Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Decouple internal and external logical-cluster-admin access #2882

Merged
merged 4 commits into from
Mar 24, 2023
Merged

🐛 Decouple internal and external logical-cluster-admin access #2882

merged 4 commits into from
Mar 24, 2023

Conversation

hardys
Copy link

@hardys hardys commented Mar 8, 2023
edited

Summary

Currently the logical cluster admin kubeconfig is used to access both the external front-proxy endpoint, and also the shard directly via the baseURL - this won't work in the case where different CA certs are used for shard and front-proxy (such as in the helm-charts)

This only works in CI because we use the same serving-ca.crt for both shard and front-proxy, (in a future PR I will propose a change which better reflects the likely scenario in production deployments).

Fixes #2872

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 8, 2023
@hardys
Copy link
Author

hardys commented Mar 8, 2023

/hold

This is WIP until I fix the e2e tests - currently there is an assumption that admin.kubeconfig can be used for internal and external access, and in particular to the VW server which won't work with the independent CA certs

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 8, 2023
@hardys
Copy link
Author

hardys commented Mar 8, 2023

/cc @sttts

@openshift-ci openshift-ci bot requested a review from sttts March 8, 2023 16:48
@hardys hardys force-pushed the logical_cluster_admin_fix branch 2 times, most recently from d167291 to 98c5407 Compare March 14, 2023 13:36
@hardys
Copy link
Author

hardys commented Mar 14, 2023

/retitle 🐛 Decouple internal and external logical-cluster-admin access

@openshift-ci openshift-ci bot changed the title [WIP] 🐛 Decouple internal and external logical-cluster-admin access 🐛 Decouple internal and external logical-cluster-admin access Mar 14, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 14, 2023
@hardys
Copy link
Author

hardys commented Mar 14, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 14, 2023
@hardys
Copy link
Author

hardys commented Mar 16, 2023

/hold

Still figuring out authz for the new external-logical-cluster-admin group

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2023
@openshift-ci openshift-ci bot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Mar 17, 2023
@hardys hardys mentioned this pull request Mar 20, 2023
Closed
@hardys
Copy link
Author

hardys commented Mar 21, 2023

/hold cancel

@sttts @s-urbaniak this is ready for another review pass when you get a moment, thanks!

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 21, 2023
@hardys hardys requested a review from sttts March 22, 2023 08:31
@hardys
Copy link
Author

hardys commented Mar 22, 2023

/test e2e-sharded

Looks like #2865

@s-urbaniak
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 23, 2023
hardys pushed a commit to hardys/helm-charts that referenced this pull request Mar 23, 2023
Add external-logical-cluster-admin
4ef28f2 
Requires kcp-dev/kcp#2882

Fixes: kcp-dev#32
@hardys hardys mentioned this pull request Mar 23, 2023
Merged
@hardys
Copy link
Author

hardys commented Mar 24, 2023

@sttts this is ready for another review pass when you get time please - it's blocker for rebasing deployments based on the helm templates

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2023
Steven Hardy and others added 4 commits March 24, 2023 15:39
@sttts
server: add external-logical-cluster-admin flag
82442c3 
The current logical-cluster-admin config is used for both internal
shard-direct access, and also for access via the front-proxy.

This won't work when the CA certs for the shard and front-proxy
are different, so we add a new flag to specify an external config
that enables access via the front-proxy - the existing config should
be configured to enable access direct to the shards.

This is derived from 339a071 which was reverted in 3854f1b

Co-Authored-By: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
admission: remove redundant group check
eb40296 
The group evaluation is already done prior to the switch, returning
early if either group is found, so this test for non-membership is
redundant.
admission: allow external-logical-cluster-admin
c901627
required groups authorizer: allow external-logical-cluster-admin
36aa88c
@sttts
Copy link
Member

sttts commented Mar 24, 2023

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 24, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 24, 2023
@openshift-merge-robot openshift-merge-robot merged commit e65c243 into kcp-dev:main Mar 24, 2023
hardys pushed a commit to hardys/helm-charts that referenced this pull request Mar 27, 2023
Add external-logical-cluster-admin
f0a819a 
Requires kcp-dev/kcp#2882

Fixes: kcp-dev#32
hardys pushed a commit to hardys/helm-charts that referenced this pull request Mar 28, 2023
Add external-logical-cluster-admin
3431f3c 
Requires kcp-dev/kcp#2882

Fixes: kcp-dev#32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncdc ncdc ncdc left review comments

@s-urbaniak s-urbaniak s-urbaniak left review comments

@sttts sttts sttts left review comments

@davidfestal davidfestal Awaiting requested review from davidfestal

@stevekuznetsov stevekuznetsov Awaiting requested review from stevekuznetsov

Assignees

@s-urbaniak s-urbaniak

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug: logical cluster admin can't access both internal/external endpoints
6 participants
@hardys @s-urbaniak @sttts @ncdc @davidfestal @openshift-merge-robot