get the token in a production environment") return env.Get(OperatorSAToken, "") } - return string(dat) + return token } // Get Marketplace deployment platform diff --git a/api/config_test.go b/api/config_test.go index 113a9ac0d82..e9e15e8ae24 100644 --- a/api/config_test.go +++ b/api/config_test.go @@ -47,7 +47,7 @@ func Test_getK8sSAToken(t *testing.T) { os.Setenv(k, v) } } - if got := getK8sSAToken(); got != tt.want { + if got := getK8sSAToken(""); got != tt.want { t.Errorf("getK8sSAToken() = %v, want %v", got, tt.want) } if tt.envs != nil { diff --git a/api/login.go b/api/login.go index 5c70cc73ba7..792ca8e8423 100644 --- a/api/login.go +++ b/api/login.go @@ -184,14 +184,22 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L KeyFunc: oauth2.DefaultDerivedKey, Client: oauth2Client, } + + // Pointer to extract the whole token from IdP + var oauth2Token *xoauth2.Token + // Validate user against IDP - _, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State) + oauth2Token, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State) if err != nil { return nil, ErrorWithContext(ctx, err) } + + // The extraction of id_token alone + idToken := oauth2Token.Extra("id_token") + // If we pass here that means the IDP correctly authenticate the user with the operator resource // we proceed to use the service account token configured in the operator-console pod - creds, err := newConsoleCredentials(getK8sSAToken()) + creds, err := newConsoleCredentials(getK8sSAToken(idToken.(string))) if err != nil { return nil, ErrorWithContext(ctx, err) }