go-vela · ecrupper · Jul 19, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 19, 2024
@@ -11,7 +11,7 @@ import (
 	"github.com/sirupsen/logrus"
 
 	"github.com/go-vela/server/api/types"
-	"github.com/go-vela/server/internal"
+	"github.com/go-vela/server/internal/token"
 )
 
 // swagger:operation GET /_services/token/.well-known/openid-configuration token GetOpenIDConfig
@@ -32,14 +32,14 @@ import (
 
 // GetOpenIDConfig represents the API handler for requests for configurations in the Vela OpenID service.
 func GetOpenIDConfig(c *gin.Context) {
-	m := c.MustGet("metadata").(*internal.Metadata)
 	l := c.MustGet("logger").(*logrus.Entry)
+	tm := c.MustGet("token-manager").(*token.Manager)
 
 	l.Debug("reading OpenID configuration")
 
 	config := types.OpenIDConfig{
-		Issuer:      fmt.Sprintf("%s/_services/token", m.Vela.Address),
-		JWKSAddress: fmt.Sprintf("%s/%s", m.Vela.Address, "_services/token/.well-known/jwks"),
+		Issuer:      tm.Issuer,
+		JWKSAddress: fmt.Sprintf("%s/.well-known/jwks", tm.Issuer),
 		ClaimsSupported: []string{
 			"sub",
 			"exp",

@@ -187,6 +187,11 @@ func main() {
 			Usage:   "sets the duration of an OpenID token requested during a build (should be short)",
 			Value:   5 * time.Minute,
 		},
+		&cli.StringFlag{
+			EnvVars: []string{"VELA_OPEN_ID_ISSUER", "OPEN_ID_ISSUER"},
+			Name:    "oidc-issuer",
+			Usage:   "sets the issuer of the OpenID token requested during a build",
+		},
 		// Compiler Flags
 		&cli.BoolFlag{
 			EnvVars: []string{"VELA_COMPILER_GITHUB", "COMPILER_GITHUB"},

@@ -108,6 +108,15 @@ func server(c *cli.Context) error {
 		return err
 	}
 
+	// determine issuer for metadata and token manager
+	oidcIssuer := c.String("oidc-issuer")
+	if len(oidcIssuer) == 0 {
+		oidcIssuer = fmt.Sprintf("%s/_services/token", c.String("server-addr"))
+	}
+
+	metadata.Vela.OpenIDIssuer = oidcIssuer
+	tm.Issuer = oidcIssuer
+
 	jitter := wait.Jitter(5*time.Second, 2.0)
 
 	logrus.Infof("retrieving initial platform settings after %v delay", jitter)

@@ -3,8 +3,6 @@
 package main
 
 import (
-	"fmt"
-
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 
@@ -24,7 +22,6 @@ func setupTokenManager(c *cli.Context, db database.Interface) (*token.Manager, e
 		WorkerAuthTokenDuration:     c.Duration("worker-auth-token-duration"),
 		WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
 		IDTokenDuration:             c.Duration("id-token-duration"),
-		Issuer:                      fmt.Sprintf("%s/_services/token", c.String("server-addr")),
 	}
 
 	// generate a new RSA key pair

@@ -4,6 +4,7 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"strings"
 
 	"github.com/sirupsen/logrus"
@@ -105,6 +106,13 @@ func validateCore(c *cli.Context) error {
 		return fmt.Errorf("default-repo-approve-build (VELA_DEFAULT_REPO_APPROVE_BUILD) has the unsupported value of %s", c.String("default-repo-approve-build"))
 	}
 
+	if len(c.String("oidc-issuer")) > 0 {
+		_, err := url.Parse(c.String("oidc-issuer"))
+		if err != nil {
+			return fmt.Errorf("oidc-issuer (VELA_OPEN_ID_ISSUER) flag must be a valid URL")
+		}
+	}
+
 	return nil
 }
 

@@ -309,12 +309,14 @@ func environment(b *api.Build, m *internal.Metadata, r *api.Repo, u *api.User) m
 	// populate environment variables from metadata
 	if m != nil {
 		env["VELA_ADDR"] = m.Vela.WebAddress
+		env["VELA_SERVER_ADDR"] = m.Vela.Address
 		env["VELA_CHANNEL"] = m.Queue.Channel
 		env["VELA_DATABASE"] = m.Database.Driver
 		env["VELA_HOST"] = m.Vela.Address
 		env["VELA_NETRC_MACHINE"] = m.Source.Host
 		env["VELA_QUEUE"] = m.Queue.Driver
 		env["VELA_SOURCE"] = m.Source.Driver
+		env["VELA_OPEN_ID_ISSUER"] = m.Vela.OpenIDIssuer
 		env["VELA_ID_TOKEN_REQUEST_URL"] = fmt.Sprintf("%s/api/v1/repos/%s/builds/%d/id_token", m.Vela.Address, r.GetFullName(), b.GetNumber())
 		channel = m.Queue.Channel
 		workspace = fmt.Sprintf("%s/%s/%s/%s", workspace, m.Source.Host, r.GetOrg(), r.GetName())

@@ -31,6 +31,7 @@ type (
 		WebOauthCallbackPath string        `json:"web_oauth_callback_path"`
 		AccessTokenDuration  time.Duration `json:"access_token_duration"`
 		RefreshTokenDuration time.Duration `json:"refresh_token_duration"`
+		OpenIDIssuer         string        `json:"oidc_issuer"`
 	}
 
 	// Metadata is the extra set of data passed to the compiler for