Custom Certs for OAuth Route #430
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: awgreene The full list of commands accepted by this bot can be found here.
Does the host of the route get changed anywhere?
There now appear to be both the controller and the observer to sync the secret. Keep the controller, add ingress status reporting about the route.
Route hostname change should still happen, right?
edit: I did not notice the observer getting removed in the later commit. Squash, please.
- merge the status and secret sync controllers
- the componentRoutes in status should have Conditions describing their current state (see the enhancement)
- the componentRoutes in status should have consumingUsers set
- don't pass variables by value unless you've got a good reason to do so, your stack might start hating you for that
I just realized: should we use the "CustomRoute" instead of "ComponentRoute" terminology in the controller name(s)? IMO it makes more sense to call it that.
Done
@stlaz I do not believe that we need to set this value. Doing so would cause the ingress-controller to generate RBAC for the provided users. This controller already has the RBAC necessary to read the admin provided secrets.
needs an e2e test
In the unlikely event we decide to narrow down the RBAC of this operator to only the resources it needs (even though it basically sets up the components that decide who is who), this would still break. Also, this would be helpful if we were to move this controller to library-go.
if len(conditions) == 0 { | ||
return []metav1.Condition{ | ||
{ | ||
Type: "Available", |
the enhancement and the API do not speak of an "Available" condition
can you think of a scenario where we could go "progressing=true"?
> can you think of a scenario where we could go "progressing=true"?

Degraded could be set to true if the secret is invalid.
Progressing could be set to true if the secret is valid and the deployment is rolling out with the new secrets.
hostname := "" | ||
if route != nil { | ||
hostname = route.Spec.Host | ||
} | ||
conditions = append(conditions, c.updateIngressConfigStatus(ctx, hostname, componentRouteConditions(conditions), ingress)...) |
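Review bot: when `route` is nil, the empty `hostname` still flows into `updateIngressConfigStatus`, so ingress status would be written with an empty hostname for a route that does not exist; guard the call on `route == nil` (or surface that as a condition) and, as already noted, move the status update out of this function so the condition computation and the status write are separate steps.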
this should be outside this function
One possible (small) issue found. Otherwise LGTM
/lgtm
// check that the hostname was updated | ||
err = checkRouteHostname(t, routeClient, "openshift-authentication", "oauth-openshift", "foo.bar.com") | ||
|
I think we need require.NoError(t, err) here.
/lgtm cancel
/retest
/lgtm
pkg/operator/datasync/validation.go
if numCerts := len(certs); numCerts != 1 { | ||
return append(errs, fmt.Errorf("expected a single server certificate, got %d", numCerts)) | ||
} |
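Review bot: `numCerts != 1` rejects a tls.crt that carries the leaf together with its intermediate chain, which is the usual shape of a CA-issued serving certificate; relax the check to `numCerts == 0` (at least one certificate) and, since the leaf is expected first, check that the first certificate matches the private key rather than relying on the block count.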
The server cert PEM will likely contain the full certificate chain so I would remove this check
Will update the check to expect at least one cert.
This commit introduces a number of changes that allow the Cluster-Authentication-Operator to customize the openshift-authentication/oauth-openshift route's hostname and serving certificate when a user provides this information via the cluster ingress config.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene, slaskawi, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
@awgreene: The following tests failed, say
/hold cancel