
THREESCALE-10523 - oidc in OpenAPI CR ignores some attributes for Product CR #909

Merged
merged 3 commits into from Jan 17, 2024

Conversation

valerymo
Contributor

@valerymo valerymo commented Jan 3, 2024

WHAT

Jira: https://issues.redhat.com/browse/THREESCALE-10523
PR is based on #908 (jira https://issues.redhat.com/browse/THREESCALE-10518) and will be merged after it.

  • The current PR does not change any flow, but adds/fixes error handling, making the flow correct and clear to understand.
  • A follow-on task has been opened to check/fix gatewayResponse (and Security attributes?) population into the Product CR from the OpenAPI CR: https://issues.redhat.com/browse/THREESCALE-10678
  • Documentation has been updated: a detailed description has been added for this case.
  • The PR makes it easier to understand the Product OIDC authentication flow settings.
  • The Validation section provides detailed notes on regression testing of the OIDC product authentication flow functionality and helps you understand it better.

Validation - Preparation

Prepare cluster (could be OSD)

Install RHSSO

Create project rhsso-test

  1. Install RHSSO from OperatorHub into project rhsso-test
  2. Create Keycloak Instance of RHSSO
  3. Open RHSSO portal
  4. Create a realm for the petstore product
    In RH User SSO web console:
  • Click Add realm. Add realm page will be opened
  • Set name, as petstore
  • Click Create. Petstore realm page will be opened. No changes required.
  5. Create a client for 3scale
  • In RH User SSO web console:

    • Choose Petstore realm (in top-left corner)
    • Select Configure -> Client
    • Click Create
    • Set Client ID: 3scale-zync
    • Click Save. Clients->3scale-zync page will be opened
  • Client Settings:

3scale-zync Client settings will be as in the table below:

| Parameter | Value |
| --- | --- |
| Name | 3scale-zync |
| Client Protocol | openid-connect |
| Access Type | confidential |
| Standard Flow Enabled | Off |
| Direct Access Grants Enabled | Off |
| Service Accounts Enabled | On |
  • Click Save
  • Provide Realm-Management - manage-clients:
    • Enter Service Account Roles tab -> Client Roles
      • Choose realm-management -> manage-clients
      • Click Add selected

Install 3scale

  1. Install and run 3scale operator
cd 3scale-operator
make install
oc new-project 3scale-test
make download
make run
  2. Apply s3 secret
  • Secret example (s3-creds-secret.yaml):
kind: Secret
apiVersion: v1
metadata: 
  name: s3-credentials
  namespace: 3scale-test
data: 
  AWS_ACCESS_KEY_ID: QU12345
  AWS_SECRET_ACCESS_KEY: aU12345=
  AWS_BUCKET: dm12345=
  AWS_REGION: ZX1234==
type: Opaque
oc apply -f s3-creds-secret.yaml
  3. Apply Apimanager CR
  • Apimanager CR example (apimanagerCR.yaml),
    please set your own wildcardDomain
  • apimanagerCR.yaml:
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
    name: example-apimanager
    namespace: 3scale-test
spec:
    wildcardDomain: apps.vmogilev01.xxx.s1.devshift.org
oc apply -f apimanagerCR.yaml
  4. Apply oidc issuer client secret
    This is the secret that contains the URL for issuerEndpoint.
    The secret is referenced in the OpenAPI CR, field issuerEndpointRef.
  • issuerEndpoint has to be stored base64-encoded in the Secret's data field; the sample below uses stringData so the value can be written in clear
  • oidc-issuer-client-secret.yaml:
kind: Secret
apiVersion: v1
metadata:
  name: oidc-issuer-client-secret
  namespace: 3scale-test
# stringData takes the clear value; the API server stores it base64-encoded under data
stringData:
  issuerEndpoint: https://3scale-zync:some-secret@keycloak-rhsso-test.apps.xxxxx.xxxx.xx.xx.org/auth/realms/petstore
type: Opaque
oc apply -f oidc-issuer-client-secret.yaml

Openapi Secret

Apply Secret that contains OAS (swagger) - OpenApi spec:

  • openapi-secret-oauth2.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: openapi-secret-oauth2
  namespace: 3scale-test
type: Opaque
stringData:
  openapi-oauth2.yaml: |
    ---
    components:
      schemas:
        Error:
          properties:
            code:
              format: int32
              type: integer
            message:
              type: string
          required:
          - code
          - message
          type: object
        NewPet:
          properties:
            name:
              type: string
            tag:
              type: string
          required:
          - name
          type: object
        Pet:
          allOf:
          - $ref: '#/components/schemas/NewPet'
          - properties:
              id:
                format: int64
                type: integer
            required:
            - id
            type: object
      securitySchemes:
        myOauth:
          description: This API uses OAuth 2 with the implicit grant flow. [More info](https://api.example.com/docs/auth)
          flows:
            password:
              scopes:
                read_pets: read your pets
                write_pets: modify pets in your account
              tokenUrl: https://api.example.com/oauth2/token
            implicit:
              authorizationUrl: https://example.com/api/oauth/dialog
              scopes:
                write_pets: modify pets in your account
                read_pets: read your pets
            authorizationCode:
              authorizationUrl: https://example.com/api/oauth/dialog
              tokenUrl: https://example.com/api/oauth/token
              scopes:
                write_pets: modify pets in your account
                read_pets: read your pets 
            clientCredentials:
              tokenUrl: https://example.com/api/oauth/token
              scopes:
                write_pets: modify pets in your account
                read_pets: read your pets           
          type: oauth2
    info:
      contact:
        email: apiteam@swagger.io
        name: Swagger API Team
        url: http://swagger.io
      description: A sample API that uses a petstore as an example to demonstrate features
        in the OpenAPI 3.0 specification
      license:
        name: Apache 2.0
        url: https://www.apache.org/licenses/LICENSE-2.0.html
      termsOfService: http://swagger.io/terms/
      title: Swagger Petstore
      version: 1.0.0
    openapi: 3.0.0
    paths:
      /pets:
        get:
          description: 'Returns all pets from the system that the user has access to

            Nam sed condimentum est. Maecenas tempor sagittis sapien, nec rhoncus sem
            sagittis sit amet. Aenean at gravida augue, ac iaculis sem. Curabitur odio
            lorem, ornare eget elementum nec, cursus id lectus. Duis mi turpis, pulvinar
            ac eros ac, tincidunt varius justo. In hac habitasse platea dictumst. Integer
            at adipiscing ante, a sagittis ligula. Aenean pharetra tempor ante molestie
            imperdiet. Vivamus id aliquam diam. Cras quis velit non tortor eleifend sagittis.
            Praesent at enim pharetra urna volutpat venenatis eget eget mauris. In eleifend
            fermentum facilisis. Praesent enim enim, gravida ac sodales sed, placerat
            id erat. Suspendisse lacus dolor, consectetur non augue vel, vehicula interdum
            libero. Morbi euismod sagittis libero sed lacinia.


            Sed tempus felis lobortis leo pulvinar rutrum. Nam mattis velit nisl, eu condimentum
            ligula luctus nec. Phasellus semper velit eget aliquet faucibus. In a mattis
            elit. Phasellus vel urna viverra, condimentum lorem id, rhoncus nibh. Ut pellentesque
            posuere elementum. Sed a varius odio. Morbi rhoncus ligula libero, vel eleifend
            nunc tristique vitae. Fusce et sem dui. Aenean nec scelerisque tortor. Fusce
            malesuada accumsan magna vel tempus. Quisque mollis felis eu dolor tristique,
            sit amet auctor felis gravida. Sed libero lorem, molestie sed nisl in, accumsan
            tempor nisi. Fusce sollicitudin massa ut lacinia mattis. Sed vel eleifend
            lorem. Pellentesque vitae felis pretium, pulvinar elit eu, euismod sapien.

            '
          operationId: findPets
          parameters:
          - description: tags to filter by
            in: query
            name: tags
            required: false
            schema:
              items:
                type: string
              type: array
            style: form
          - description: maximum number of results to return
            in: query
            name: limit
            required: false
            schema:
              format: int32
              type: integer
          responses:
            '200':
              content:
                application/json:
                  schema:
                    items:
                      $ref: '#/components/schemas/Pet'
                    type: array
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
        post:
          description: Creates a new pet in the store. Duplicates are allowed
          operationId: addPet
          requestBody:
            content:
              application/json:
                schema:
                  $ref: '#/components/schemas/NewPet'
            description: Pet to add to the store
            required: true
          responses:
            '200':
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Pet'
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
      /pets/{id}:
        delete:
          description: deletes a single pet based on the ID supplied
          operationId: deletePet
          parameters:
          - description: ID of pet to delete
            in: path
            name: id
            required: true
            schema:
              format: int64
              type: integer
          responses:
            '204':
              description: pet deleted
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
        get:
          description: Returns a user based on a single ID, if the user does not have
            access to the pet
          operationId: find pet by id
          parameters:
          - description: ID of pet to fetch
            in: path
            name: id
            required: true
            schema:
              format: int64
              type: integer
          responses:
            '200':
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Pet'
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
    security:
    - myOauth:
      - read
      - write
    servers:
    - url: http://petstore.swagger.io/v1

oc apply -f openapi-secret-oauth2.yaml

NOTES: the openapi-secret-oauth2 Secret contains securitySchemes with all authentication flows defined; this should result in all Product OIDC authentication flows being selected. The OpenAPI CR OIDC authentication flows (spec/oidc/authenticationFlow) will be ignored.

OpenApi CR

apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  annotations:
    insecure_skip_verify: 'true'
  name: openapi-example
  namespace: 3scale-test
spec:
  oidc:
    issuerType: keycloak
    issuerEndpointRef:
      name: oidc-issuer-client-secret
    jwtClaimWithClientID: azp
    jwtClaimWithClientIDType: plain
    authenticationFlow:
      standardFlowEnabled: true
      implicitFlowEnabled: false
      serviceAccountsEnabled: false
      directAccessGrantsEnabled: false
  openapiRef:
    secretRef:
      name: openapi-secret-oauth2
      namespace: 3scale-test
  prefixMatching: true

Validation

Test1

  • OpenAPI CR spec: OIDC

  • OAS securitySchemes type: oauth2

    • example from openapi-secret-oauth2 Secret:
  • Expected behavior:

    • CR OIDC Authentication Flows parameters will be ignored
    • Product OIDC Authentication Flows will be set to match the oauth2 flows defined in the OAS, as follows
      • StandardFlowEnabled = true if oauth2 AuthorizationCode is defined
      • ImplicitFlowEnabled = true if oauth2 Implicit is defined
      • DirectAccessGrantsEnabled = true if oauth2 Password is defined
      • ServiceAccountsEnabled = true if oauth2 ClientCredentials is defined
        Notes: As noted before - openapi-secret-oauth2 Secret contains securitySchemes with all authentication flows defined.
  • Expected result:

    • Product OIDC Authentication Flows: all flows selected
    • Warning in openapi CR, as in example:
$ oc describe openapi openapi-example
......
......
  Warning  OIDC authentication flows in CR will be ignored and Product OIDC authentication flows will be set to match oauth2 flows in OAS since the SecuritySchemes type in OAS is "oauth2" (for OIDC it should be "openIdConnect")  96s   OpenAPI  Product OIDC authentication flows parameters will be set to match oauth2 flows as following (OIDC ~ OAuth2): StandardFlowEnabled ~ AuthorizationCode, ImplicitFlowEnabled ~ Implicit, DirectAccessGrantsEnabled ~ Password, ServiceAccountsEnabled ~ ClientCredentials
  • See the authentication flows in the openapi CR and the product CR. They will differ, as the openapi CR definitions for the oidc authentication flows are ignored; the Product will be set according to the OAS.
$ oc describe openapi openapi-example
....
Spec:
  Oidc:
    Authentication Flow:
      Direct Access Grants Enabled:  false
      Implicit Flow Enabled:         false
      Service Accounts Enabled:      false
      Standard Flow Enabled:         true
$ oc describe products
    ......
Spec:
  Backend Usages:
    Swagger_Petstore:
      Path:  /
  Deployment:
    Apicast Hosted:
      Authentication:
        Oidc:
          Authentication Flow:
            Direct Access Grants Enabled:  true
            Implicit Flow Enabled:         true
            Service Accounts Enabled:      true
            Standard Flow Enabled:         true
....

Test2 - Regression

  • OpenAPI CR spec: OIDC
  • OAS securitySchemes type: openIdConnect
  • Expected result:
    • Product OIDC Authentication Flows will be set as defined in OpenApiCR
    • No warnings in OpenApi CR
$ oc apply  -f openapi-secret_oidc.yaml
secret/openapi-secret-oidc created
$ oc apply -f openapiCR_oidc.yaml
openapi.capabilities.3scale.net/openapi-example2 created

The files are below.
A new Product, Swagger Petstore 2, will be created, with the OIDC authentication flows as defined in the CR.

OpenApi CR

apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  annotations:
    insecure_skip_verify: 'true'
  name: openapi-example2
  namespace: 3scale-test
spec:
  oidc:
    issuerType: keycloak
    issuerEndpointRef:
      name: oidc-issuer-client-secret
    jwtClaimWithClientID: azp
    jwtClaimWithClientIDType: plain
    authenticationFlow:
      standardFlowEnabled: true
      implicitFlowEnabled: false
      serviceAccountsEnabled: false
      directAccessGrantsEnabled: false
  openapiRef:
    secretRef:
      name: openapi-secret-oidc
      namespace: 3scale-test
  prefixMatching: true

Openapi Secret, contains OAS

You can compare the swagger below with the oauth2 one used for Test1. There are a small number of differences (the name of the product), but the main one is that the securitySchemes type is openIdConnect (it was oauth2 before). The flow definitions are missing; they will be taken from the CR.

apiVersion: v1
kind: Secret
metadata:
  name: openapi-secret-oidc
  namespace: 3scale-test
type: Opaque
stringData:
  openapi-oidc.yaml: |
    ---
    components:
      schemas:
        Error:
          properties:
            code:
              format: int32
              type: integer
            message:
              type: string
          required:
          - code
          - message
          type: object
        NewPet:
          properties:
            name:
              type: string
            tag:
              type: string
          required:
          - name
          type: object
        Pet:
          allOf:
          - $ref: '#/components/schemas/NewPet'
          - properties:
              id:
                format: int64
                type: integer
            required:
            - id
            type: object
      securitySchemes:
        myOauth:
           type: openIdConnect
           openIdConnectUrl: https://example.com/.well-known/openid-configuration
    info:
      contact:
        email: apiteam@swagger.io
        name: Swagger API Team
        url: http://swagger.io
      description: A sample API that uses a petstore as an example to demonstrate features
        in the OpenAPI 3.0 specification
      license:
        name: Apache 2.0
        url: https://www.apache.org/licenses/LICENSE-2.0.html
      termsOfService: http://swagger.io/terms/
      title: Swagger Petstore 2
      version: 1.0.0
    openapi: 3.0.0
    paths:
      /pets:
        get:
          description: 'Returns all pets from the system that the user has access to

            Nam sed condimentum est. Maecenas tempor sagittis sapien, nec rhoncus sem
            sagittis sit amet. Aenean at gravida augue, ac iaculis sem. Curabitur odio
            lorem, ornare eget elementum nec, cursus id lectus. Duis mi turpis, pulvinar
            ac eros ac, tincidunt varius justo. In hac habitasse platea dictumst. Integer
            at adipiscing ante, a sagittis ligula. Aenean pharetra tempor ante molestie
            imperdiet. Vivamus id aliquam diam. Cras quis velit non tortor eleifend sagittis.
            Praesent at enim pharetra urna volutpat venenatis eget eget mauris. In eleifend
            fermentum facilisis. Praesent enim enim, gravida ac sodales sed, placerat
            id erat. Suspendisse lacus dolor, consectetur non augue vel, vehicula interdum
            libero. Morbi euismod sagittis libero sed lacinia.


            Sed tempus felis lobortis leo pulvinar rutrum. Nam mattis velit nisl, eu condimentum
            ligula luctus nec. Phasellus semper velit eget aliquet faucibus. In a mattis
            elit. Phasellus vel urna viverra, condimentum lorem id, rhoncus nibh. Ut pellentesque
            posuere elementum. Sed a varius odio. Morbi rhoncus ligula libero, vel eleifend
            nunc tristique vitae. Fusce et sem dui. Aenean nec scelerisque tortor. Fusce
            malesuada accumsan magna vel tempus. Quisque mollis felis eu dolor tristique,
            sit amet auctor felis gravida. Sed libero lorem, molestie sed nisl in, accumsan
            tempor nisi. Fusce sollicitudin massa ut lacinia mattis. Sed vel eleifend
            lorem. Pellentesque vitae felis pretium, pulvinar elit eu, euismod sapien.

            '
          operationId: findPets
          parameters:
          - description: tags to filter by
            in: query
            name: tags
            required: false
            schema:
              items:
                type: string
              type: array
            style: form
          - description: maximum number of results to return
            in: query
            name: limit
            required: false
            schema:
              format: int32
              type: integer
          responses:
            '200':
              content:
                application/json:
                  schema:
                    items:
                      $ref: '#/components/schemas/Pet'
                    type: array
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
        post:
          description: Creates a new pet in the store. Duplicates are allowed
          operationId: addPet
          requestBody:
            content:
              application/json:
                schema:
                  $ref: '#/components/schemas/NewPet'
            description: Pet to add to the store
            required: true
          responses:
            '200':
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Pet'
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
      /pets/{id}:
        delete:
          description: deletes a single pet based on the ID supplied
          operationId: deletePet
          parameters:
          - description: ID of pet to delete
            in: path
            name: id
            required: true
            schema:
              format: int64
              type: integer
          responses:
            '204':
              description: pet deleted
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
        get:
          description: Returns a user based on a single ID, if the user does not have
            access to the pet
          operationId: find pet by id
          parameters:
          - description: ID of pet to fetch
            in: path
            name: id
            required: true
            schema:
              format: int64
              type: integer
          responses:
            '200':
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Pet'
              description: pet response
            default:
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/Error'
              description: unexpected error
          security:
          - myOauth:
            - read
            - write
    security:
    - myOauth:
      - read
      - write
    servers:
    - url: http://petstore.swagger.io/v1

Test3 - Regression

Check that the OpenAPI CR must have an oidc spec if oauth2 or OIDC is defined in the OAS.
It is enough to test just oauth2.

  • Expected results:
    • Error in the OpenAPI CR
    • Product 3 will not be created
cp openapi-secret_oauth2.yaml openapi-secret_oauth2-prod3.yaml
cp openapiCR_oauth2.yaml openapiCR_oauth2-prod3.yaml
vi openapi-secret_oauth2-prod3.yaml   # rename secret (to `openapi-secret-oauth2-prod3`) and product (to `title: Swagger Petstore 3`)
vi openapiCR_oauth2-prod3.yaml        # remove oidc section from spec

oc apply -f openapi-secret_oauth2-prod3.yaml
oc apply -f openapiCR_oauth2-prod3.yaml

oc describe openapi openapi-example3
.....

  Warning  Invalid OpenAPI Spec  24s (x16 over 25s)  OpenAPI  (combined from similar events): spec.openapiRef: Invalid value: v1beta1.OpenAPIRefSpec{SecretRef:(*v1.ObjectReference)(0xc0013820e0), URL:(*string)(nil)}: Missing OIDC definitions in CR. The referenced OpenAPI spec's sec scheme is openIdConnect or oauth2, the spec.oidc must not be nil or empty

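The flow-mapping rule from the Validation section (Test1: oauth2 in the OAS overrides the CR flows; Test2: openIdConnect keeps the CR flows; Test3: an OAS with either scheme but no spec.oidc is an invalid spec) and the requeue question raised in the review thread below, as an added Go example written for this page. It is not code from the 3scale operator: it parses the `securitySchemes` of constructed OAS fragments with the standard library only, and `AuthenticationFlow`, `oasDocument`, `ResolveProductFlows`, `ShouldRequeue` and `ErrInvalidSpec` are assumed names, not the operator's types. It goes beyond the PR's all-flows case by also handling an OAS that defines only some oauth2 flows.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// AuthenticationFlow holds the four OIDC flow switches (spec.oidc.authenticationFlow in the
// OpenAPI CR; spec.deployment.apicastHosted.authentication.oidc.authenticationFlow in the Product CR).
type AuthenticationFlow struct {
	StandardFlowEnabled       bool
	ImplicitFlowEnabled       bool
	DirectAccessGrantsEnabled bool
	ServiceAccountsEnabled    bool
}

// securityScheme is an OAS 3.0 securitySchemes entry, reduced to the fields used here.
type securityScheme struct {
	Type  string                     `json:"type"`
	Flows map[string]json.RawMessage `json:"flows"`
}

type oasDocument struct {
	Components struct {
		SecuritySchemes map[string]securityScheme `json:"securitySchemes"`
	} `json:"components"`
}

// ErrInvalidSpec marks a CR that only a user edit can fix (Test3 in the PR description).
var ErrInvalidSpec = errors.New("missing OIDC definitions in CR: the referenced OpenAPI spec's " +
	"security scheme is openIdConnect or oauth2, so spec.oidc must not be empty")

// Constructed OAS fragments: the JSON form of the securitySchemes blocks shown in the PR.
const (
	// All four oauth2 flows, as in openapi-secret-oauth2.
	OAuth2AllFlowsOAS = `{"components":{"securitySchemes":{"myOauth":{"type":"oauth2",
	  "flows":{"authorizationCode":{},"implicit":{},"password":{},"clientCredentials":{}}}}}}`
	// Only two flows defined: the general case of which the PR's all-flows example is one instance.
	OAuth2TwoFlowsOAS = `{"components":{"securitySchemes":{"myOauth":{"type":"oauth2",
	  "flows":{"authorizationCode":{},"clientCredentials":{}}}}}}`
	// openIdConnect scheme, as in openapi-secret-oidc.
	OIDCOAS = `{"components":{"securitySchemes":{"myOauth":{"type":"openIdConnect",
	  "openIdConnectUrl":"https://example.com/.well-known/openid-configuration"}}}}`
)

// ResolveProductFlows applies the rule the PR documents. cr is the CR's spec.oidc.authenticationFlow,
// nil when spec.oidc is absent. oauth2 in the OAS: flows derived from the OAS, CR flows ignored (warning);
// openIdConnect: flows copied from the CR; either scheme with cr == nil: ErrInvalidSpec.
func ResolveProductFlows(oas []byte, cr *AuthenticationFlow) (AuthenticationFlow, string, error) {
	var doc oasDocument
	if err := json.Unmarshal(oas, &doc); err != nil {
		return AuthenticationFlow{}, "", fmt.Errorf("parse OAS: %w", err)
	}
	names := make([]string, 0, len(doc.Components.SecuritySchemes))
	for n := range doc.Components.SecuritySchemes {
		names = append(names, n)
	}
	sort.Strings(names) // map order is randomised; keep the result deterministic
	for _, name := range names {
		scheme := doc.Components.SecuritySchemes[name]
		switch scheme.Type {
		case "oauth2":
			if cr == nil {
				return AuthenticationFlow{}, "", ErrInvalidSpec
			}
			has := func(flow string) bool { _, ok := scheme.Flows[flow]; return ok }
			flows := AuthenticationFlow{
				StandardFlowEnabled:       has("authorizationCode"),
				ImplicitFlowEnabled:       has("implicit"),
				DirectAccessGrantsEnabled: has("password"),
				ServiceAccountsEnabled:    has("clientCredentials"),
			}
			return flows, fmt.Sprintf("securityScheme %q is oauth2: OIDC authentication flows in CR "+
				"are ignored, Product flows are set from the OAS", name), nil
		case "openIdConnect":
			if cr == nil {
				return AuthenticationFlow{}, "", ErrInvalidSpec
			}
			return *cr, "", nil
		}
	}
	if cr == nil { // no OIDC-style scheme: nothing to derive
		return AuthenticationFlow{}, "", nil
	}
	return *cr, "", nil
}

// ShouldRequeue separates transient errors (retry with backoff) from ErrInvalidSpec, which only a
// CR edit can clear: record that one in status and stop, instead of retrying and flooding events.
func ShouldRequeue(err error) bool {
	return err != nil && !errors.Is(err, ErrInvalidSpec)
}

func main() {
	cr := &AuthenticationFlow{StandardFlowEnabled: true} // as in the OpenAPI CRs of the PR
	for _, oas := range []string{OAuth2AllFlowsOAS, OAuth2TwoFlowsOAS, OIDCOAS} {
		flows, warn, err := ResolveProductFlows([]byte(oas), cr)
		fmt.Printf("%+v warn=%q err=%v\n", flows, warn, err)
	}
	_, _, err := ResolveProductFlows([]byte(OAuth2AllFlowsOAS), nil) // Test3: no spec.oidc
	fmt.Printf("err=%v requeue=%v\n", err, ShouldRequeue(err))
}
```

Run it with `go run`; the last printed line shows that the missing-spec.oidc case yields `requeue=false`, which is the behaviour asked for in review: record the invalid spec and wait for the CR to change rather than re-reconcile on every backoff tick.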
@valerymo valerymo requested a review from a team as a code owner January 3, 2024 17:47
@valerymo valerymo force-pushed the THREESCALE-10523 branch 2 times, most recently from 97ecf2f to 185e1ae on January 4, 2024 07:40
@valerymo valerymo changed the title [WIP] THREESCALE-10523 - oidc in OpenAPI CR ignores some attributes for Product CR THREESCALE-10523 - oidc in OpenAPI CR ignores some attributes for Product CR Jan 4, 2024
@@ -200,6 +200,10 @@ func (t *ProductThreescaleReconciler) syncProxyOIDC(params threescaleapi.Params,
// If plain value is not nil - use plain value as precedence over secret
issuerEndpoint := oidcSpec.IssuerEndpoint
if issuerEndpoint == "" {
if oidcSpec.IssuerEndpointRef == nil {
// If missing both IssuerEndpoint and IssuerEndpointRef in OpenApi CR - Product will fail SyncProxy
return fmt.Errorf("missing IssuerEndpoint definition in OIDC spec in openapi CR. Product OpenID Connect Issuer will not be set.")
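Review bot: returning a plain `fmt.Errorf` here for a missing `IssuerEndpoint`/`IssuerEndpointRef` turns a user-fixable omission into a requeue loop, because a returned error is retried with backoff although nothing changes until the CR is edited; record it as a validation error in the CR status and return without requeueing. Separately, the string has no format verbs, so `errors.New` fits, and Go error strings are conventionally lowercase without a trailing period, e.g. `errors.New("missing IssuerEndpoint definition in OIDC spec in openapi CR; product OpenID Connect issuer will not be set")`.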
Contributor

Hey @valerymo - this should be a validationError IMO and the reconciler should not be re-triggered, instead, it should wait for user change to the CR and re-reconcile then

Contributor Author

hey @MStokluska. This task was based on 10518, where the fix was done. Now, after the #915 PR (task 10518) merge, the issue is resolved and the proxy.go file disappeared from the list of changes in this PR. Tasks 10523 and 10524 are dependent on 10518 and mostly resolved there (in 10518). The main goal of the current task is to make the process clearer for the user (documentation). Thank you for the comment.

Contributor

@valerymo I see, thanks. But please update the error handling as part of this PR since it got pretty bad with the reconciliation, alternatively open another PR. We are about to release so we either need the error fixed or the previous PR reverted.

@MStokluska (Contributor)

hey @valerymo in validation scenario no 3, when this error is encountered, Operator is spamming the error very heavily. Instead, IMO the error should be an "InvalidSpec" type error and should not reconcile again until the owner of the CR makes an appropriate change.

r.EventRecorder().Eventf(openapiCR, corev1.EventTypeWarning, "OIDC authentication flows in CR will be ignored and Product OIDC authentication flows will be set to match oauth2 flows in OAS since the SecuritySchemes type in OAS is \"oauth2\" (for OIDC it should be \"openIdConnect\")", "%v", "Product OIDC authentication flows parameters will be set to match oauth2 flows as following (OIDC ~ OAuth2): StandardFlowEnabled ~ AuthorizationCode, ImplicitFlowEnabled ~ Implicit, DirectAccessGrantsEnabled ~ Password, ServiceAccountsEnabled ~ ClientCredentials")
}
}
if openapiCR.Spec.OIDC != nil &&
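Review bot: the second string passed to `Eventf` is the event reason, which Kubernetes expects as a short CamelCase token (it is what `oc get events` shows in the REASON column and what consumers filter on); the long sentence belongs in the message, e.g. `r.EventRecorder().Event(openapiCR, corev1.EventTypeWarning, "OIDCFlowsIgnored", "OIDC authentication flows in CR will be ignored ... ")`. With no format verbs, `Event` instead of `Eventf("%v", ...)` also drops the needless indirection. As noted in the thread, this block duplicates the one at line 403; keep one copy.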
Contributor

this is duplicated from line 403. Please remove

Contributor Author

done. Thank you

@@ -428,6 +428,17 @@ func (r *OpenAPIReconciler) validateOIDCSettingsInCR(openapiCR *capabilitiesv1be
}
}
}
// when OAS securitySchemes type is oauth2, and openapiCR spec is OIDC, then CR OIDC Authentication Flows parameters will be ignored,
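Review bot: the comment on the last line runs well past the usual column width and continues onto the next line; fold it to the repository's limit. For the invalid-spec error this validation produces, point the field error at the path `spec.oidc` rather than at the `openapiRef` value: the event in the PR description renders that value as `v1beta1.OpenAPIRefSpec{SecretRef:(*v1.ObjectReference)(0xc0013820e0), ...}`, a pointer address that differs on every reconcile, so the status text keeps changing and the changed status re-triggers the reconciler.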
Contributor

line 423 has ref to openapiref which causes constant updates to status of the CR which in turn re-reconciles on invalid error. Please double check the refs in invalidErrors.
Thanks

Contributor Author

Updated. Thanks very much for this comment and discussion. Hope it's ok now. Images for 2 cases below:

  • No IssuerEndpoint nor IssuerEndpointRef found in OIDC spec in CR
    Screenshot from 2024-01-17 12-17-25

  • Missing OIDC definitions in CR
    Screenshot from 2024-01-17 12-22-23

@@ -151,7 +151,7 @@ spec:
- Only for OIDC:

| **Field** | **Required** | **Description** |
| --- | --- | --- |
| --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
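Review bot: the table now has two separator rows, `| --- | --- | --- |` followed by the padded `| --- | --- |----…|`; Markdown treats only the first row after the header as the separator, so the second renders as a data row full of dashes. Drop the added long row and keep the original `| --- | --- | --- |`.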
Contributor

Suggested change
| --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| --- | --- |---|

Contributor Author

Fixed. Thank you. I will check for such things in future; it seems the IDE is doing this.

@MStokluska (Contributor)

/lgtm
Thanks Valery, good job.

The e2e will most likely fail due to an ongoing issue with apisonator. We can wait for the fix, which should be available "soon", or merge with a failed e2e, which I'm not a fan of. I suggest waiting.

@MStokluska (Contributor)

As for missing forwarding of the spec.oidc.gateway responses and security, they will be resolved as part of new Jira.

codeclimate bot commented Jan 17, 2024

Code Climate has analyzed commit 0e27914 and detected 0 issues on this pull request.


@carlkyrillos carlkyrillos merged commit 3f9a0a6 into 3scale:master Jan 17, 2024
14 checks passed
valerymo pushed a commit that referenced this pull request Jan 18, 2024
THREESCALE-10523 - oidc in OpenAPI CR ignores some attributes for Product CR