add Audit-ID headers to TokenReview/SAR requests

Author: stlaz

providers/openshift/authentication.go

@@ -6,9 +6,12 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -195,10 +198,37 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication
 	if err != nil {
 		return nil, err
 	}
+
+	clientConfig.Wrap(auditIDRountripper)
+
 	client, err := authenticationclient.NewForConfig(clientConfig)
 	if err != nil {
 		return nil, err
 	}
 
 	return client, nil
 }
+
+func auditIDRountripper(rt http.RoundTripper) http.RoundTripper {
+	return roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		const auditIDKey = "Audit-ID"
+
+		auditID := r.Header.Get(auditIDKey)
+		if len(auditID) == 0 {
+			auditID = uuid.New().String()
+		}
+
+		r.Header.Add("Audit-ID", auditID)
+		resp, err := rt.RoundTrip(r)
+		if err != nil {
+			err = fmt.Errorf("audit-ID %q request failed: %w", auditID, err)
+		}
+		return resp, err
+	})
+}
+
+type roundTripFunc func(*http.Request) (*http.Response, error)
+
+func (fn roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return fn(req)
+}

providers/openshift/authorization.go

@@ -74,6 +74,8 @@ func (s *DelegatingAuthorizationOptions) newSubjectAccessReview() (authorization
 		return nil, err
 	}
 
+	clientConfig.Wrap(auditIDRountripper)
+
 	client, err := authorizationclient.NewForConfig(clientConfig)
 	if err != nil {
 		return nil, err