c/k/app,pkg/{authn,server}: use upstream oidc opts

README.md

@@ -109,7 +109,7 @@ Proxy flags:
 OIDC flags:
 
       --oidc-ca-file string           If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
-      --oidc-clientID string          The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
+      --oidc-clientID strings         The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
       --oidc-groups-claim string      Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
       --oidc-groups-prefix string     If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
       --oidc-issuer string            The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).

cmd/kube-rbac-proxy/app/kube-rbac-proxy.go

@@ -32,11 +32,13 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	waitgroup "k8s.io/apimachinery/pkg/util/waitgroup"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/union"
 	kubefilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	serverconfig "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	k8sapiflag "k8s.io/component-base/cli/flag"
@@ -47,7 +49,6 @@ import (
 	"k8s.io/klog/v2"
 
 	"github.com/brancz/kube-rbac-proxy/cmd/kube-rbac-proxy/app/options"
-	"github.com/brancz/kube-rbac-proxy/pkg/authn"
 	"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 	"github.com/brancz/kube-rbac-proxy/pkg/authorization/path"
 	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
@@ -195,14 +196,14 @@ func Run(cfg *server.KubeRBACProxyConfig) error {
 
 	var authenticator authenticator.Request
 	// If OIDC configuration provided, use oidc authenticator
-	if cfg.KubeRBACProxyInfo.OIDC.IssuerURL != "" {
-		oidcAuthenticator, err := authn.NewOIDCAuthenticator(ctx, cfg.KubeRBACProxyInfo.OIDC)
+	if cfg.KubeRBACProxyInfo.HasOIDCSetup() {
+		tokenAuthenticator, err := oidc.New(ctx, *cfg.KubeRBACProxyInfo.OIDC)
 		if err != nil {
-			return fmt.Errorf("failed to instantiate OIDC authenticator: %w", err)
+			return fmt.Errorf("setting up oidc failed: %w", err)
 		}
 
-		go oidcAuthenticator.Run(ctx)
-		authenticator = oidcAuthenticator
+		go cfg.KubeRBACProxyInfo.OIDCDynamicCAContent.Run(ctx, 1)
+		authenticator = bearertoken.New(tokenAuthenticator)
 	} else {
 		authenticator = cfg.DelegatingAuthentication.Authenticator
 	}

cmd/kube-rbac-proxy/app/options/oidcoptions.go

@@ -17,26 +17,41 @@ limitations under the License.
 package options
 
 import (
-	"github.com/brancz/kube-rbac-proxy/pkg/authn"
+	"fmt"
+
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+
 	"github.com/brancz/kube-rbac-proxy/pkg/server"
+
 	"github.com/spf13/pflag"
 )
 
 type OIDCOptions struct {
-	*authn.OIDCConfig
+	oidc.Options
+
+	CAFile string
 }
 
 func (o *OIDCOptions) AddFlags(flagset *pflag.FlagSet) {
 	//Authn OIDC flags
-	flagset.StringVar(&o.IssuerURL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
-	flagset.StringVar(&o.ClientID, "oidc-clientID", "", "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
-	flagset.StringVar(&o.UsernameClaim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
-	flagset.StringVar(&o.GroupsClaim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
-	flagset.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
-	flagset.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
+	flagset.StringVar(&o.JWTAuthenticator.Issuer.URL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+	flagset.StringSliceVar(&o.JWTAuthenticator.Issuer.Audiences, "oidc-clientID", []string{}, "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+	flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Username.Claim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
+	flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Groups.Claim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
 	flagset.StringArrayVar(&o.SupportedSigningAlgs, "oidc-sign-alg", []string{"RS256"}, "Supported signing algorithms, default RS256")
 	flagset.StringVar(&o.CAFile, "oidc-ca-file", "", "If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.")
 
+	uprefix := flagset.String("oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
+	if uprefix != nil {
+		o.JWTAuthenticator.ClaimMappings.Username.Prefix = uprefix
+	}
+
+	gprefix := flagset.String("oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
+	if gprefix != nil {
+		o.JWTAuthenticator.ClaimMappings.Groups.Prefix = gprefix
+	}
+
 }
 
 func (o *OIDCOptions) Validate() []error {
@@ -45,6 +60,19 @@ func (o *OIDCOptions) Validate() []error {
 }
 
 func (o *OIDCOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
-	c.OIDC = o.OIDCConfig
+	if o.JWTAuthenticator.Issuer.URL == "" {
+		return nil
+	}
+
+	dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)
+
+	if err != nil {
+		return fmt.Errorf("failed to create dynamic CA content: %w", err)
+	}
+
+	o.CAContentProvider = dyCA
+	c.OIDCDynamicCAContent = dyCA
+	c.OIDC = &o.Options
+
 	return nil
 }

cmd/kube-rbac-proxy/app/options/options.go

@@ -19,10 +19,11 @@ package options
 import (
 	"fmt"
 
-	"github.com/brancz/kube-rbac-proxy/pkg/authn"
-	"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	kubeflags "k8s.io/component-base/cli/flag"
+
+	"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 )
 
 // ProxyRunOptions bundles both generic server run options from upstream, the
@@ -54,7 +55,7 @@ func NewProxyRunOptions() *ProxyRunOptions {
 			UpstreamHeader: &identityheaders.AuthnHeaderConfig{},
 		},
 		OIDCOptions: &OIDCOptions{
-			OIDCConfig: &authn.OIDCConfig{},
+			Options: oidc.Options{},
 		},
 	}
 }

pkg/authn/config.go

@@ -16,6 +16,8 @@ limitations under the License.
 
 package authn
 
+import "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+
 // X509Config holds public client certificate used for authentication requests if specified
 type X509Config struct {
 	ClientCAFile              string
@@ -30,12 +32,7 @@ type TokenConfig struct {
 
 // OIDCConfig represents configuration used for JWT request authentication
 type OIDCConfig struct {
-	IssuerURL            string
-	ClientID             string
-	CAFile               string
-	UsernameClaim        string
-	UsernamePrefix       string
-	GroupsClaim          string
-	GroupsPrefix         string
-	SupportedSigningAlgs []string
+	CAFile string
+
+	oidc.Options
 }

pkg/server/config.go

@@ -26,8 +26,9 @@ import (
 	"os"
 
 	serverconfig "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 
-	"github.com/brancz/kube-rbac-proxy/pkg/authn"
 	"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 	authz "github.com/brancz/kube-rbac-proxy/pkg/authorization"
 	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
@@ -55,7 +56,8 @@ type KubeRBACProxyInfo struct {
 
 	Authorization *authz.AuthzConfig
 
-	OIDC *authn.OIDCConfig
+	OIDC                 *oidc.Options
+	OIDCDynamicCAContent *dynamiccertificates.DynamicFileCAContent
 
 	AllowPaths  []string
 	IgnorePaths []string
@@ -75,6 +77,10 @@ func NewConfig() *KubeRBACProxyConfig {
 	}
 }
 
+func (i *KubeRBACProxyInfo) HasOIDCSetup() bool {
+	return i.OIDC != nil && i.OIDC.JWTAuthenticator.Issuer.URL != ""
+}
+
 // SetUpstreamTransport configures the transport to use when talking to upstream
 // with a CA and/or client cert/key pair.
 // An empty string on `upstreamCAPath` means system cert pool will be used.