K8s: standalone authenticator that allows a type of downstream forwarding (#85130)

pkg/services/apiserver/standalone/options/authn.go

@@ -0,0 +1,9 @@
+package options
+
+import "github.com/grafana/authlib/authn"
+
+func NewAuthnOptions() *AuthnOptions {
+	return &AuthnOptions{
+		IDVerifierConfig: &authn.IDVerifierConfig{},
+	}
+}

pkg/services/apiserver/standalone/options/options.go

@@ -7,6 +7,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
+
+	"github.com/grafana/authlib/authn"
 )
 
 type Options struct {
@@ -15,6 +17,7 @@ type Options struct {
 	RecommendedOptions *genericoptions.RecommendedOptions
 	TracingOptions     *TracingOptions
 	MetricsOptions     *MetricsOptions
+	AuthnOptions       *AuthnOptions
 }
 
 func New(logger log.Logger, codec runtime.Codec) *Options {
@@ -24,6 +27,7 @@ func New(logger log.Logger, codec runtime.Codec) *Options {
 		RecommendedOptions: options.NewRecommendedOptions(codec),
 		TracingOptions:     NewTracingOptions(logger),
 		MetricsOptions:     NewMetrcicsOptions(logger),
+		AuthnOptions:       NewAuthnOptions(),
 	}
 }
 
@@ -33,6 +37,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	o.RecommendedOptions.AddFlags(fs)
 	o.TracingOptions.AddFlags(fs)
 	o.MetricsOptions.AddFlags(fs)
+	o.AuthnOptions.AddFlags(fs)
 }
 
 func (o *Options) Validate() []error {
@@ -157,3 +162,15 @@ func (o *Options) ApplyTo(serverConfig *genericapiserver.RecommendedConfig) erro
 
 	return nil
 }
+
+type AuthnOptions struct {
+	IDVerifierConfig *authn.IDVerifierConfig
+}
+
+func (authOpts *AuthnOptions) AddFlags(fs *pflag.FlagSet) {
+	prefix := "grafana.authn"
+	fs.StringVar(&authOpts.IDVerifierConfig.SigningKeysURL, prefix+".signing-keys-url", "", "URL to jwks endpoint")
+
+	audience := fs.StringSlice(prefix+".allowed-audiences", []string{}, "Specifies a comma-separated list of allowed audiences.")
+	authOpts.IDVerifierConfig.AllowedAudiences = *audience
+}