The option to autoconfigure Kubernetes API server as oauth authorization server, and to use service account tokens #10260
Thanks @mstruk
public boolean isCheckAccessTokenType() { | ||
public Boolean getCheckAccessTokenType() { | ||
return checkAccessTokenType; | ||
} | ||
|
||
public void setCheckAccessTokenType(boolean checkAccessTokenType) { | ||
public void setCheckAccessTokenType(Boolean checkAccessTokenType) { |
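Review bot: The getter now returns a boxed `Boolean`, so `getCheckAccessTokenType()` can return null, and nothing in this hunk says what null means for the access token type check. A caller that unboxes the result will throw a NullPointerException when the field is unset, and a caller that tests `Boolean.TRUE.equals(...)` would silently skip the check. Document the null case on the getter, and have consumers resolve null to the check being performed so that omitting the option never weakens token validation.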
This is a breaking change in the `api` module. Maybe we're OK with that, but it deserves discussion.
this.includeAcceptHeader = includeAcceptHeader; | ||
} | ||
|
||
@Description("Whether to automatically configure the listener to use fast local token validation using Kubernetes API server as the authorization server.") |
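Review bot: The `@Description` text on the new option does not state its default value or what the listener accepts once the option is enabled. Because the option makes the Kubernetes API server the authorization server, the description should say in plain terms which tokens will then authenticate (service account tokens, per the PR title) and what the setting is when the field is left out.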
Is 'fast local token validation' a term of art? We should perhaps explain what it means.
if (oauth.isConfigureServiceAccountAuth()) { | ||
oauth = normalizeClientAuthenticationOAuthForValidation(oauth); | ||
} |
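Review bot: Reassigning `oauth` to the result of `normalizeClientAuthenticationOAuthForValidation(oauth)` means any code after this block sees the normalized copy under the same name as the user-supplied object. Binding the result to a separate local (for example `effectiveOauth`) would make it clear which of the two objects later validation and its error messages refer to.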
Since `normalize...()` calls `isConfigureServiceAccountAuth` itself anyway, maybe better drop the guard here and rename normalize to `maybeNormalize...()`.
* @return The copy of 'oauth' object with changes or the original 'oauth' if no changes were needed | ||
*/ | ||
private static KafkaClientAuthenticationOAuth normalizeClientAuthenticationOAuthForValidation(KafkaClientAuthenticationOAuth oauth) { | ||
if (oauth.isConfigureServiceAccountAuth()) { |
You should, at a minimum, be documenting both of those properties to explain how the boolean one overrides the location, and that the location will be ignored if the boolean is true. The current doc is not clear enough imho and could lead to user confusion ("why is my location being ignored?"). Better would be to log a warning if the flag is true and the location is set.
Signed-off-by: Marko Strukelj <[email protected]>
Config option `configureServiceAccountAuth` is introduced to `oauth` authentication for the listener and the client. Signed-off-by: Marko Strukelj <[email protected]>
…oconfigure changes are needed Signed-off-by: Marko Strukelj <[email protected]>
Put on hold for now.
This is an alternative implementation to #9657.
Rather than introducing a new authentication method, the existing `oauth` authentication is used to support easy autoconfiguration for the Kubernetes API server case by introducing additional listener and client config option `configureServiceAccountAuth` on `oauth` authentication.