
Conversation

ardaguclu (Member) commented Jul 3, 2025

Fixes #165

Copying the template from kubeconfig has security implications, as it also sets the certificates from kubeconfig, which can be used as a fallback mechanism if the bearer token is invalid.

We have to generate the config from scratch by explicitly setting the required fields from kubeconfig, such as the CA bundle, host, API path, QPS, etc.

This PR generates the derived config from scratch by setting the token manually, a custom user agent to be identified in the API server audit logs, and the required fields from kubeconfig.

Based on my tests, this works properly and as expected.

ardaguclu (Member, Author) commented:

/cc @manusa

@manusa manusa added this to the 0.1.0 milestone Jul 7, 2025 — with automated-tasks
manusa (Member) commented Jul 7, 2025

A few tests to ensure behavior would be helpful.

manusa (Member) left a review comment

LGTM, thx!

@manusa manusa merged commit 00e4f18 into containers:main Jul 7, 2025
5 checks passed
@ardaguclu ardaguclu deleted the isolate-bearer-token branch July 7, 2025 05:10
ardaguclu (Member, Author) commented:

> A few tests to ensure behavior would be helpful.

Good point. I think I'll have to add some tests for the derived config that not only cover this case but also ensure that the staticConfig is wired (as we discussed previously). Thank you.

manusa (Member) commented Jul 7, 2025

> > A few tests to ensure behavior would be helpful.
>
> Good point. I think I'll have to add some tests for the derived config that not only cover this case but also ensure that the staticConfig is wired (as we discussed previously). Thank you.

❤️

I added the comment as a reminder.
It'd be good to have tests that ensure the expected behavior.

  • Derived config is deep equal to original config in case derived doesn't apply -> entry-point for further --require-auth refinement
  • ////////
  • Derived config has host matching original config
  • Derived config has APIPath matching original config
  • Derived config has ... matching original config
  • Derived config overrides Bearer token in original config
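The following is an added example, not code from this PR or from the kubernetes-mcp-server project. It illustrates both the security point in the PR description (a copied template keeps the kubeconfig's client certificate as a fallback credential, so the derived config must be built from scratch) and the test properties listed above (host and APIPath match, the bearer token is overridden, and derivation that does not apply returns a config deep-equal to the original). To run offline without client-go, it uses a hand-written `Config`/`TLSClientConfig` stand-in whose field names follow `rest.Config`; `deriveByCopy`, `deriveFromScratch`, `fallbackCredentials`, `sampleKubeconfigConfig`, the user-agent string and the "empty token means derivation does not apply" rule are all assumptions made for this example, and the certificate bytes are constructed placeholders, not real PEM.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSClientConfig is a stand-in for the matching subset of
// k8s.io/client-go/rest.TLSClientConfig so the example runs without client-go.
// CAFile/CAData are trust roots; the Cert*/Key* fields are credentials.
type TLSClientConfig struct {
	Insecure   bool
	ServerName string
	CAFile     string
	CAData     []byte
	CertFile   string
	KeyFile    string
	CertData   []byte
	KeyData    []byte
}

// Config is a stand-in for the subset of rest.Config used below.
type Config struct {
	Host            string
	APIPath         string
	UserAgent       string
	QPS             float32
	Burst           int
	Username        string
	Password        string
	BearerToken     string
	BearerTokenFile string
	TLSClientConfig TLSClientConfig
}

// sampleKubeconfigConfig is a constructed config as loaded from a kubeconfig
// whose user authenticates with a client certificate. Byte values are placeholders.
func sampleKubeconfigConfig() *Config {
	return &Config{
		Host:    "https://api.cluster.example:6443",
		APIPath: "/api",
		QPS:     50,
		Burst:   100,
		TLSClientConfig: TLSClientConfig{
			CAData:   []byte("-----BEGIN CERTIFICATE-----\nconstructed-ca\n"),
			CertData: []byte("-----BEGIN CERTIFICATE-----\nconstructed-client-cert\n"),
			KeyData:  []byte("-----BEGIN PRIVATE KEY-----\nconstructed-client-key\n"),
		},
	}
}

// deriveByCopy is the pattern the PR moves away from: copy the template and
// overwrite the token. The client certificate survives the copy, so a rejected
// bearer token does not fail closed; the kubeconfig identity is still presented.
func deriveByCopy(orig *Config, token string) *Config {
	derived := *orig // shallow copy keeps every field, credentials included
	derived.BearerToken = token
	return &derived
}

// deriveFromScratch builds a new config carrying only connection parameters and
// the CA bundle, then sets the caller's token and a distinct user agent for the
// audit log. With an empty token derivation does not apply and the original is
// returned unchanged (assumed behaviour for this example).
func deriveFromScratch(orig *Config, token, userAgent string) *Config {
	if token == "" {
		return orig
	}
	return &Config{
		Host:        orig.Host,
		APIPath:     orig.APIPath,
		QPS:         orig.QPS,
		Burst:       orig.Burst,
		UserAgent:   userAgent,
		BearerToken: token,
		TLSClientConfig: TLSClientConfig{
			Insecure:   orig.TLSClientConfig.Insecure,
			ServerName: orig.TLSClientConfig.ServerName,
			CAFile:     orig.TLSClientConfig.CAFile,
			CAData:     append([]byte(nil), orig.TLSClientConfig.CAData...),
		},
	}
}

// fallbackCredentials lists every credential source other than BearerToken that
// is still set on c. A derived config must yield an empty list.
func fallbackCredentials(c *Config) []string {
	var found []string
	tls := c.TLSClientConfig
	if tls.CertFile != "" || tls.KeyFile != "" || len(tls.CertData) > 0 || len(tls.KeyData) > 0 {
		found = append(found, "client certificate")
	}
	if c.Username != "" || c.Password != "" {
		found = append(found, "basic auth")
	}
	if c.BearerTokenFile != "" {
		found = append(found, "bearer token file")
	}
	return found
}

func main() {
	orig := sampleKubeconfigConfig()
	byCopy := deriveByCopy(orig, "user-token")
	scratch := deriveFromScratch(orig, "user-token", "kubernetes-mcp-server/derived")
	fmt.Printf("copy-based derivation keeps: %s\n", strings.Join(fallbackCredentials(byCopy), ", "))
	fmt.Printf("from-scratch derivation keeps: %q\n", fallbackCredentials(scratch))
}
```

On the real `rest.Config` the same reasoning applies to `ExecProvider`, `AuthProvider` and `Impersonate`: anything not copied explicitly into the new struct cannot act as a fallback identity, which is the point of building the derived config from scratch rather than copying a template.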


Development: successfully merging this pull request may close these issues:

  • DerivedConfig includes certificate authentication