Add always-fail auth handler #24609

Merged
merged 1 commit into from Apr 5, 2023


meyskens
Member

Part of #24600

This adds an always fail auth handler that will always deny auth requests.
This is useful for testing policies and to use in end-to-end testing to
ensure the auth mechanism in the datapath is functional.

Add network policy auth method "always-fail"

This adds an always fail auth handler that will always deny auth
requests.
This is useful for testing policies and to use in end-to-end testing to
ensure the auth mechanism in the datapath is functional.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 28, 2023
@meyskens meyskens added kind/feature This introduces new functionality. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/servicemesh GH issues or PRs regarding servicemesh labels Mar 28, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 28, 2023
@meyskens meyskens marked this pull request as ready for review March 28, 2023 15:33
@meyskens meyskens requested review from a team as code owners March 28, 2023 15:33
@meyskens
Member Author

/test

@meyskens
Member Author

Fail in Jenkins test seems to be a non-related flake

18:19:13 STEP: WaitforPods(namespace="kube-system", filter="-l k8s-app=cilium") => timed out waiting for pods with filter -l k8s-app=cilium to be ready: 5m0s timeout expired

Contributor

@youngnick youngnick left a comment


LGTM, nice work.

Member

@mhofstetter mhofstetter left a comment


Change itself looks good - even though I kind of question having these "test" auth types (null & always-fail) in the public API (CRD). Kind of a smell for not testing on the right level - e.g. trying to cover datapath with e2e tests.

@meyskens
Member Author

@mhofstetter I would agree (however I think null could be removed as we can test a working case with mtls-spiffe) but we cannot leave them out of the CRD as the e2e tests use plain Cilium to run this. This is why I was hesitant myself to implement this.

@meyskens
Member Author

Fail in Jenkins seems not related:

        s: "timed out waiting for pods with filter -l k8s-app=cilium to be ready: 5m0s timeout expired",

@meyskens meyskens added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 5, 2023
@squeed squeed merged commit 0ea6999 into cilium:master Apr 5, 2023
43 checks passed