diff --git a/pkg/controlplane/apiserver/config.go b/pkg/controlplane/apiserver/config.go
index c204e5058ef..fe99c7d4362 100644
--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
@@ -337,6 +337,7 @@ func CreateConfig(
 		config.ClusterAuthenticationInfo.RequestHeaderExtraHeaderPrefixes = requestHeaderConfig.ExtraHeaderPrefixes
 		config.ClusterAuthenticationInfo.RequestHeaderGroupHeaders = requestHeaderConfig.GroupHeaders
 		config.ClusterAuthenticationInfo.RequestHeaderUsernameHeaders = requestHeaderConfig.UsernameHeaders
+		config.ClusterAuthenticationInfo.RequestHeaderUIDHeaders = requestHeaderConfig.UIDHeaders
 	}
 
 	// setup admission
diff --git a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
index 49539171391..12e6b250e04 100644
--- a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
+++ b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
@@ -77,6 +77,8 @@ type ClusterAuthenticationInfo struct {
 	// RequestHeaderUsernameHeaders are the headers used by this kube-apiserver to determine username
 	RequestHeaderUsernameHeaders headerrequest.StringSliceProvider
+	// RequestHeaderUIDHeaders are the headers used by this kube-apiserver to determine UID
+	RequestHeaderUIDHeaders headerrequest.StringSliceProvider
 	// RequestHeaderGroupHeaders are the headers used by this kube-apiserver to determine groups
 	RequestHeaderGroupHeaders headerrequest.StringSliceProvider
 	// RequestHeaderExtraHeaderPrefixes are the headers used by this kube-apiserver to determine user.extra
@@ -224,6 +226,7 @@ func combinedClusterAuthenticationInfo(lhs, rhs ClusterAuthenticationInfo) (Clus
 		RequestHeaderExtraHeaderPrefixes: combineUniqueStringSlices(lhs.RequestHeaderExtraHeaderPrefixes, rhs.RequestHeaderExtraHeaderPrefixes),
 		RequestHeaderGroupHeaders: combineUniqueStringSlices(lhs.RequestHeaderGroupHeaders, rhs.RequestHeaderGroupHeaders),
 		RequestHeaderUsernameHeaders: combineUniqueStringSlices(lhs.RequestHeaderUsernameHeaders, rhs.RequestHeaderUsernameHeaders),
+		RequestHeaderUIDHeaders: combineUniqueStringSlices(lhs.RequestHeaderUIDHeaders, rhs.RequestHeaderUIDHeaders),
 	}
 
 	var err error
@@ -259,6 +262,10 @@ func getConfigMapDataFor(authenticationInfo ClusterAuthenticationInfo) (map[stri
 	if err != nil {
 		return nil, err
 	}
+	data["requestheader-uid-headers"], err = jsonSerializeStringSlice(authenticationInfo.RequestHeaderUIDHeaders.Value())
+	if err != nil {
+		return nil, err
+	}
 	data["requestheader-group-headers"], err = jsonSerializeStringSlice(authenticationInfo.RequestHeaderGroupHeaders.Value())
 	if err != nil {
 		return nil, err
@@ -298,6 +305,10 @@ func getClusterAuthenticationInfoFor(data map[string]string) (ClusterAuthenticat
 	if err != nil {
 		return ClusterAuthenticationInfo{}, err
 	}
+	ret.RequestHeaderUIDHeaders, err = jsonDeserializeStringSlice(data["requestheader-uid-headers"])
+	if err != nil {
+		return ClusterAuthenticationInfo{}, err
+	}
 
 	if caBundle := data["requestheader-client-ca-file"]; len(caBundle) > 0 {
 		ret.RequestHeaderCA, err = dynamiccertificates.NewStaticCAContent("existing", []byte(caBundle))
diff --git a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller_test.go b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller_test.go
index 959fe3b35cb..d593799ee82 100644
--- a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller_test.go
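Review bot: The new `authenticationInfo.RequestHeaderUIDHeaders.Value()` call in getConfigMapDataFor (hunk @@ -259) dereferences the provider unconditionally, so a ClusterAuthenticationInfo assembled by any caller that predates this field now panics on a nil interface instead of simply omitting the key. The three existing header fields have the same shape, so this is consistent with the file, but the new field is the one most likely to be left unset by code outside this diff; the assignment in config.go at @@ -337 is the only constructor the commit touches. Either state the requirement on the field comment added at @@ -77, e.g. `// RequestHeaderUIDHeaders ... Must be non-nil: getConfigMapDataFor calls Value() on it.`, or return an error from getConfigMapDataFor when it is nil. getConfigMapDataFor starts and ends outside the hunk.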
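Review bot: `data["requestheader-uid-headers"]` in getClusterAuthenticationInfoFor (hunk @@ -298) is read from the already-existing extension-apiserver-authentication configmap, which during a version-skewed rollout was written by an apiserver that does not emit this key, so the lookup yields an empty string — a case the other request-header keys never hit because they have always been present. Whether that is harmless depends on jsonDeserializeStringSlice treating an empty string as an empty slice rather than as malformed JSON; if it returns an error, the first upgraded apiserver fails to read the existing configmap and the merge in combinedClusterAuthenticationInfo never runs. None of the test cases updated in cluster_authentication_trust_controller_test.go (hunks @@ -101 through @@ -332) cover an existing configmap that lacks the key; adding one whose initial `Data` holds only the legacy keys, and asserting the written result, would pin the intended skew behavior. getClusterAuthenticationInfoFor starts and ends outside the hunk.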
+++ b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller_test.go
@@ -101,6 +101,7 @@ func TestWriteClientCAs(t *testing.T) {
 			clusterAuthInfo: ClusterAuthenticationInfo{
 				ClientCA: someRandomCAProvider,
 				RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{"alfa", "bravo", "charlie"},
+				RequestHeaderUIDHeaders: headerrequest.StaticStringSlice{"golf", "hotel", "india"},
 				RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{"delta"},
 				RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{"echo", "foxtrot"},
 				RequestHeaderCA: anotherRandomCAProvider,
@@ -112,6 +113,7 @@ func TestWriteClientCAs(t *testing.T) {
 					Data: map[string]string{
 						"client-ca-file": string(someRandomCA),
 						"requestheader-username-headers": `["alfa","bravo","charlie"]`,
+						"requestheader-uid-headers": `["golf","hotel","india"]`,
 						"requestheader-group-headers": `["delta"]`,
 						"requestheader-extra-headers-prefix": `["echo","foxtrot"]`,
 						"requestheader-client-ca-file": string(anotherRandomCA),
@@ -132,6 +134,7 @@ func TestWriteClientCAs(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(anotherRandomCA),
@@ -166,6 +169,7 @@ func TestWriteClientCAs(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(anotherRandomCA),
@@ -201,6 +205,7 @@ func TestWriteClientCAs(t *testing.T) {
 			name: "overwrite extension-apiserver-authentication requestheader",
 			clusterAuthInfo: ClusterAuthenticationInfo{
 				RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{},
+				RequestHeaderUIDHeaders: headerrequest.StaticStringSlice{},
 				RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{},
 				RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{},
 				RequestHeaderCA: anotherRandomCAProvider,
@@ -211,6 +216,7 @@ func TestWriteClientCAs(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(someRandomCA),
@@ -223,6 +229,7 @@ func TestWriteClientCAs(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(someRandomCA) + string(anotherRandomCA),
@@ -253,6 +260,7 @@ func TestWriteClientCAs(t *testing.T) {
 			name: "skip on no change",
 			clusterAuthInfo: ClusterAuthenticationInfo{
 				RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{},
+				RequestHeaderUIDHeaders: headerrequest.StaticStringSlice{},
 				RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{},
 				RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{},
 				RequestHeaderCA: anotherRandomCAProvider,
@@ -263,6 +271,7 @@ func TestWriteClientCAs(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(anotherRandomCA),
@@ -332,6 +341,7 @@ func TestWriteConfigMapDeleted(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
 					Data: map[string]string{
 						"requestheader-username-headers": `[]`,
+						"requestheader-uid-headers": `[]`,
 						"requestheader-group-headers": `[]`,
 						"requestheader-extra-headers-prefix": `[]`,
 						"requestheader-client-ca-file": string(anotherRandomCA),