Ability to override jwks_url #8348

Open
maschmid opened this issue Nov 26, 2024 · 2 comments · May be fixed by #8376
Labels
kind/feature-request triage/accepted Issues which should be fixed (post-triage)

Comments

@maschmid
Contributor

Problem
By default, the jwks_url is taken from https://kubernetes.default.svc/.well-known/openid-configuration.

In some k8s distributions, like OpenShift, the jwks_url defaults to a public address of the API load-balancer. This makes sense for a lot of use cases, as the jwks_url is used for applications running outside of the cluster. A secured cluster, however, may block connections from inside of the cluster to the public load-balancer address; so such a jwks_url is unusable from inside of the cluster, and Eventing cannot be used with OIDC enabled on such a cluster by default.

In such cases, it would be helpful to have an option to override jwks_url, e.g. to https://kubernetes.default.svc/openid/v1/jwks, so as to connect to the API server directly, and not via its public API load-balancer address, which may be blocked from inside of the cluster.

Persona:
System Operator

Exit Criteria
A configuration option that allows overriding jwks_url

Time Estimate (optional):
1

Additional context (optional)
It is already possible to use the oidc-discovery-base-url configuration option, but using this option for this use-case would require setting up an HTTP server inside the cluster just to return the desired JSON with the desired jwks_url value as its response to GET /.well-known/openid-configuration, which is impractical.
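
One way to implement the requested behaviour, as an added example (not Knative Eventing code and not part of the issue): the JWKS location is read from the discovery document unless an operator override is set, and either value must be an absolute https URL. The function names, the override parameter and the `api.cluster.example` address are assumptions for illustration; OIDC discovery documents carry the value in the `jwks_uri` field.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// requireHTTPS: the JWKS is the trust anchor for token checks, so only absolute https URLs pass.
func requireHTTPS(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("JWKS URL %q is not an absolute https URL", raw)
	}
	return u.String(), nil
}

// resolveJWKSURL returns the override (hypothetical option) when set, else the discovered jwks_uri.
func resolveJWKSURL(c *http.Client, baseURL, override string) (string, error) {
	if override != "" {
		return requireHTTPS(override) // discovery is skipped entirely
	}
	resp, err := c.Get(baseURL + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var doc struct{ JWKSURI string `json:"jwks_uri"` }
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", err
	}
	return requireHTTPS(doc.JWKSURI)
}

// newFakeAPIServer is a constructed stand-in that advertises a made-up public load-balancer address.
func newFakeAPIServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"jwks_uri":"https://api.cluster.example:6443/openid/v1/jwks"}`)
	}))
}

func main() {
	srv := newFakeAPIServer()
	defer srv.Close()
	fmt.Println(resolveJWKSURL(srv.Client(), srv.URL, ""))
	fmt.Println(resolveJWKSURL(srv.Client(), srv.URL, "https://kubernetes.default.svc/openid/v1/jwks"))
}
```

Rejecting a plain-http override keeps the setting from silently downgrading how the token-signing keys are fetched.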

@pierDipi
Member

/triage accepted

@KapilSareen

/assign

@KapilSareen KapilSareen linked a pull request Dec 8, 2024 that will close this issue