Bug 1906808: configobservation: override service-account-jwks-uri to use LB address #1020
Conversation
| "service-account-jwks-uri": []interface{}{ | ||
| // We need to set the URL so that it points to our LB and doesn't | ||
| // default to KAS IP which isn't included in the serving certificate. | ||
| internalLBURL + "/openid/v1/jwks", |
There was a problem hiding this comment.
If sts or cco were to override the default issuer, would they need to be affect the value of service-account-jwks-uri?
Also, maybe an update to the enhancement is suggested?
There was a problem hiding this comment.
You're right. If I understand the logic of this observer, this would have to be moved to the condition above when no issuer is set, correct?
Then there would be no need for changes when the default issuer is overriden, although we might consider allowing this modification in the future.
|
Updated to only set the jwks uri when the issuer is unset, lets' see whether it can pass CI |
stlaz
changed the title
openshift-ci-robot
added
the
bugzilla/severity-unspecified
|
@stlaz: This pull request references Bugzilla bug 1906808, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/invalid-bug
|
/bugzilla refresh |
openshift-ci-robot
added
bugzilla/severity-high
|
@stlaz: This pull request references Bugzilla bug 1906808, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
bugzilla/invalid-bug
| ) (map[string]interface{}, []error) { | ||
|
|
||
| issuer, errs := observedIssuer(existingConfig, authConfigAccessor) | ||
| config := unstructuredConfigForIssuer(issuer) | ||
|
|
||
| infrastructureConfig, err := infrastructureConfigAccessor("cluster") |
There was a problem hiding this comment.
Maybe only perform this step when the issuer length is zero? Otherwise an error could occur trying to retrieve something that isn't needed.
There was a problem hiding this comment.
What you've done looks fine, but maybe could have been accomplished with less effort?
internalURL := ""
if len(issuer) == 0 {
...
internalURL = ...
}
Without the override, the KAS would point to its own IP which is not covered by the default serving certificate.
|
@marun I fixed the logic to only grab the infra config when an issuer is not set. PTAL |
|
/retest |
|
/lgtm |
|
/retest |
|
@stlaz: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
| } | ||
|
|
||
| // observedConfig returns an unstructured fragment of KubeAPIServerConfig that may | ||
| // include an override of the default service account issuer if one was set in the | ||
| // Authentication resource. | ||
| func observedConfig( | ||
| existingConfig map[string]interface{}, | ||
| authConfigAccessor func(string) (*v1.Authentication, error), | ||
| authConfigAccessor func(string) (*configv1.Authentication, error), |
There was a problem hiding this comment.
nit: accessor is a fixed term in apimachinery. Better: getAuthConfig, getInfrastructureConfig
| } | ||
|
|
||
| // observedConfig returns an unstructured fragment of KubeAPIServerConfig that may | ||
| // include an override of the default service account issuer if one was set in the | ||
| // Authentication resource. | ||
| func observedConfig( | ||
| existingConfig map[string]interface{}, | ||
| authConfigAccessor func(string) (*v1.Authentication, error), | ||
| authConfigAccessor func(string) (*configv1.Authentication, error), | ||
| infrastructureConfigAccessor func(string) (*configv1.Infrastructure, error), | ||
| ) (map[string]interface{}, []error) { | ||
|
|
||
| issuer, errs := observedIssuer(existingConfig, authConfigAccessor) |
There was a problem hiding this comment.
what can errs be? Keep going with all the logic is a little confusing. At least doc some rational why.
| }, | ||
| }, | ||
| }, errs | ||
|
|
|
nits |
|
/approve Follow-up for nits. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@stlaz: All pull requests linked via external trackers have merged: Bugzilla bug 1906808 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Without the override, the KAS would point to its own IP which is not
covered by the default serving certificate.
/assign @marun
/cc @tnozicka