New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump go-oidc to 3.6.0 #114772
Bump go-oidc to 3.6.0 #114772
Conversation
Hi @skitt. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/kind cleanup |
@@ -17,4 +13,5 @@ const ( | |||
PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256 | |||
PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384 | |||
PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512 | |||
EdDSA = "EdDSA" // Ed25519 using SHA-512 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm... not a great sign that the one addition here isn't defined in the linked RFC
@@ -205,7 +205,7 @@ func TestServiceAccountTokenCreate(t *testing.T) { | |||
} | |||
|
|||
checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub") | |||
checkPayload(t, treq.Status.Token, `["api"]`, "aud") | |||
checkPayload(t, treq.Status.Token, `"api"`, "aud") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change is surprising... does the serialization actually modify the shape of the service account tokens we emit? (string aud
field instead of array of strings)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was introduced by square/go-jose#247 — tokens with a single audience are emitted with a string field rather than an array of strings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have time to review the square → go-jose changes in depth in the short-term, but they need an in-depth review, given the importance of the authn layer using this
/uncc liggitt /assign aramase |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@skitt Are you still working on this?
/remove-sig instrumentation |
Yes, but I won’t have time to revisit it for another two weeks or so. |
bump on this! The PR requires rebase. |
This replaces gopkg.in/square/go-jose.v2 with github.com/go-jose/go-jose/v3 which is the currently-maintained stable version of go-jose. This adds to vendor, but once go-oidc is bumped to a version including its go-jose bump, go-jose.v2 will be removed entirely. Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This is now a proper semantically-versioned Go module. Notably for Kubernetes, it pulls in gopkg.in/go-jose/go-jose/v3, which means gopkg.in/square/go-jose.v2 is dropped from vendor. go-oidc re-introduces a dependency on appengine through oauth2, add it to the unwanted references. Signed-off-by: Stephen Kitt <skitt@redhat.com>
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This updates go-oidc to v3.5.0, which is now a proper semantically-versioned Go module. Most importantly for Kubernetes, it pulls in newer versions of various Go dependencies, which help with the cloud.google.com/go / genproto untangling (#113366).
The transitive upgrade of cloud.google.com/go/compute/metadata requires a bump of cloud.google.com/go/compute to a version where metadata is split out; this patch upgrades to the version matching metadata v0.2.1, compute v1.12.1. (Later versions pull in newer genproto versions which re-introduce a firestore module dependency.)
go-jose is bumped too; this involves handling the change in jwt.NewNumericDate(), which now returns a pointer.
Which issue(s) this PR fixes:
None.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: