Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oidc authenticator: attempt to immediately initialize verifier #97693

Merged
merged 1 commit into from Jan 8, 2021
Merged

oidc authenticator: attempt to immediately initialize verifier #97693

merged 1 commit into from Jan 8, 2021

Conversation

enj
Copy link
Member

@enj enj commented Jan 4, 2021
edited by liggitt

This change updates the OIDC authenticator to not wait 10 seconds before attempting to fetch the /.well-known/openid-configuration
metadata from the OIDC issuer. In most situations this results in the API server being able to verify ID tokens sooner.

Signed-off-by: Monis Khan mok@vmware.com

/kind cleanup

kube-apiserver: The OIDC authenticator no longer waits 10 seconds before attempting to fetch the metadata required to verify tokens.

@enj
oidc authenticator: attempt to immediately initialize verifier
be99f37 
This change updates the OIDC authenticator to not wait 10 seconds
before attempting to fetch the /.well-known/openid-configuration
metadata from the OIDC issuer.  In most situations this results in
the API server being able to verify ID tokens sooner.

Signed-off-by: Monis Khan <mok@vmware.com>
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 4, 2021
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 4, 2021
@enj
Copy link
Member Author

enj commented Jan 4, 2021

/priority important-longterm
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 4, 2021
@liggitt
Copy link
Member

liggitt commented Jan 8, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2021
@liggitt liggitt mentioned this pull request Jan 8, 2021
Closed
@k8s-ci-robot k8s-ci-robot merged commit d1db90b into kubernetes:master Jan 8, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 8, 2021
@enj enj mentioned this pull request Jan 8, 2021
Closed
@github-actions github-actions bot mentioned this pull request Jan 12, 2021
Open
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 20, 2021
@mattmoyer
Remove unneeded sleep in test.
1eb537e 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need this sleep.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
@mattmoyer mattmoyer mentioned this pull request Apr 20, 2021
Merged
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 20, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
47dd8e5 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 20, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
961fa1b 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 21, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
b4e0372 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 21, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
3b032ae 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 21, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
37e3612 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
mattmoyer added a commit to mattmoyer/pinniped that referenced this pull request Apr 22, 2021
@mattmoyer
Remove unneeded OIDC-related sleeps in tests.
638d923 
Now that we have the fix from kubernetes/kubernetes#97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
@enj enj mentioned this pull request Jun 21, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericchiang ericchiang Awaiting requested review from ericchiang

@mikedanese mikedanese Awaiting requested review from mikedanese

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@enj @liggitt @k8s-ci-robot