ROX-27432: allow regex in authentication claimrules

[tommartensen]

This allows multiple (Rover) groups to be specified in the OIDC configuration.

[rhacs-bot]

A single node development cluster (infra-pr-1441) was allocated in production infra for this PR.

CI will attempt to deploy quay.io/rhacs-eng/infra-server:0.10.59-4-g2eaa54df2d to it.

🔌 You can connect to this cluster with:

gcloud container clusters get-credentials infra-pr-1441 --zone us-central1-a --project acs-team-temp-dev

🛠️ And pull infractl from the deployed dev infra-server with:

nohup kubectl -n infra port-forward svc/infra-server-service 8443:8443 &
make pull-infractl-from-dev-server

🚲 You can then use the dev infra instance e.g.:

bin/infractl -k -e localhost:8443 whoami

⚠️ Any clusters that you start using your dev infra instance should have a lifespan shorter then the development cluster instance. Otherwise they will not be destroyed when the dev infra instance ceases to exist when the development cluster is deleted. ⚠️

Further Development

☕ If you make changes, you can commit and push and CI will take care of updating the development cluster.

🚀 If you only modify configuration (chart/infra-server/configuration) or templates (chart/infra-server/{static,templates}), you can get a faster update with:

make install-local

Logs

Logs for the development infra depending on your @redhat.com authuser:

• authuser=0
• authuser=1
• authuser=2

Or:

kubectl -n infra logs -l app=infra-server --tail=1 -f

[davdhacs]

Would it be useful to test that val3xyz does not trigger as a match, and prevent a regression that would allow subset matches?

[tommartensen]

I added additional substring tests in 2eaa54d.

I am preventing substring matching by wrapping the test string with ^$: https://github.com/stackrox/infra/pull/1441/files#diff-4686f933d92fd202f84313c97ceb4ee8b35f5eb949a71b7ab8a6687a452947daR74