From 942698f3774853160ab2a92ea7d5ecae5e92771c Mon Sep 17 00:00:00 2001
From: Johannes Aubart
Date: Thu, 16 Oct 2025 13:52:57 +0200
Subject: [PATCH] enable '::' prefix in AccessRequest subject names to omit oidc provider name prefix

---
 internal/controllers/accessrequest/access.go | 7 ++++++-
 .../accessrequest/controller_test.go | 21 ++++++++++++-------
 .../test-05/platform/accessrequest-oidc.yaml | 2 ++
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/internal/controllers/accessrequest/access.go b/internal/controllers/accessrequest/access.go
index 04276c9..af5629f 100644
--- a/internal/controllers/accessrequest/access.go
+++ b/internal/controllers/accessrequest/access.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "maps"
 "strconv"
+ "strings"
 "time"
 
 corev1 "k8s.io/api/core/v1"
@@ -576,7 +577,11 @@ func (r *AccessRequestReconciler) ensureOIDCAccess(ctx context.Context, ar *clus
 for i, roleBinding := range ar.Spec.OIDC.RoleBindings {
 // append username prefix and groups prefix to subjects
 subjects := collections.ProjectSliceToSlice(roleBinding.Subjects, func(sub rbacv1.Subject) rbacv1.Subject {
- sub.Name = oidcConfig.UsernameGroupsPrefix() + sub.Name
+ if suffix, ok := strings.CutPrefix(sub.Name, "::"); ok {
+ sub.Name = suffix
+ } else {
+ sub.Name = oidcConfig.UsernameGroupsPrefix() + sub.Name
+ }
 return sub
 })
 // ensure (Cluster)RoleBindings
diff --git a/internal/controllers/accessrequest/controller_test.go b/internal/controllers/accessrequest/controller_test.go
index 39b26c5..7d07795 100644
--- a/internal/controllers/accessrequest/controller_test.go
+++ b/internal/controllers/accessrequest/controller_test.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "strconv"
+ "strings"
 "time"
 
 . "github.com/onsi/ginkgo/v2"
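Review bot: The new `::` escape in the subject projection of `ensureOIDCAccess` lets any AccessRequest author bind a role to an unprefixed name, which includes built-in identities such as `system:masters`, `system:authenticated` or `system:unauthenticated`; the OIDC username/groups prefix was what kept request subjects scoped to the provider, and nothing in the hunk rejects such names (a bare `"::"` also yields an empty subject name). Whether that is a privilege-escalation path depends on who may create AccessRequests, which this hunk does not show; if anyone other than platform admins can, the stripped name should be validated before the projection — ideally in admission/CRD validation, but at least here as defense in depth. The closure returns `rbacv1.Subject` and cannot report an error, so the check belongs in a pass over `roleBinding.Subjects` ahead of `ProjectSliceToSlice`; the sketch below assumes `ensureOIDCAccess` returns an `error` (its signature is cut off at `*clus` in the hunk header, so confirm). The comment `// append username prefix and groups prefix to subjects` should also state the opt-out, e.g. `// append the OIDC username/groups prefix to subjects; a leading "::" opts a name out of prefixing and is stripped`.
```go
		// append the OIDC username/groups prefix to subjects; a leading "::" opts a
		// name out of prefixing and is stripped. Refuse opt-outs that would target
		// built-in identities, since the prefix is what keeps request subjects
		// scoped to the OIDC provider.
		for _, sub := range roleBinding.Subjects {
			raw, ok := strings.CutPrefix(sub.Name, "::")
			if ok && (raw == "" || strings.HasPrefix(raw, "system:")) {
				return fmt.Errorf("roleBindings[%d]: unprefixed subject %q is not allowed", i, sub.Name)
			}
		}
		subjects := collections.ProjectSliceToSlice(roleBinding.Subjects, func(sub rbacv1.Subject) rbacv1.Subject {
		// … unchanged: "::" strip / prefix projection, return sub …
```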
@@ -474,10 +475,12 @@ var _ = Describe("AccessRequest Controller", func() {
 Namespace: subject.Namespace,
 }
 switch expected.Kind {
- case rbacv1.GroupKind:
- expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
- case rbacv1.UserKind:
- expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
+ case rbacv1.GroupKind, rbacv1.UserKind:
+ if suffix, ok := strings.CutPrefix(subject.Name, "::"); ok {
+ expected.Name = suffix
+ } else {
+ expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
+ }
 default:
 expected.Name = subject.Name
 }
@@ -503,10 +506,12 @@ var _ = Describe("AccessRequest Controller", func() {
 Namespace: subject.Namespace,
 }
 switch expected.Kind {
- case rbacv1.GroupKind:
- expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
- case rbacv1.UserKind:
- expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
+ case rbacv1.GroupKind, rbacv1.UserKind:
+ if suffix, ok := strings.CutPrefix(subject.Name, "::"); ok {
+ expected.Name = suffix
+ } else {
+ expected.Name = ar.Spec.OIDC.UsernameGroupsPrefix() + subject.Name
+ }
 default:
 expected.Name = subject.Name
 }
diff --git a/internal/controllers/cluster/testdata/test-05/platform/accessrequest-oidc.yaml b/internal/controllers/cluster/testdata/test-05/platform/accessrequest-oidc.yaml
index 82db07c..63b1e91 100644
--- a/internal/controllers/cluster/testdata/test-05/platform/accessrequest-oidc.yaml
+++ b/internal/controllers/cluster/testdata/test-05/platform/accessrequest-oidc.yaml
@@ -22,6 +22,8 @@ spec:
 name: foo
 - kind: Group
 name: bar
+ - kind: Group
+ name: "::asdf" # no prefix should be appended
 roleRefs:
 - kind: ClusterRole
 name: foo
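Review bot: The expectation in both `switch expected.Kind` blocks now re-implements the `::`-strip rule from `ensureOIDCAccess` with the same `strings.CutPrefix(subject.Name, "::")` call, so a wrong rule in production (for example stripping `::` but still prepending the prefix, or the reverse) would be mirrored in the expected value and the test would still pass. Pin the escape with a literal instead: keep the prefixed expectation for ordinary names and add a dedicated case asserting that a subject named `"::asdf"` appears in the created (Cluster)RoleBinding as exactly `Name: "asdf"`, plus one asserting that a plain name still carries `ar.Spec.OIDC.UsernameGroupsPrefix()`. The helper containing these switches starts and ends outside the hunks. The two hunks are identical copies, so an `expectedSubjectName(ar, subject)` test helper would avoid maintaining this logic twice.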