Commit 9b5ce521 authored by Eric Chiang's avatar Eric Chiang

pkg/apiserver/authenticator: move oidc after service accounts

Both plugins verify JWTs, but the OpenID Connect plugin performs much worse when faced with cache misses. Reorder the plugins so the service account plugin tries to authenticate a bearer token first.
parent ea69570f
...@@ -80,20 +80,26 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) { ...@@ -80,20 +80,26 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
authenticators = append(authenticators, tokenAuth) authenticators = append(authenticators, tokenAuth)
} }
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 { if len(config.ServiceAccountKeyFile) > 0 {
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim) serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFile, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
if err != nil { if err != nil {
return nil, err return nil, err
} }
authenticators = append(authenticators, oidcAuth) authenticators = append(authenticators, serviceAccountAuth)
} }
if len(config.ServiceAccountKeyFile) > 0 { // NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFile, config.ServiceAccountLookup, config.ServiceAccountTokenGetter) //
// Because both plugins verify JWTs whichever comes first in the union experiences
// cache misses for all requests using the other. While the service account plugin
// simply returns an error, the OpenID Connect plugin may query the provider to
// update the keys, causing performance hits.
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCGroupsClaim)
if err != nil { if err != nil {
return nil, err return nil, err
} }
authenticators = append(authenticators, serviceAccountAuth) authenticators = append(authenticators, oidcAuth)
} }
if len(config.KeystoneURL) > 0 { if len(config.KeystoneURL) > 0 {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment