Wire in WebhookTokenAutenticator support

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

pkg/cmd/server/apis/config/helpers.go

@@ -238,6 +238,10 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 		refs = append(refs, &config.AuthConfig.RequestHeader.ClientCA)
 	}
 
+	for _, wta := range config.AuthConfig.WebhookTokenAuthenticators {
+		refs = append(refs, &wta.WebhookTokenAuthnConfigFile)
+	}
+
 	refs = append(refs, &config.AggregatorConfig.ProxyClientInfo.CertFile)
 	refs = append(refs, &config.AggregatorConfig.ProxyClientInfo.KeyFile)
 

pkg/cmd/server/apis/config/types.go

@@ -399,6 +399,7 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig
 
@@ -446,6 +447,8 @@ type MasterConfig struct {
 type MasterAuthConfig struct {
 	// RequestHeader holds options for setting up a front proxy against the the API.  It is optional.
 	RequestHeader *RequestHeaderAuthenticationOptions
+	// WebhookTokenAuthnConfig, if present configures remote token reviewers
+	WebhookTokenAuthenticators []WebhookTokenAuthenticator
 }
 
 // RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire
@@ -828,6 +831,15 @@ type DNSConfig struct {
 	AllowRecursiveQueries bool
 }
 
+type WebhookTokenAuthenticator struct {
+	// WebhookTokenAuthnConfigFile is a path to a Kubeconfig file with the webhook configuration
+	WebhookTokenAuthnConfigFile string
+	// WebhookTokenAuthnCacheTTL indicates how long an authentication result should be cached.
+	// It takes a valid time duration string (e.g. "5m").
+	// If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled
+	WebhookTokenAuthnCacheTTL string
+}
+
 type OAuthConfig struct {
 	// MasterCA is the CA for verifying the TLS connection back to the MasterURL.
 	// "" to use system roots, set to use custom roots, never nil (guaranteed by conversion defaults)

pkg/cmd/server/apis/config/v1/types.go

@@ -247,6 +247,7 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig `json:"etcdConfig"`
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig `json:"oauthConfig"`
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig `json:"dnsConfig"`
 
@@ -294,6 +295,8 @@ type MasterConfig struct {
 type MasterAuthConfig struct {
 	// RequestHeader holds options for setting up a front proxy against the the API.  It is optional.
 	RequestHeader *RequestHeaderAuthenticationOptions `json:"requestHeader"`
+	// WebhookTokenAuthnConfig, if present configures remote token reviewers
+	WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators"`
 }
 
 // RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire
@@ -711,6 +714,17 @@ type DNSConfig struct {
 	AllowRecursiveQueries bool `json:"allowRecursiveQueries"`
 }
 
+// WebhookTokenAuthenticators holds the necessary configuation options for
+// external token authenticators
+type WebhookTokenAuthenticator struct {
+	// WebhookTokenAuthnConfigFile is a path to a Kubeconfig file with the webhook configuration
+	WebhookTokenAuthnConfigFile string `json:"webhookTokenAuthnConfigFile"`
+	// WebhookTokenAuthnCacheTTL indicates how long an authentication result should be cached.
+	// It takes a valid time duration string (e.g. "5m").
+	// If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled
+	WebhookTokenAuthnCacheTTL string `json:"webhookTokenAuthnCacheTTL"`
+}
+
 // OAuthConfig holds the necessary configuration options for OAuth authentication
 type OAuthConfig struct {
 	// MasterCA is the CA for verifying the TLS connection back to the MasterURL.

pkg/cmd/server/apis/config/v1/zz_generated.deepcopy.go

@@ -192,6 +192,24 @@ func ValidateMasterAuthConfig(config configapi.MasterAuthConfig, fldPath *field.
 		validationResults.AddErrors(field.Required(fldPath.Child("requestHeader.extraHeaderPrefixes"), "must be specified for a secure connection"))
 	}
 
+	for _, wta := range config.WebhookTokenAuthenticators {
+		webhookTokenAuthnConfigFile := fldPath.Child("webhookTokenAuthenticators", "webhookTokenAuthnConfigFile")
+		if len(wta.WebhookTokenAuthnConfigFile) == 0 {
+			validationResults.AddErrors(field.Required(webhookTokenAuthnConfigFile, ""))
+		} else {
+			validationResults.AddErrors(ValidateFile(wta.WebhookTokenAuthnConfigFile, webhookTokenAuthnConfigFile)...)
+		}
+
+		webhookTokenAuthnCacheTTL := fldPath.Child("webhookTokenAuthenticators", "webhookTokenAuthnCacheTTL")
+		if len(wta.WebhookTokenAuthnCacheTTL) == 0 {
+			validationResults.AddErrors(field.Required(webhookTokenAuthnCacheTTL, ""))
+		} else if ttl, err := time.ParseDuration(wta.WebhookTokenAuthnCacheTTL); err != nil {
+			validationResults.AddErrors(field.Invalid(webhookTokenAuthnCacheTTL, wta.WebhookTokenAuthnCacheTTL, fmt.Sprintf("%v", err)))
+		} else if ttl < 0 {
+			validationResults.AddErrors(field.Invalid(webhookTokenAuthnCacheTTL, wta.WebhookTokenAuthnCacheTTL, "cannot be less than zero"))
+		}
+	}
+
 	return validationResults
 }
 

pkg/cmd/server/apis/config/validation/master.go

@@ -588,7 +588,7 @@ func BuildKubernetesMasterConfig(
 
 func defaultOpenAPIConfig(config configapi.MasterConfig) *openapicommon.Config {
 	securityDefinitions := spec.SecurityDefinitions{}
-	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
+	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 || len(config.AuthConfig.WebhookTokenAuthenticators) > 0 {
 		securityDefinitions["BearerToken"] = &spec.SecurityScheme{
 			SecuritySchemeProps: spec.SecuritySchemeProps{
 				Type:        "apiKey",

pkg/cmd/server/apis/config/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ import (
 	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	kclientsetexternal "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
@@ -108,6 +109,18 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			group.NewTokenGroupAdder(oauthTokenAuthenticator, []string{bootstrappolicy.AuthenticatedOAuthGroup}))
 	}
 
+	for _, wta := range config.AuthConfig.WebhookTokenAuthenticators {
+		ttl, err := time.ParseDuration(wta.WebhookTokenAuthnCacheTTL)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Error converting WebhookTokenAuthnCacheTTL='%s' to duration", wta.WebhookTokenAuthnCacheTTL)
+		}
+		webhookTokenAuthenticator, err := webhooktoken.New(wta.WebhookTokenAuthnConfigFile, ttl)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Failed to create authenticator for WebhookTokenAuthnConfigFile='%s'", wta.WebhookTokenAuthnConfigFile)
+		}
+		tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuthenticator)
+	}
+
 	if len(tokenAuthenticators) > 0 {
 		// Combine all token authenticators
 		tokenAuth := tokenunion.New(tokenAuthenticators...)