Header finalizer handling for multiple headers with the same name #2206

Open
2 of 3 tasks
aslafy-z opened this issue Feb 21, 2025 · 0 comments · May be fixed by #2244
Labels
feature Used for new features
aslafy-z commented Feb 21, 2025

Preflight checklist

Describe the background of your feature request

Certain applications, such as the [Kubernetes Dashboard in impersonation mode](https://github.com/kubernetes/dashboard/blob/master/docs/user/README.md), require multiple headers with the same name but different values. Currently, Heimdall's header finalizer does not support dynamically generating multiple headers with identical names, limiting its applicability in these scenarios.

With the current implementation of the header finalizer, I could not find a way to set Impersonation-Group multiple times. Also, I'm not sure how multiple headers with the same key can be populated dynamically from the subject.

For example:

  • With the subject group having [Group1, Group2], Heimdall should export:
    Impersonation-Group: Group1
    Impersonation-Group: Group2
    
  • With the subject group having [Group2, Group3, Group4], Heimdall should export:
    Impersonation-Group: Group2
    Impersonation-Group: Group3
    Impersonation-Group: Group4
    

Describe your idea

Modify the headers configuration in the header finalizer to accept newline-separated lists of values for a single header name.

```yaml
id: dynamic_group_headers
type: header
config:
  headers:
    Impersonation-Group: |
      {{- range .Subject.Attributes.groups }}
      {{ . }}
      {{- end }}
```

  • Impersonation-Group: The header name that should be repeated.

  • The templated value iterates over the groups attribute of the subject, injecting each group as a separate Impersonation-Group header.

  • Since newline characters are not allowed in headers, the current validation rules may need to be relaxed to accommodate this functionality.

Are there any workarounds or alternatives?

Not that I can think of.

Here's what I used previously: https://github.com/aslafy-z/k8s-dashboard-impersonation-proxy.

Version

v0.15.16

Additional Context

Ingress-nginx currently [has a blocking issue](kubernetes/ingress-nginx#12880) that prevents this from working well in decision mode, as it forcibly flattens same-name headers. In proxy mode, this feature will allow impersonation headers to reach the upstream without additional changes.

Discussion is open at https://discord.com/channels/1100447190796742698/1344691327958519860/1344691327958519860
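An added sketch of the newline-separated expansion proposed in this issue (not Heimdall's code and not part of the original post): it renders the template, emits one header value per output line, and rejects subject attributes that contain a line break, since with newline as the separator such a value would otherwise become an extra `Impersonation-Group` entry. The `Subject` type and `ExpandHeader` function are hypothetical names, and the group values are constructed samples.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
	"text/template"
)

// Subject is a hypothetical stand-in for the authenticated subject.
type Subject struct{ Attributes map[string][]string }

// ExpandHeader renders tmpl and adds each non-empty output line as a separate
// value of header name. Attributes are checked before rendering so that a value
// carrying its own line break cannot turn into an additional header value.
func ExpandHeader(h http.Header, name, tmpl string, sub Subject) error {
	for attr, vals := range sub.Attributes {
		for _, v := range vals {
			if strings.ContainsAny(v, "\r\n\x00") {
				return fmt.Errorf("attribute %q: value contains a line break or NUL", attr)
			}
		}
	}
	t, err := template.New(name).Parse(tmpl)
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Subject": sub}); err != nil {
		return err
	}
	for _, line := range strings.Split(buf.String(), "\n") {
		if v := strings.TrimSpace(line); v != "" {
			h.Add(name, v) // Add appends; Set would overwrite earlier values
		}
	}
	return nil
}

func main() {
	h := http.Header{}
	sub := Subject{Attributes: map[string][]string{"groups": {"Group1", "Group2"}}} // constructed
	tmpl := "{{- range .Subject.Attributes.groups }}\n{{ . }}\n{{- end }}\n"
	if err := ExpandHeader(h, "Impersonation-Group", tmpl, sub); err != nil {
		panic(err)
	}
	fmt.Println(h.Values("Impersonation-Group")) // one entry per group
}
```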
