fix(deploy): use cluster audience in OIDC AuthPolicy patch

liangwen12year · liangwen12year · commit 130927b69928 · 2026-04-21T10:01:28.000-04:00
The OIDC patch template hardcoded https://kubernetes.default.svc as the TokenReview audience, but HyperShift/ROSA/Konflux clusters use non-standard audiences. After the merge patch applied, OpenShift tokens got 401 because the audience didn't match. Add __CLUSTER_AUDIENCE__ placeholder to the OIDC template and resolve it via get_cluster_audience before patching. Signed-off-by: Wen Liang <liangwen12year@gmail.com>
diff --git a/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml b/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml
@@ -40,7 +40,7 @@ spec:
           - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
         kubernetesTokenReview:
           audiences:
-            - https://kubernetes.default.svc
+            - __CLUSTER_AUDIENCE__
             - maas-default-gateway-sa
         priority: 2
     metadata:
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -1496,6 +1496,7 @@ patch_authpolicy_from_template() {
   local maas_namespace="$3"
   local oidc_issuer_url="${4:-}"
   local oidc_client_id="${5:-}"
+  local cluster_audience="${6:-https://kubernetes.default.svc}"
 
   local rendered_patch
   rendered_patch="$(mktemp)"
@@ -1504,6 +1505,7 @@ patch_authpolicy_from_template() {
     -e "s|__MAAS_NAMESPACE__|${maas_namespace}|g" \
     -e "s|__OIDC_ISSUER_URL__|${oidc_issuer_url}|g" \
     -e "s|__OIDC_CLIENT_ID__|${oidc_client_id}|g" \
+    -e "s|__CLUSTER_AUDIENCE__|${cluster_audience}|g" \
     "$template_file" > "$rendered_patch"
 
   kubectl patch authpolicy "$authpolicy_name" -n "$NAMESPACE" --type=merge --patch-file "$rendered_patch"
@@ -1562,9 +1564,14 @@ configure_maas_api_authpolicy() {
     return 1
   }
 
+  # Resolve cluster audience for TokenReview (HyperShift/ROSA use non-standard audiences).
+  local cluster_aud
+  cluster_aud=$(get_cluster_audience 2>/dev/null || echo "https://kubernetes.default.svc")
+  log_info "  Cluster audience: $cluster_aud"
+
   local oidc_patch="$project_root/scripts/data/maas-api-authpolicy-external-oidc-patch.yaml"
   log_info "  Enabling OIDC JWT validation with issuer: $oidc_issuer_url, clientId: $oidc_client_id"
-  if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url" "$oidc_client_id"; then
+  if ! patch_authpolicy_from_template "$authpolicy_name" "$oidc_patch" "$NAMESPACE" "$oidc_issuer_url" "$oidc_client_id" "$cluster_aud"; then
     log_error "  Failed to patch AuthPolicy with external OIDC configuration"
     return 1
   fi
