New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6 #153
Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6 #153
Conversation
8f91c7a
to
c19d380
Compare
@sttts: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
} | ||
return factory.New(). | ||
WithInformers( | ||
operatorClient.Informer(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need this informer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't
c19d380
to
bc8bef9
Compare
func (c Controller) sync(ctx context.Context, syncCtx factory.SyncContext) error { | ||
obj, err := c.apiserverLister.Get("cluster") | ||
if errors.IsNotFound(err) { | ||
syncCtx.Recorder().Warningf("SecureAccessTokenAnnotationController", "Required apiservers.%s/cluster not found", configv1.GroupName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
usually, events are reserved for informing about the state change.
/lgtm |
fedf089
to
efbfab5
Compare
efbfab5
to
a192891
Compare
@sttts: This pull request references Bugzilla bug 1878648, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sttts: This pull request references Bugzilla bug 1879492, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
a192891
to
8e6a9b9
Compare
/lgtm |
8e6a9b9
to
483686f
Compare
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 1879492, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla-refresh |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 1879492, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sttts: This pull request references Bugzilla bug 1879492, which is valid. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retitle Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6 |
/retest Please review the full test history for this PR and help us cut down flakes. |
6 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest |
1 similar comment
/retest |
/test e2e-gcp |
/retest Please review the full test history for this PR and help us cut down flakes. |
5 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@sttts: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@sttts: All pull requests linked via external trackers have merged: Bugzilla bug 1879492 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The annotation oauth-apiserver.openshift.io/secure-token-storage: true set on the config/v1 apiserver object make openshift-apiserver deeply log oauth tokens, noth access and authorize (if openshift-apiserver is responsible for this; in fresh 4.6 install it is not, but oauth-apiserver is).
This requires that there are no non-sha256 tokens in the system. For 4.6 installs this is guaranteed.
This PR adds a controller to remove the "oauth-apiserver.openshift.io/secure-token-storage" annotation from the APIServer config/v1 object after a potential downgrade from 4.6, to allow for the fact that non-sha256 are created on 4.5.
Counterpart to 4.6 PRs: