
Commit 130927b

fix(deploy): use cluster audience in OIDC AuthPolicy patch
The OIDC patch template hardcoded https://kubernetes.default.svc as the TokenReview audience, but HyperShift/ROSA/Konflux clusters use non-standard audiences. After the merge patch was applied, OpenShift tokens got 401 because the audience didn't match. Add __CLUSTER_AUDIENCE__ placeholder to the OIDC template and resolve it via get_cluster_audience before patching. Signed-off-by: Wen Liang <liangwen12year@gmail.com>
1 parent 7eafff8 commit 130927b

2 files changed

Lines changed: 9 additions & 2 deletions


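--- a/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml
+++ b/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml
@@ -40,7 +40,7 @@ spec:
 - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
 kubernetesTokenReview:
 audiences:
-- https://kubernetes.default.svc
+- __CLUSTER_AUDIENCE__
 - maas-default-gateway-sa
 priority: 2
 metadata: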
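Review bot: The new `__CLUSTER_AUDIENCE__` entry under `audiences:` carries no comment saying who substitutes it, so a reader of this template alone cannot tell whether the literal is intentional or a leftover. I would add a YAML comment directly above that entry: `# __CLUSTER_AUDIENCE__ is rendered by patch_authpolicy_from_template in scripts/deploy.sh; the API server audience differs on HyperShift/ROSA clusters.` If the template were ever applied unrendered, the literal placeholder would not match any token audience, so the failure mode is a 401 rather than an open policy, which is worth stating in the same comment. The enclosing `spec:` block starts outside the hunk.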

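--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1496,6 +1496,7 @@ patch_authpolicy_from_template() {
 local maas_namespace="$3"
 local oidc_issuer_url="${4:-}"
 local oidc_client_id="${5:-}"
+local cluster_audience="${6:-https://kubernetes.default.svc}"
 
 local rendered_patch
 rendered_patch="$(mktemp)"
@@ -1504,6 +1505,7 @@ patch_authpolicy_from_template() {
 -e "s|__MAAS_NAMESPACE__|${maas_namespace}|g" \
 -e "s|__OIDC_ISSUER_URL__|${oidc_issuer_url}|g" \
 -e "s|__OIDC_CLIENT_ID__|${oidc_client_id}|g" \
+-e "s|__CLUSTER_AUDIENCE__|${cluster_audience}|g" \
 "$template_file" > "$rendered_patch"
 
 kubectl patch authpolicy "$authpolicy_name" -n "$NAMESPACE" --type=merge --patch-file "$rendered_patch"
@@ -1562,9 +1564,14 @@ configure_maas_api_authpolicy() {
 return 1
 }
 
+# Resolve cluster audience for TokenReview (HyperShift/ROSA use non-standard audiences).
+local cluster_aud
+cluster_aud=$(get_cluster_audience 2>/dev/null || echo "https://kubernetes.default.svc")
+log_info " Cluster audience: $cluster_aud"
+
 local oidc_patch="$project_root/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml"
 log_info " Enabling OIDC JWT validation with issuer: $oidc_issuer_url, clientId: $oidc_client_id"
-if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url" "$oidc_client_id"; then
+if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url" "$oidc_client_id" "$cluster_aud"; then
 log_error " Failed to patch AuthPolicy with external OIDC configuration"
 return 1
 fi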
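Review bot: The fallback on the `cluster_aud=$(get_cluster_audience 2>/dev/null || echo "https://kubernetes.default.svc")` line silently reinstates the hardcoded audience whenever `get_cluster_audience` fails, which on a HyperShift/ROSA cluster reproduces the exact 401 this commit fixes, with no hint in the log as to why because stderr is discarded. It also does not cover a helper that exits 0 but prints nothing, in which case the rendered template ends up with an empty `audiences` entry. I would separate the call from the fallback, treat an empty result the same as a failure, and log whenever the default is used. Note that `cluster_aud` goes through the same `|`-delimited `sed` substitution as the other placeholders, so a value containing `|`, `&` or `\` would corrupt the rendered patch; audiences are normally plain URLs, so this is a pre-existing caveat rather than a new defect. configure_maas_api_authpolicy starts outside the hunk and get_cluster_audience is not visible here, so whether it can return an empty string with status 0 is an assumption to confirm.
```shell
# Resolve cluster audience for TokenReview (HyperShift/ROSA use non-standard audiences).
local cluster_aud
if ! cluster_aud=$(get_cluster_audience 2>/dev/null) || [[ -z "$cluster_aud" ]]; then
  log_info "  WARNING: could not resolve cluster audience; falling back to https://kubernetes.default.svc (OpenShift tokens may get 401 on HyperShift/ROSA)"
  cluster_aud="https://kubernetes.default.svc"
fi
log_info " Cluster audience: $cluster_aud"
# … unchanged: oidc_patch, log_info and patch_authpolicy_from_template call …
```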
