Additional authentication type 'k8s-oidc' that extends 'oauth'

[mstruk]

Type of change

• Enhancement / new feature

Description

TODO: This PR uses an unreleased SNAPSHOT version of OAuth library.

Make it easy to configure the usage of Kubernetes internal OIDC server. The new authentication type 'k8s-oidc' is an extension of 'oauth' type for listeners and various managed Kafka clients (KafkaConnector, KafkaBridge, KafkaMirrorMaker2, ...).

Checklist

Please go through this checklist and make sure all applicable tasks have been done

• Write tests
• Make sure all tests pass
• Update documentation
• Check RBAC rights for Kubernetes / OpenShift roles
• Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
• Reference relevant issue(s) and close them after merging
• Update CHANGELOG.md
• Supply screenshots for visual changes, such as Grafana dashboards

[scholzj]

Should we call it kubernetes? Or serviceaccount?

[mstruk]

Sure, if it makes it clearer, it can be either. Both names make sense. Do you have a preference?

[scholzj]

I wonder if we should have a proposal for this to clarify details like this. @strimzi/maintainers Any thoughts on the type name?

[Frawless]

How about kubernetes-internal / KUBERNETES_INTERNAL / K8S_INTERNAL ? From the discussion during community call it would make sense to me.

[see-quick]

What about TYPE_KUBERNETES_OPEN_ID_CONNECT_AUTH?

[mstruk]

That's may actually not be a good idea because searching for it through documentation or search engines will not produce good results.

[Frawless]

So based on the community call from this week let's move this a little bit. In the comments there were the following options more or less:

• kubernetes-openid
• kubernetes-auth
• kubernetes
• kubernetes-oidc
• kubernetes-internal
• kubernetes-sa maybe (not listed above)?
• serviceaccount
• serviceacount-oidc
• serviceacount-oauth

Any other options?

edit: added serviceaccount, serviceacount-oidc, serviceacount-oauth

[scholzj]

serviceaccount or some variant on it? serviceacount-oidc or serviceaccount-oauth?

[Frawless]

ye I was thinking about serviceaccount as well, but alone it sounds little bit strange to me. serviceacount-oidc or serviceacount-oauth sounds better I think. I will put it into the list and I guess we could do some vote soon.

[scholzj]

Discussed on the community call of 16.5.2024: We decided to go with type: serviceaccount-oauth.

[scholzj]

Maybe we could add something like uses SASL OAUTHBEARER Authentication in combination with Kubernetes ServiceAccounts?

[mstruk]

Yes, sounds good.

[scholzj]

Same as earlier -> maybe you can explain how it differs from oauth.

[mstruk]

Your proposed string would work here as well. In order to be slightly more descriptive maybe we could say something like: 'uses SASL OAUTHBEARER Authentication pre-configured with Kubernetes ServiceAccount token file location'

[scholzj]

Yeah, I think what you suggest would work fine here.

[scholzj]

Should this test also when it is used for the source clusters?

[mstruk]

I added the test by pattern-matching other OAuth tests, and they only test with target cluster. I guess the reasoning here was that we really test KafkaClientAuthenticationOAuthBuilder here, which is used both for the target and for the source cluster, thus if it works for one why would it fail for the other?

[scholzj]

The env vars work differently for source clusters as there might be many of them. That is why I think it needs to be tested as well. It is possible it was forgotten for the previous part, but you can probably add it at least for this feature.

[scholzj]

Should we have test for producer as well? (or cover it in this test)

[mstruk]

That's a good catch. There's is a whole series of tests with consumer and with producer there. I missed the producer one.

[scholzj]

One more thing - this should also have some CHANGELOG record.