michaeljmarshall commented on PR #19849: URL: https://github.com/apache/pulsar/pull/19849#issuecomment-1488032894
@EronWright - I added support for better integration with k8s. There were some surprising nuances depending on the cloud I tested in. First, in EKS, the result of calling `https://kubernetes.default.svc/.well-known/openid-configuration` provides the expected issuer for the service account token, but calling `https://kubernetes.default.svc/openid/v1/jwks` returned a JWKS that did not have a matching key id, so verification failed. Even using the `jwks_uri` from the EKS `https://kubernetes.default.svc/.well-known/openid-configuration` didn't work correctly. However, when I followed the token's issuer to discover the `jwks_uri`, it worked easily (and I could see many more public keys). This indicated to me that we need a mode where we first validate that a token's issuer is on the k8s discovery doc, and then we follow that issuer to get the public keys. Next, in AKS, the result of calling `https://kubernetes.default.svc/.well-known/openid-configuration` provides the expected issuer for the service account token, but that issuer is the K8s API Server's public address, which means that it needs authentication and the custom root CA cert. In that case, it is easier to just use the kubernetes client to get the JWKS hosted at the API Server's `/openid/v1/jwks` endpoint. This case inspired the setting to use the k8s client to retrieve the JWKS. The AKS mode worked in GKE. I haven't tested if you can also do the EKS mode, but based on past testing, I think that one should work too.
Here are some helpful curl commands I used when testing out the different providers:

```shell
curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc/.well-known/openid-configuration
```

```shell
curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc/openid/v1/jwks
```
