mjudeikis
Contributor

@mjudeikis mjudeikis commented Jul 17, 2025

Summary

Kubernetes only checks the provided keys for SA validity, not the chain.
FrontProxy without flags denies SAs as "not enabled".
This boils down to "every shard & frontproxy must use the same SA certs".

In addition, SubjectAccessReview calls in delegated authentication mode are passed down to the shards. So if OIDC is used, shards need to be able to verify the tokens.

FrontProxy with enabled SA authentication:

  containers:
  - args:
    - --secure-port=6443
    - --root-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig
    - --shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig
    - --tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key
    - --tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt
    - --client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt
    - --mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml
    - --service-account-lookup=false
    - --service-account-key-file=/etc/kcp/tls/shard-sample/service-account/tls.key
    - --service-account-key-file=/etc/kcp/tls/secondary-shard/service-account/tls.key
    - --service-account-key-file=/etc/kcp/tls/shard2-sample/service-account/tls.key

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes #

Release Notes

Fix ServiceAccount resolution & authentication in sharded model
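The point made in the description above (the authenticator checks only the configured keys, so the front proxy needs every shard's key) as an added Go example; this is not code from this PR or from kcp. The shard keys and the token body are constructed here, and a plain PKCS#1 v1.5 signature over the body stands in for a real ServiceAccount JWT.

```go
// Added example, not code from the kcp PR: a Kubernetes-style ServiceAccount
// token authenticator accepts a token only if its signature verifies against one
// of the configured public keys (one per --service-account-key-file); no CA chain.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newShardKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// issueToken signs a token body the way a shard's token controller would.
func issueToken(key *rsa.PrivateKey, body []byte) []byte {
	d := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyWithKeySet mirrors the authenticator: accept on the first configured key that verifies.
func verifyWithKeySet(keys []*rsa.PublicKey, body, sig []byte) bool {
	d := sha256.Sum256(body)
	for _, pub := range keys {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil {
			return true
		}
	}
	return false
}

func main() {
	root, second := newShardKey(), newShardKey()
	body := []byte("system:serviceaccount:default:foo@secondary-shard") // constructed
	tok := issueToken(second, body) // token minted by the secondary shard
	onlyRoot := []*rsa.PublicKey{&root.PublicKey}
	all := []*rsa.PublicKey{&root.PublicKey, &second.PublicKey}
	fmt.Println("proxy knows root key only:", verifyWithKeySet(onlyRoot, body, tok)) // false
	fmt.Println("proxy knows all shard keys:", verifyWithKeySet(all, body, tok))     // true
}
```

A token minted by a shard whose key was not passed to the proxy is rejected regardless of how the shards' certificates were issued, which is why the flag above is repeated once per shard.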

@kcp-ci-bot kcp-ci-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has signed the DCO. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Jul 17, 2025
@mjudeikis mjudeikis changed the title Fix SA authentication in sharded setup. Fix authentication in sharded setup. Jul 22, 2025
@kcp-ci-bot kcp-ci-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 22, 2025
@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch from b783c29 to 5ea69d1 on July 25, 2025 19:18
@kcp-ci-bot kcp-ci-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 25, 2025
@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch from b20b2a3 to 3b6022f on July 25, 2025 19:35
@mjudeikis mjudeikis requested review from xrstf, embik and Copilot July 25, 2025 19:36

@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes authentication issues in sharded KCP setups by implementing proper ServiceAccount authentication configuration. The changes enable FrontProxy and shards to share ServiceAccount certificates and configure OIDC token verification across all components.

Key changes:

  • Adds ServiceAccount authentication configuration to AuthSpec for FrontProxy, RootShard, and Shard resources
  • Implements automatic mounting of all shard ServiceAccount certificates to FrontProxy when enabled
  • Updates RootShard controller to track child shards in status for certificate distribution

Reviewed Changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 5 comments.

Summary per file:

File                                             Description
sdk/apis/operator/v1alpha1/frontproxy_types.go   Adds ServiceAccountAuthentication struct and field to AuthSpec
sdk/apis/operator/v1alpha1/shard_types.go        Adds Auth field to CommonShardSpec for shard authentication
sdk/apis/operator/v1alpha1/rootshard_types.go    Adds ShardReference tracking to RootShardStatus
internal/resources/utils/authentication.go       Implements ServiceAccount certificate mounting logic
internal/resources/frontproxy/deployment.go      Updates to use new FrontProxy-specific auth configuration
internal/controller/rootshard_controller.go      Adds shard tracking and watching logic
config/samples/                                  Sample configurations demonstrating new authentication features

@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch 3 times, most recently from 69575e3 to 31c976c on July 25, 2025 19:42
@kcp-ci-bot kcp-ci-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 25, 2025
@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch from 31c976c to 2507e8b on July 25, 2025 19:44
@mjudeikis mjudeikis requested a review from embik July 29, 2025 12:22
@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch 2 times, most recently from 80dfcb5 to 11ce278 on July 29, 2025 18:38
@mjudeikis
Contributor Author

/retest

Member

@embik embik left a comment

Minor language/typo nit. Don't forget to re-run codegen afterwards.

On-behalf-of: SAP <[email protected]>
Signed-off-by: Mangirdas Judeikis <[email protected]>
@mjudeikis mjudeikis force-pushed the mjudeikis/fix.sa.sharded branch from 11ce278 to 938a027 on July 30, 2025 18:13
@mjudeikis
Contributor Author

/retest

@mjudeikis mjudeikis added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 31, 2025
@kcp-ci-bot kcp-ci-bot removed the do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Jul 31, 2025
Member

@embik embik left a comment

/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 31, 2025
@kcp-ci-bot
Contributor

LGTM label has been added.

Git tree hash: 2b1ee69a5f5d3ec0ed376168deb0f5e54de7272d

@kcp-ci-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: embik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 31, 2025
@kcp-ci-bot kcp-ci-bot merged commit 45f2b93 into kcp-dev:main Jul 31, 2025
10 checks passed