From 779a5c26dac3557a09df179f23b7f03b6453e001 Mon Sep 17 00:00:00 2001
From: Karol Szwaj
Date: Wed, 12 Feb 2025 15:24:30 +0100
Subject: [PATCH 1/2] enable structured authentication config flag
Signed-off-by: Karol Szwaj
---
 pkg/server/options/flags.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/pkg/server/options/flags.go b/pkg/server/options/flags.go
index 9323cad7496..79393666d16 100644
--- a/pkg/server/options/flags.go
+++ b/pkg/server/options/flags.go
@@ -59,6 +59,7 @@ var (
 // authentication flags
 "anonymous-auth", // Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.
 "api-audiences", // Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL.
+ "authentication-config", // File with Authentication Configuration to configure the JWT Token authenticator. Note: This feature is in Alpha since v1.29.--feature-gate=StructuredAuthenticationConfiguration=true needs to be set for enabling this feature.This feature is mutually exclusive with the oidc-* flags.
 "authentication-token-webhook-cache-ttl", // The duration to cache responses from the webhook token authenticator.
 "authentication-token-webhook-config-file", // File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
 "authentication-token-webhook-version", // The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook
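Review bot: The trailing comment on the added `"authentication-config"` entry still carries the upstream help text's claim that the feature is Alpha and needs `--feature-gate=StructuredAuthenticationConfiguration=true`, while the dex guide in PATCH 2/2 starts kcp with `--authentication-config auth-config.yaml` and no feature gate, so one of the two is out of date for this tree. If the gate is no longer required here, the comment should drop that sentence, e.g. `"authentication-config", // File with Authentication Configuration to configure the JWT Token authenticator. This feature is mutually exclusive with the oidc-* flags.`; if it is still required, the guide should set it. Whether a flag that is allowed by this list but gated off is rejected at startup or silently ignored is decided outside this hunk, so it is worth confirming before the guide is published. The enclosing `var (` list starts before the hunk.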
@@ -200,9 +201,5 @@ var (
 // logs flags
 "log-text-info-buffer-size", // [Alpha] In text format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). Enable the LoggingAlphaOptions feature gate to use this.
 "log-text-split-stream", // [Alpha] In text format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. Enable the LoggingAlphaOptions feature gate to use this.
-
- // authentication flags
- // TODO(embik): look at enabling this feature.
- "authentication-config", // File with Authentication Configuration to configure the JWT Token authenticator. Note: This feature is in Alpha since v1.29.--feature-gate=StructuredAuthenticationConfiguration=true needs to be set for enabling this feature.This feature is mutually exclusive with the oidc-* flags.
 )
 )
From 0cdf9191835059464cbd587ac9d680ee368392b9 Mon Sep 17 00:00:00 2001
From: Karol Szwaj
Date: Thu, 13 Feb 2025 12:31:38 +0100
Subject: [PATCH 2/2] add structured auth config example to dex guide
Signed-off-by: Karol Szwaj
On-behalf-of: @SAP karol.szwaj@sap.com
---
 contrib/kcp-dex/README.md | 39 +++++++++++++++++++++++++++++++-
 contrib/kcp-dex/auth-config.yaml | 21 +++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 contrib/kcp-dex/auth-config.yaml
diff --git a/contrib/kcp-dex/README.md b/contrib/kcp-dex/README.md
index 391d5b0d1f4..bc202db4494 100644
--- a/contrib/kcp-dex/README.md
+++ b/contrib/kcp-dex/README.md
@@ -25,7 +25,9 @@ GOBIN=$(pwd)/bin go install github.com/mjudeikis/genkey
 ### KCP
-Start kcp with oidc enabled:
+Start kcp with oidc enabled, you can either use the OIDC flags or structured authentication configuration from a file. Example configuration is shown in `auth-config.yaml`.
+
+## OIDC Flags
 ```bash
 go run ./cmd/kcp start \
@@ -35,6 +37,41 @@ go run ./cmd/kcp start \
 --oidc-ca-file=127.0.0.1.pem
 ```
+## Structured Authentication Config
+
+```bash
+CA_CERT=$(openssl x509 -in 127.0.0.1.pem | sed 's/^/ /')
+```
+```bash
+cat << EOF_AuthConfig > auth-config.yaml
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+ url: https://127.0.0.1:5556/dex
+ certificateAuthority: |
+$CA_CERT
+ audiences:
+ - kcp-dev
+ audienceMatchPolicy: MatchAny
+ claimMappings:
+ username:
+ claim: "email"
+ prefix: ""
+ groups:
+ claim: "groups"
+ prefix: ""
+ claimValidationRules: []
+ userValidationRules: []
+EOF_AuthConfig
+```
+
+Start a kcp server:
+
+```bash
+./bin/kcp start --authentication-config auth-config.yaml
+```
+
 ### Login
 Use oidc plugin:
diff --git a/contrib/kcp-dex/auth-config.yaml b/contrib/kcp-dex/auth-config.yaml
new file mode 100644
index 00000000000..a724d0a1f28
--- /dev/null
+++ b/contrib/kcp-dex/auth-config.yaml
@@ -0,0 +1,21 @@
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+ url: https://127.0.0.1:5556/dex
+ certificateAuthority: |
+ -----BEGIN CERTIFICATE-----
+ enter your certificate here
+ -----END CERTIFICATE-----
+ audiences:
+ - kcp-dev
+ audienceMatchPolicy: MatchAny
+ claimMappings:
+ username:
+ claim: "email"
+ prefix: ""
+ groups:
+ claim: "groups"
+ prefix: ""
+ claimValidationRules: []
+ userValidationRules: []
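Review bot: The new `auth-config.yaml` maps the Dex `email` and `groups` claims with `prefix: ""` and leaves `userValidationRules: []`, so any `system:`-prefixed value the identity provider emits in those claims would become a kcp username or group unchanged; the README heredoc earlier in this patch repeats the same block. The structured authentication configuration supports `userValidationRules` entries with a CEL `expression` for exactly this case, and a config that readers copy into a real deployment should either use a non-empty prefix or carry a rule such as `- expression: "!user.username.startsWith('system:') && !user.groups.exists(g, g.startsWith('system:'))"` with a `message: "system: prefixed identities are reserved"`. Since this file is presented as the template to copy, it is better to ship that rule (or at least a comment pointing to it) here than an empty list.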