Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom Certs for OAuth Route #430

Merged
merged 2 commits into from Jul 12, 2021
Merged

Custom Certs for OAuth Route #430

merged 2 commits into from Jul 12, 2021

Conversation

awgreene
Copy link
Contributor

@awgreene awgreene commented Apr 6, 2021

No description provided.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 6, 2021
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: awgreene
To complete the pull request process, please assign sttts after the PR has been reviewed.
You can assign the PR to them by writing /assign @sttts in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

stlaz
stlaz requested changes Apr 6, 2021
View reviewed changes
Copy link
Member

@stlaz stlaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the host of the route get changed anywhere?

pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/routersecret/observe_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/deployment/default_deployment.go Outdated Show resolved Hide resolved
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 6, 2021
@awgreene
Copy link
Contributor Author

awgreene commented Apr 6, 2021

Does the host of the route get changed anywhere?
@stlaz not yet.

@awgreene awgreene force-pushed the custom-routes branch 2 times, most recently from e049f49 to 1b61037 Compare April 7, 2021 16:05
stlaz
stlaz requested changes Apr 8, 2021
View reviewed changes
Copy link
Member

@stlaz stlaz left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there now appears to be both the controller and the observer to sync the secret. Keep the controller, add ingress status reporting about the route.

Route hostname change should still happen, right?

edit: I did not notice the observer getting remove in the later commit. Squash please.

pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/customroutersecret/observe_custom_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/routersecret/observe_router_secret.go Show resolved Hide resolved
pkg/controllers/metadata/metadata_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
@awgreene awgreene force-pushed the custom-routes branch 2 times, most recently from 547c451 to de2397e Compare April 8, 2021 18:12
stlaz
stlaz requested changes Apr 9, 2021
View reviewed changes
Copy link
Member

@stlaz stlaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • merge the status and secret sync controllers
  • the componentRoutes in status should have Conditions describing their current state (see the enhancement)
  • the componentRoutes in status should have consumingUsers set
  • don't pass variables by value unless you've got a good reason to do so, your stack might start hating you for that

pkg/controllers/common/ingress_config.go Outdated Show resolved Hide resolved
pkg/controllers/common/ingress_config.go Outdated Show resolved Hide resolved
pkg/controllers/common/ingress_config.go Outdated Show resolved Hide resolved
pkg/controllers/common/ingress_config.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutesecretsync/component_route_secret_sync_controller.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutestatus/ingress_component_route.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutestatus/ingress_component_route.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutestatus/ingress_component_route.go Outdated Show resolved Hide resolved
pkg/controllers/componentroutestatus/ingress_component_route.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/routersecret/observe_router_secret.go Outdated Show resolved Hide resolved
@stlaz
Copy link
Member

stlaz commented Apr 9, 2021

I just realized: should we use the "CustomRoute" instead of "ComponentRoute" terminology in the controller name(s)? IMO it makes more sense to call it that

@awgreene
Copy link
Contributor Author

awgreene commented Apr 9, 2021

I just realized: should we use the "CustomRoute" instead of "ComponentRoute" terminology in the controller name(s)? IMO it makes more sense to call it that

Done

@awgreene
Copy link
Contributor Author

awgreene commented Apr 9, 2021

the componentRoutes in status should have consumingUsers set

@stlaz I do not believe that we need to set this value. Doing so would cause the ingress-controller to generate RBAC for the provided users. This controller already has the rbac necessary to read the admin provided secrets.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 12, 2021
stlaz
stlaz requested changes Apr 14, 2021
View reviewed changes
Copy link
Member

@stlaz stlaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs an e2e test

pkg/controllers/configobservation/routersecret/observe_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/routersecret/observe_router_secret_test.go Show resolved Hide resolved
pkg/controllers/configobservation/routersecret/observe_router_secret.go Outdated Show resolved Hide resolved
pkg/controllers/configobservation/configobservercontroller/observe_config_controller.go Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/oauthclientscontroller/oauthclientscontroller.go Outdated Show resolved Hide resolved
pkg/controllers/oauthendpoints/oauth_endpoints_controller.go Outdated Show resolved Hide resolved
@stlaz
Copy link
Member

stlaz commented Apr 14, 2021

I do not believe that we need to set this value. Doing so would cause the ingress-controller to generate RBAC for the provided users. This controller already has the rbac necessary to read the admin provided secrets.

In the unlikely event we decide to narrow down the RBAC of this operator to only the resources it needs (even though it basically sets up the components that decide who is who), this would still break. Also, this would be helpful if we were to move this controller to library-go.

stlaz
stlaz requested changes Apr 15, 2021
View reviewed changes
pkg/controllers/customroute/custom_route_controller.go Outdated
if len(conditions) == 0 {
return []metav1.Condition{
{
Type: "Available",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the enhancement and the API do not speak of an "Available" condition

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you think of a scenario where we could go "progressing=true"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you think of a scenario where we could go "progressing=true"?

Degraded could be set to true if the secret is invalid.
Progressing could be set to true if the secret is valid and the deployment is rolling out with the new secrets,

pkg/controllers/configobservation/configobservercontroller/observe_config_controller.go Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated Show resolved Hide resolved
pkg/controllers/customroute/custom_route_controller.go Outdated
Comment on lines 132 to 136
hostname := ""
if route != nil {
hostname = route.Spec.Host
}
conditions = append(conditions, c.updateIngressConfigStatus(ctx, hostname, componentRouteConditions(conditions), ingress)...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be outside this function

pkg/controllers/metadata/metadata_controller.go Outdated Show resolved Hide resolved
pkg/operator/assets/bindata.go Outdated Show resolved Hide resolved
slaskawi
slaskawi approved these changes Jun 25, 2021
View reviewed changes
Copy link

@slaskawi slaskawi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One possible (small) issue found. Otherwise LGTM

/lgtm

test/e2e/custom_route_test.go

// check that the hostname was updated
err = checkRouteHostname(t, routeClient, "openshift-authentication", "oauth-openshift", "foo.bar.com")

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need require.NoError(t, err) here.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 25, 2021
@stlaz
Copy link
Member

stlaz commented Jun 28, 2021

/lgtm cancel
Unit tests are failing:

FAIL: github.com/openshift/cluster-authentication-operator/pkg/controllers/routercerts TestValidateRouterCertificates/CustomSecretMissingRouterCertsPEM 0s
FAIL: github.com/openshift/cluster-authentication-operator/pkg/controllers/routercerts TestValidateRouterCertificates/CustomSecretMalformedRouterCertsPEM 0s
FAIL: github.com/openshift/cluster-authentication-operator/pkg/controllers/routercerts TestValidateRouterCertificates/CustomSecretNoServerCertRouterCerts 0s
FAIL: github.com/openshift/cluster-authentication-operator/pkg/controllers/routercerts TestValidateRouterCertificates/CustomSecretInvalidServerCertRouterCertsBadChain 0s
FAIL: github.com/openshift/cluster-authentication-operator/pkg/controllers/routercerts TestValidateRouterCertificates 19.49s

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 28, 2021
@slaskawi slaskawi mentioned this pull request Jun 29, 2021
Closed
@awgreene awgreene force-pushed the custom-routes branch 2 times, most recently from 4a6a3fa to 1f247db Compare July 8, 2021 15:25
@awgreene
Copy link
Contributor Author

awgreene commented Jul 8, 2021

/retest

3 similar comments
@awgreene
Copy link
Contributor Author

awgreene commented Jul 8, 2021

/retest

@awgreene
Copy link
Contributor Author

awgreene commented Jul 9, 2021

/retest

@awgreene
Copy link
Contributor Author

awgreene commented Jul 9, 2021

/retest

slaskawi
slaskawi approved these changes Jul 9, 2021
View reviewed changes
Copy link

@slaskawi slaskawi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2021
stlaz
stlaz requested changes Jul 9, 2021
View reviewed changes
pkg/operator/datasync/validation.go Outdated
Comment on lines 87 to 89
if numCerts := len(certs); numCerts != 1 {
return append(errs, fmt.Errorf("expected a single server certificate, got %d", numCerts))
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The server cert PEM will likely contain the full certificate chain so I would remove this check

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will update the check to expect at least one cert.

@awgreene
Introduce custom route hostnames and serving certs
7c29d66 
This commit introduces a number of changes that allow the Cluster-Authentication-Operator
to customize the openshift-authentication/oauth-openshift route's hostname and serving
certificate when a user provides this information via the cluster ingress config.
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2021
@stlaz
Copy link
Member

stlaz commented Jul 9, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 9, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene, slaskawi, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 9, 2021

@awgreene: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-operator-encryption-perf 14554e5 link /test e2e-aws-operator-encryption-perf
ci/prow/e2e-agnostic-ipv6 7c29d66 link /test e2e-agnostic-ipv6

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@stlaz
Copy link
Member

stlaz commented Jul 12, 2021

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 12, 2021
@openshift-merge-robot openshift-merge-robot merged commit 65cd3f0 into openshift:master Jul 12, 2021
@slaskawi slaskawi mentioned this pull request Jul 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@EmilyM1 EmilyM1 EmilyM1 left review comments

@stlaz stlaz stlaz requested changes

@slaskawi slaskawi slaskawi approved these changes

@sttts sttts Awaiting requested review from sttts

Assignees

@stlaz stlaz

@slaskawi slaskawi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@awgreene @openshift-ci-robot @stlaz @slaskawi @EmilyM1 @openshift-merge-robot