feat: add TOKEN_AUDIENCE configuration

froz42 · froz42 · commit 639f5ab6154e · 2025-08-18T19:48:57.000+02:00
diff --git a/charts/kerbernetes/templates/deployment.yaml b/charts/kerbernetes/templates/deployment.yaml
@@ -24,6 +24,8 @@ spec:
               value: "{{ .Values.httpPort }}"
             - name: LDAP_ENABLED
               value: "{{ .Values.ldap.enabled }}"
+            - name: TOKEN_AUDIENCE
+              value: "{{ .Values.token.audience }}"
             {{- if and .Values.ldap.enabled .Values.secrets.ldapSecret }}
             - name: LDAP_BASE_DN
               value: "{{ .Values.ldap.baseDN }}"
diff --git a/charts/kerbernetes/values.yaml b/charts/kerbernetes/values.yaml
@@ -9,6 +9,9 @@ image:
 
 httpPort: 3000
 
+token:
+  audience: "https://kubernetes.default.svc.cluster.local"
+
 ldap:
   enabled: false
   url: "ldap://ldap.example.com"
diff --git a/internal/services/auth/auth.service.go b/internal/services/auth/auth.service.go
@@ -92,7 +92,11 @@ func (s *authService) AuthAccount(
 	}, nil
 }
 
-func (s *authService) ldapReconcilate(ctx context.Context, username string, sa *corev1.ServiceAccount) error {
+func (s *authService) ldapReconcilate(
+	ctx context.Context,
+	username string,
+	sa *corev1.ServiceAccount,
+) error {
 	user, err := s.ldapSvc.GetUser(username)
 	if err != nil {
 		s.logger.Error("Failed to get user from LDAP", "username", username, "error", err)
diff --git a/internal/services/env/env.service.go b/internal/services/env/env.service.go
@@ -16,7 +16,8 @@ type Env struct {
 	KeytabPath string `mapstructure:"KEYTAB_PATH" default:"/etc/krb5.keytab" validate:"required"`
 	Namespace  string `mapstructure:"NAMESPACE" default:"default" validate:"required"`
 
-	TokenDuration int `mapstructure:"TOKEN_DURATION" default:"600" validate:"required"`
+	TokenDuration int    `mapstructure:"TOKEN_DURATION" default:"600" validate:"required"`
+	TokenAudience string `mapstructure:"TOKEN_AUDIENCE" default:"https://kubernetes.default.svc.cluster.local"`
 
 	LDAPEnabled bool   `mapstructure:"LDAP_ENABLED" default:"false"`
 	LDAPURL     string `mapstructure:"LDAP_URL"`
diff --git a/internal/services/k8s/serviceaccounts/serviceaccounts.service.go b/internal/services/k8s/serviceaccounts/serviceaccounts.service.go
@@ -135,7 +135,7 @@ func (svc *serviceAccountsService) IssueToken(
 	token, err := svc.clientset.CoreV1().ServiceAccounts(svc.namespace).
 		CreateToken(ctx, username, &authv1.TokenRequest{
 			Spec: authv1.TokenRequestSpec{
-				Audiences:         []string{"https://kubernetes.default.svc.cluster.local"},
+				Audiences:         []string{svc.env.TokenAudience},
 				ExpirationSeconds: int64Ptr(int64(svc.env.TokenDuration)),
 			},
 		}, metav1.CreateOptions{})
