Introduce changes from master to sig-auth-acceptance branch #300

Open
wants to merge 9 commits into
base: sig-auth-acceptance
6 changes: 3 additions & 3 deletions .github/workflows/build.yml
Expand Up @@ -4,8 +4,8 @@ on: [push, pull_request]

env:
QUAY_PATH: quay.io/brancz/kube-rbac-proxy
go-version: '1.22.1'
kind-version: 'v0.22.0'
go-version: '1.22.4'
kind-version: 'v0.23.0'

jobs:
check-license:
Expand Down Expand Up @@ -71,7 +71,7 @@ jobs:
go-version: ${{ env.go-version }}
- name: Create container & run tests
run: |
VERSION=local make container
VERSION=local VERSION_SEMVER=$(cat ./VERSION) make container
kind load docker-image ${QUAY_PATH}:local
until docker exec $(kind get nodes) crictl images | grep "${QUAY_PATH}"; do
echo "no kube-rbac-proxy image"
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,5 +1,5 @@
ARG GOARCH=amd64
FROM gcr.io/distroless/static:nonroot-$GOARCH
ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
FROM $BASEIMAGE

ARG BINARY=kube-rbac-proxy-linux-amd64
COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy
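Review bot: `FROM $BASEIMAGE` now resolves the base image from a build arg whose default is a mutable tag, so two builds of the same commit can pick up different distroless contents depending on when they run. Pinning the default to a digest makes the image reproducible and lets the pin be audited, e.g. `ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64@sha256:<digest-placeholder>`, with the Makefile's `BASEIMAGE?=` default carrying the same pin so `--build-arg BASEIMAGE=` does not silently undo it. An `ARG` declared before `FROM` is only in scope for the `FROM` line itself, which is what this hunk relies on; a one-line comment above it saying so would save the next reader a trip to the Dockerfile reference.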
31 changes: 17 additions & 14 deletions Makefile
Expand Up @@ -3,20 +3,22 @@ all: check-license build generate test
GO111MODULE=on
export GO111MODULE

PROGRAM_NAME?=kube-rbac-proxy
GITHUB_URL=github.com/brancz/kube-rbac-proxy
GOOS?=$(shell uname -s | tr A-Z a-z)
GOARCH?=$(shell go env GOARCH)
BASEIMAGE?=gcr.io/distroless/static:nonroot-$(GOARCH)
OUT_DIR=_output
BIN?=kube-rbac-proxy
VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
VERSION_SEMVER?=$(shell echo $(VERSION) | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+')
PKGS=$(shell go list ./... | grep -v /test/e2e)
DOCKER_REPO?=quay.io/brancz/kube-rbac-proxy
KUBECONFIG?=$(HOME)/.kube/config
CONTAINER_NAME?=$(DOCKER_REPO):$(VERSION)

ALL_ARCH=amd64 arm arm64 ppc64le s390x
ALL_PLATFORMS=$(addprefix linux/,$(ALL_ARCH))
ALL_BINARIES ?= $(addprefix $(OUT_DIR)/$(BIN)-, \
ALL_BINARIES ?= $(addprefix $(OUT_DIR)/$(PROGRAM_NAME)-, \
$(addprefix linux-,$(ALL_ARCH)) \
darwin-amd64 \
windows-amd64.exe)
Expand All @@ -33,29 +35,29 @@ check-license:

crossbuild: $(ALL_BINARIES)

$(OUT_DIR)/$(BIN): $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH)
cp $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) $(OUT_DIR)/$(BIN)
$(OUT_DIR)/$(PROGRAM_NAME): $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH)
cp $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) $(OUT_DIR)/$(PROGRAM_NAME)

$(OUT_DIR)/$(BIN)-%:
@echo ">> building for $(GOOS)/$(GOARCH) to $(OUT_DIR)/$(BIN)-$*"
$(OUT_DIR)/$(PROGRAM_NAME)-%:
@echo ">> building for $(GOOS)/$(GOARCH) to $(OUT_DIR)/$(PROGRAM_NAME)-$*"
GOARCH=$(word 2,$(subst -, ,$(*:.exe=))) \
GOOS=$(word 1,$(subst -, ,$(*:.exe=))) \
CGO_ENABLED=0 \
go build --installsuffix cgo -o $(OUT_DIR)/$(BIN)-$* $(GITHUB_URL)/cmd/kube-rbac-proxy
go build --installsuffix cgo -ldflags="-X k8s.io/component-base/version.gitVersion=$(VERSION_SEMVER) -X k8s.io/component-base/version.gitCommit=$(shell git rev-parse HEAD) -X k8s.io/component-base/version/verflag.programName=$(PROGRAM_NAME)" -o $(OUT_DIR)/$(PROGRAM_NAME)-$* $(GITHUB_URL)/cmd/kube-rbac-proxy

clean:
-rm -r $(OUT_DIR)

build: clean $(OUT_DIR)/$(BIN)
build: clean $(OUT_DIR)/$(PROGRAM_NAME)

update-go-deps:
@for m in $$(go list -mod=readonly -m -f '{{ if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all); do \
go get -d $$m; \
done
go mod tidy

container: $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(CONTAINER_NAME)-$(GOARCH) .
container: $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME)-$(GOARCH) .
ifeq ($(GOARCH), amd64)
docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(CONTAINER_NAME)
endif
Expand All @@ -76,6 +78,9 @@ manifest-push: manifest-tool

push: crossbuild manifest-tool $(addprefix push-,$(ALL_ARCH)) manifest-push

test-container: $(OUT_DIR)/$(PROGRAM_NAME)-linux-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(PROGRAM_NAME)-linux-$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME) .

curl-container:
docker build -f ./examples/example-client/Dockerfile -t quay.io/brancz/krp-curl:v0.0.2 .

Expand All @@ -96,11 +101,9 @@ test-e2e:

test-local-setup: VERSION = local
test-local-setup: VERSION_SEMVER = $(shell cat VERSION)
test-local-setup: container kind-create-cluster
test-local-setup: clean test-container kind-create-cluster
test-local: test-local-setup test

test-e2e-local: test-local-setup test-e2e

kind-delete-cluster:
kind delete cluster

Expand All @@ -122,4 +125,4 @@ $(TOOLING): $(TOOLS_BIN_DIR)
@echo Installing tools from scripts/tools.go
@cat scripts/tools.go | grep _ | awk -F'"' '{print $$2}' | GOBIN=$(TOOLS_BIN_DIR) xargs -tI % go install -mod=readonly -modfile=scripts/go.mod %

.PHONY: all check-license crossbuild build container push push-% manifest-push curl-container test test-unit test-e2e generate update-go-deps clean kind-delete-cluster kind-create-cluster
.PHONY: all check-license crossbuild build container push push-% manifest-push test-container curl-container test test-unit test-e2e generate update-go-deps clean kind-delete-cluster kind-create-cluster
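Review bot: `test-local-setup: clean test-container kind-create-cluster` depends on prerequisite order to run `clean` before `test-container`, but Make does not order sibling prerequisites, so under `make -j` the `rm -r $(OUT_DIR)` in `clean` can race with the `go build` that writes into `_output`; the renamed `build: clean $(OUT_DIR)/$(PROGRAM_NAME)` line carries the same pre-existing pattern. Making the sequence explicit while keeping the target-specific VERSION overrides would be `test-local-setup: clean` followed by the recipe `$(MAKE) VERSION='$(VERSION)' VERSION_SEMVER='$(VERSION_SEMVER)' test-container kind-create-cluster`. Separately, `$(shell git rev-parse HEAD)` embedded in the `-ldflags` of the `$(OUT_DIR)/$(PROGRAM_NAME)-%` rule forks git on every expansion of that recipe; hoisting it next to VERSION as `GIT_COMMIT := $(shell git rev-parse HEAD)` evaluates it once and keeps the build line readable.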
33 changes: 12 additions & 21 deletions README.md
Expand Up @@ -56,7 +56,7 @@ Usage:

Secure serving flags:

--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. (default 0.0.0.0)
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces and IP address families will be used. (default 0.0.0.0)
--cert-dir string The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. (default "apiserver.local.config/certificates")
--http2-max-streams-per-connection int The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
--permit-address-sharing If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]
Expand Down Expand Up @@ -97,6 +97,7 @@ Proxy flags:
--auth-header-user-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
--auth-token-audiences strings Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
--config-file string Configuration file to configure static and rewrites authorization of the kube-rbac-proxy.
--disable-http2-serving If true, HTTP2 serving will be disabled [default=false]
--ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
--proxy-endpoints-port int The port to securely serve proxy-specific endpoints (such as '/healthz'). Uses the host from the '--secure-listen-address'.
--upstream string The upstream URL to proxy to once requests have successfully been authenticated and authorized.
Expand All @@ -107,29 +108,19 @@ Proxy flags:

OIDC flags:

--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
--oidc-groups-claim string Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
--oidc-groups-prefix string If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
--oidc-issuer string The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
--oidc-sign-alg stringArray Supported signing algorithms, default RS256 (default [RS256])
--oidc-username-claim string Identifier of the user in JWT claim, by default set to 'email' (default "email")
--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID strings The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
--oidc-groups-claim string Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
--oidc-groups-prefix string If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
--oidc-issuer string The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
--oidc-sign-alg stringArray Supported signing algorithms, default RS256 (default [RS256])
--oidc-username-claim string Identifier of the user in JWT claim, by default set to 'email' (default "email")
--oidc-username-prefix string If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.

Global flags:

--add-dir-header If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-h, --help help for kube-rbac-proxy
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--logtostderr log to standard error instead of files (default true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-headers If true, avoid header prefixes in the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--version version[=true] Print version information and quit
-h, --help help for kube-rbac-proxy
--version version[=true] --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version
```

### Authorization configuration
17 changes: 9 additions & 8 deletions cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
Expand Up @@ -32,11 +32,13 @@ import (
utilerrors "k8s.io/apimachinery/pkg/util/errors"
waitgroup "k8s.io/apimachinery/pkg/util/waitgroup"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/union"
kubefilters "k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/endpoints/request"
serverconfig "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
k8sapiflag "k8s.io/component-base/cli/flag"
Expand All @@ -47,7 +49,6 @@ import (
"k8s.io/klog/v2"

"github.com/brancz/kube-rbac-proxy/cmd/kube-rbac-proxy/app/options"
"github.com/brancz/kube-rbac-proxy/pkg/authn"
"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
"github.com/brancz/kube-rbac-proxy/pkg/authorization/path"
"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
Expand Down Expand Up @@ -152,7 +153,7 @@ func (opts *completedProxyRunOptions) ProxyConfig() (*server.KubeRBACProxyConfig
return nil, err
}

if err := opts.ProxyOptions.ApplyTo(proxyConfig.KubeRBACProxyInfo, proxyConfig.DelegatingAuthentication); err != nil {
if err := opts.ProxyOptions.ApplyTo(proxyConfig); err != nil {
return nil, err
}

Expand Down Expand Up @@ -195,14 +196,14 @@ func Run(cfg *server.KubeRBACProxyConfig) error {

var authenticator authenticator.Request
// If OIDC configuration provided, use oidc authenticator
if cfg.KubeRBACProxyInfo.OIDC.IssuerURL != "" {
oidcAuthenticator, err := authn.NewOIDCAuthenticator(cfg.KubeRBACProxyInfo.OIDC)
if cfg.KubeRBACProxyInfo.HasOIDCSetup() {
tokenAuthenticator, err := oidc.New(ctx, *cfg.KubeRBACProxyInfo.OIDC)
if err != nil {
return fmt.Errorf("failed to instantiate OIDC authenticator: %w", err)
return fmt.Errorf("setting up oidc failed: %w", err)
}

go oidcAuthenticator.Run(ctx)
authenticator = oidcAuthenticator
go cfg.KubeRBACProxyInfo.OIDCDynamicCAContent.Run(ctx, 1)
authenticator = bearertoken.New(tokenAuthenticator)
} else {
authenticator = cfg.DelegatingAuthentication.Authenticator
}
Expand Down Expand Up @@ -232,7 +233,7 @@ func Run(cfg *server.KubeRBACProxyConfig) error {

handler := identityheaders.WithAuthHeaders(proxy, cfg.KubeRBACProxyInfo.UpstreamHeaders)
handler = kubefilters.WithAuthorization(handler, authz, scheme.Codecs)
handler = kubefilters.WithAuthentication(handler, authenticator, http.HandlerFunc(filters.UnauthorizedHandler), cfg.DelegatingAuthentication.APIAudiences)
handler = kubefilters.WithAuthentication(handler, authenticator, http.HandlerFunc(filters.UnauthorizedHandler), cfg.DelegatingAuthentication.APIAudiences, nil)
What happens when you supply the request header nil here? It won't get autodetected from the cluster, right?

TODO add explanation of what nil does.

It enables you to cleanse custom headers that you use for your proxy to contain additional information. It is necessary to drop those.

We write custom headers in case of request headers and we read custom headers based on the rewrite logic: link.
The rewrite logic for Query parameters relies on upstream to interpret them, which is usually a hostile behavior that you want to avoid, but in our case, we want Prometheus to be able to interpret it. Therefore I am hesitant to introduce it for custom headers as well. We could add a boolean flag that defaults to true, which enables / disables cleansing of header values? WDYT @stlaz?

Ref: k8s.io/apiserver/pkg/endpoints/filters/authentication.go

We should avoid forwarding the default headers at least, which is what WithAuthentication() does already.

Generally I think we should drop any headers we're processing, more so if we're using them for authentication. I don't think we wired any authn via request headers, correct?

Outside of that we should also make sure that none of the headers we produce can be just passed upstream from the original request.

// passing an empty RequestInfoFactory results in attaching a non-resource RequestInfo to the context
handler = kubefilters.WithRequestInfo(handler, &request.RequestInfoFactory{})
handler = rewrite.WithKubeRBACProxyParamsHandler(handler, cfg.KubeRBACProxyInfo.Authorization.RewriteAttributesConfig)
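Review bot: `go cfg.KubeRBACProxyInfo.OIDCDynamicCAContent.Run(ctx, 1)` is started whenever `HasOIDCSetup()` is true, but nothing in this file shows that `OIDCDynamicCAContent` is populated together with `OIDC`; that pairing is presumably established by the options' `ApplyTo` elsewhere, and a nil value here would panic at startup. A guard such as `if ca := cfg.KubeRBACProxyInfo.OIDCDynamicCAContent; ca != nil { go ca.Run(ctx, 1) }` keeps startup robust if the two fields ever diverge, or at minimum the branch should carry a comment stating the invariant it relies on. The body of `Run` starts and ends outside the hunk.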
45 changes: 37 additions & 8 deletions cmd/kube-rbac-proxy/app/options/oidcoptions.go
Expand Up @@ -17,25 +17,41 @@ limitations under the License.
package options

import (
"github.com/brancz/kube-rbac-proxy/pkg/authn"
"fmt"

"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

"github.com/brancz/kube-rbac-proxy/pkg/server"

"github.com/spf13/pflag"
)

type OIDCOptions struct {
*authn.OIDCConfig
oidc.Options

CAFile string
}

func (o *OIDCOptions) AddFlags(flagset *pflag.FlagSet) {
//Authn OIDC flags
flagset.StringVar(&o.IssuerURL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
flagset.StringVar(&o.ClientID, "oidc-clientID", "", "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
flagset.StringVar(&o.GroupsClaim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringVar(&o.UsernameClaim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
flagset.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
flagset.StringVar(&o.JWTAuthenticator.Issuer.URL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
flagset.StringSliceVar(&o.JWTAuthenticator.Issuer.Audiences, "oidc-clientID", []string{}, "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Username.Claim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
flagset.StringVar(&o.JWTAuthenticator.ClaimMappings.Groups.Claim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringArrayVar(&o.SupportedSigningAlgs, "oidc-sign-alg", []string{"RS256"}, "Supported signing algorithms, default RS256")
flagset.StringVar(&o.CAFile, "oidc-ca-file", "", "If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.")

uprefix := flagset.String("oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
if uprefix != nil {
o.JWTAuthenticator.ClaimMappings.Username.Prefix = uprefix
}

gprefix := flagset.String("oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
if gprefix != nil {
o.JWTAuthenticator.ClaimMappings.Groups.Prefix = gprefix
}

}

func (o *OIDCOptions) Validate() []error {
Expand All @@ -44,6 +60,19 @@ func (o *OIDCOptions) Validate() []error {
}

func (o *OIDCOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
c.OIDC = o.OIDCConfig
if o.JWTAuthenticator.Issuer.URL == "" {
return nil
}

dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)

if err != nil {
return fmt.Errorf("failed to create dynamic CA content: %w", err)
}

o.CAContentProvider = dyCA
c.OIDCDynamicCAContent = dyCA
c.OIDC = &o.Options

return nil
}
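Review bot: `ApplyTo` unconditionally calls `dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)` once an issuer URL is set, while the `--oidc-ca-file` help text registered in AddFlags still says the file is optional and the host's root CA set is used otherwise; as far as I recall NewDynamicCAContentFromFile rejects an empty filename, so an OIDC setup without `--oidc-ca-file` would now fail at startup instead of falling back to system roots. Either guard the CA loading on `o.CAFile != ""` as below (oidc.New uses the host roots when CAContentProvider is nil, I believe), or require the flag in Validate and update the help text; if the guard is chosen, the caller that runs `OIDCDynamicCAContent` needs a matching nil check. The `if uprefix != nil` and `if gprefix != nil` checks in AddFlags are dead — `flagset.String` never returns nil — so the pointer can be assigned directly, e.g. `o.JWTAuthenticator.ClaimMappings.Username.Prefix = flagset.String("oidc-username-prefix", "", "...")`.
```go
func (o *OIDCOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
	// … unchanged: early return when no issuer URL is configured …

	// The CA file is optional; without it the authenticator falls back to the
	// host root CA set, as documented on --oidc-ca-file.
	if o.CAFile != "" {
		dyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("oidc-ca", o.CAFile)
		if err != nil {
			return fmt.Errorf("failed to create dynamic CA content: %w", err)
		}
		o.CAContentProvider = dyCA
		c.OIDCDynamicCAContent = dyCA
	}
	c.OIDC = &o.Options

	return nil
}
```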