[v18] Add a caching OIDC validator for use with Kubernetes OIDC (#57862) #60711
Merged
timothyb89 merged 1 commit into branch/v18 on Oct 30, 2025
Conversation
* Add a caching OIDC validator for use with Kubernetes OIDC

  This adds a generic caching OIDC validator which is initially used to cache Kubernetes OIDC requests. This takes a simpler approach to the one explored in #57789 and explicitly caches the two resources in question:

  - We cache the OIDC discovery configuration for an hour
  - We cache the JWKS keyset for 24 hours, and additionally allow the library to cache internally. It currently has no internal method for invalidating old keys, so we purge the `oidc.KeySet` regularly. However, upon encountering an unknown `kid`, the library will attempt to fetch new keys on its own.

  This validator is designed to be generic and should be easy to apply to other users of our existing OIDC helper.

* Manage validator instances by issuer; use in Kubernetes validator

  This adds an indirection layer to automatically manage validator instances, as cached data is specific to a particular (issuer, audience) combination.

  Additionally, this swaps the new caching validator in, in place of the standard non-caching validator.

* Fix comments and add missing mutex lock
* Add tests for the caching validator
* Fix lints
* Add logging
* Fix imports
* Code review suggestions: atomic expiry, misc fixes

  This changes `validatorExpires` to be an atomic int64, which removes a lock from `Expires()` / `IsStale()` and ensures an ongoing pruning won't block `ValidateToken()`.

* Replace validator cache and pruning with `utils.FnCache`

  This swaps the hand-rolled cache for validators with `utils.FnCache`, since it's more robust and its TTL mechanism works properly for our needs.

* Remove commented out test code
* Fix build errors and enable ReloadOnErr
* Code review suggestions
strideynet approved these changes Oct 29, 2025
smallinsky approved these changes Oct 29, 2025
tigrato approved these changes Oct 29, 2025
Backport of #57862 for branch/v18
changelog: Kubernetes OIDC responses are now cached to improve performance and reliability when joining bots and nodes
This adds a generic caching OIDC validator which is initially used to cache Kubernetes OIDC requests. This takes a simpler approach to the one explored in #57789 and explicitly caches the two resources in question:

- We cache the OIDC discovery configuration for an hour
- We cache the JWKS keyset for 24 hours, and additionally allow the library to cache internally. It currently has no internal method for invalidating old keys, so we purge the `oidc.KeySet` regularly. However, upon encountering an unknown `kid`, the library will attempt to fetch new keys on its own.

This validator is designed to be generic and should be easy to apply to other users of our existing OIDC helper.

Manage validator instances by issuer; use in Kubernetes validator

This adds an indirection layer to automatically manage validator instances, as cached data is specific to a particular (issuer, audience) combination.

Additionally, this swaps the new caching validator in, in place of the standard non-caching validator.
Fix comments and add missing mutex lock
Add tests for the caching validator
Fix lints
Add logging
Fix imports
Code review suggestions: atomic expiry, misc fixes
This changes `validatorExpires` to be an atomic int64, which removes a lock from `Expires()` / `IsStale()` and ensures an ongoing pruning won't block `ValidateToken()`.

Replace validator cache and pruning with `utils.FnCache`

This swaps the hand-rolled cache for validators with `utils.FnCache`, since it's more robust and its TTL mechanism works properly for our needs.
Remove commented out test code
Fix build errors and enable ReloadOnErr
Code review suggestions
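The caching scheme the description lays out (discovery cached for an hour, the key set for 24 hours, an atomic expiry stamp so the hot path takes no lock, and a refetch when a token carries an unknown `kid`), as an added Go example. This is not Teleport's code and not the `oidc` library the PR wraps: `fetchDiscovery` and `fetchKeys` are hypothetical hooks standing in for the HTTPS fetches, key material is an opaque string, the "signature check" is a string compare in place of JWT verification, and the issuer and audience values are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Constructed stand-ins, not Teleport's code: a real validator fetches the
// discovery document and JWKS over HTTPS; these types let the block run offline.
type discovery struct{ JWKSURI string }
type keySet map[string]string // kid -> key material (an opaque string here)

// TTLs from the PR description: discovery for an hour, JWKS for 24 hours.
const (
	discoveryTTL = time.Hour
	keySetTTL    = 24 * time.Hour
)

// cachingValidator caches discovery and keys for one (issuer, audience) pair.
// Expiry stamps are atomic so the cache-hit path never takes the mutex.
type cachingValidator struct {
	issuer, audience string
	fetchDiscovery   func(issuer string) (discovery, error) // hypothetical hook
	fetchKeys        func(jwksURI string) (keySet, error)   // hypothetical hook
	now              func() time.Time                       // injectable clock
	mu               sync.Mutex                             // serialises refetches
	disc             *discovery                             // written only under mu
	discExpires      atomic.Int64                           // unix nanos
	keys             atomic.Pointer[keySet]
	keysExpires      atomic.Int64
}

func expired(exp *atomic.Int64, now time.Time) bool { return now.UnixNano() >= exp.Load() }

// loadKeys serves the cached key set, refetching it when its TTL is up or when
// force is set (unknown kid); discovery is re-read on that path only once its own TTL is up.
func (v *cachingValidator) loadKeys(force bool) (keySet, error) {
	now := v.now()
	if ks := v.keys.Load(); ks != nil && !force && !expired(&v.keysExpires, now) {
		return *ks, nil
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if v.disc == nil || expired(&v.discExpires, now) {
		d, err := v.fetchDiscovery(v.issuer)
		if err != nil {
			return nil, fmt.Errorf("discovery: %w", err)
		}
		v.disc = &d
		v.discExpires.Store(now.Add(discoveryTTL).UnixNano())
	}
	ks, err := v.fetchKeys(v.disc.JWKSURI)
	if err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	v.keys.Store(&ks)
	v.keysExpires.Store(now.Add(keySetTTL).UnixNano())
	return ks, nil
}

// token is a constructed stand-in for a parsed JWT; Sig stands in for its signature.
type token struct{ Issuer, Audience, Kid, Sig string }

// ValidateToken checks issuer and audience, resolves the kid against the cached keys,
// and refetches once on an unknown kid so a rotated-in key works before the purge.
func (v *cachingValidator) ValidateToken(t token) error {
	if t.Issuer != v.issuer || t.Audience != v.audience {
		return fmt.Errorf("token for (%q, %q) sent to validator for (%q, %q)", t.Issuer, t.Audience, v.issuer, v.audience)
	}
	ks, err := v.loadKeys(false)
	if err != nil {
		return err
	}
	key, ok := ks[t.Kid]
	if !ok {
		if ks, err = v.loadKeys(true); err != nil {
			return err
		}
		if key, ok = ks[t.Kid]; !ok {
			return fmt.Errorf("unknown kid %q", t.Kid)
		}
	}
	// Toy signature check: real code verifies the JWT signature with the key.
	if t.Sig != key {
		return fmt.Errorf("signature mismatch for kid %q", t.Kid)
	}
	return nil
}

func main() {
	v := &cachingValidator{
		issuer: "https://kubernetes.default.svc.cluster.local", audience: "teleport.example.com", now: time.Now,
		fetchDiscovery: func(iss string) (discovery, error) { return discovery{JWKSURI: iss + "/openid/v1/jwks"}, nil },
		fetchKeys:      func(string) (keySet, error) { return keySet{"k1": "key-one"}, nil },
	}
	fmt.Println(v.ValidateToken(token{Issuer: v.issuer, Audience: v.audience, Kid: "k1", Sig: "key-one"})) // <nil>
	fmt.Println(v.ValidateToken(token{Issuer: v.issuer, Audience: v.audience, Kid: "k9", Sig: "key-one"})) // unknown kid "k9"
}
```

Two consequences of the scheme are worth keeping in mind when reading the real change. A key the issuer rotates in is picked up immediately, because the unknown `kid` forces a refetch; a key the issuer removes stays trusted here until the 24-hour purge, since nothing but the TTL or an unknown `kid` triggers a fetch, which is the trade the description accepts with the regular purge. And the `kid` is attacker-chosen input driving a network fetch, so a production implementation should bound how often that refetch path can fire; this toy does not. The per-(issuer, audience) registry that hands out one validator per pair, and its pruning via `utils.FnCache`, is left out of the block.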