New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1906808: configobservation: override service-account-jwks-uri to use LB address #1020
Conversation
"service-account-jwks-uri": []interface{}{ | ||
// We need to set the URL so that it points to our LB and doesn't | ||
// default to KAS IP which isn't included in the serving certificate. | ||
internalLBURL + "/openid/v1/jwks", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If sts or cco were to override the default issuer, would they need to be affect the value of service-account-jwks-uri
?
Also, maybe an update to the enhancement is suggested?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right. If I understand the logic of this observer, this would have to be moved to the condition above when no issuer is set, correct?
Then there would be no need for changes when the default issuer is overriden, although we might consider allowing this modification in the future.
Updated to only set the jwks uri when the issuer is unset, lets' see whether it can pass CI |
@stlaz: This pull request references Bugzilla bug 1906808, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh |
@stlaz: This pull request references Bugzilla bug 1906808, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
) (map[string]interface{}, []error) { | ||
|
||
issuer, errs := observedIssuer(existingConfig, authConfigAccessor) | ||
config := unstructuredConfigForIssuer(issuer) | ||
|
||
infrastructureConfig, err := infrastructureConfigAccessor("cluster") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe only perform this step when the issuer length is zero? Otherwise an error could occur trying to retrieve something that isn't needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What you've done looks fine, but maybe could have been accomplished with less effort?
internalURL := ""
if len(issuer) == 0 {
...
internalURL = ...
}
Without the override, the KAS would point to its own IP which is not covered by the default serving certificate.
@marun I fixed the logic to only grab the infra config when an issuer is not set. PTAL |
/retest |
/lgtm |
/retest |
@stlaz: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
} | ||
|
||
// observedConfig returns an unstructured fragment of KubeAPIServerConfig that may | ||
// include an override of the default service account issuer if one was set in the | ||
// Authentication resource. | ||
func observedConfig( | ||
existingConfig map[string]interface{}, | ||
authConfigAccessor func(string) (*v1.Authentication, error), | ||
authConfigAccessor func(string) (*configv1.Authentication, error), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: accessor is a fixed term in apimachinery. Better: getAuthConfig, getInfrastructureConfig
} | ||
|
||
// observedConfig returns an unstructured fragment of KubeAPIServerConfig that may | ||
// include an override of the default service account issuer if one was set in the | ||
// Authentication resource. | ||
func observedConfig( | ||
existingConfig map[string]interface{}, | ||
authConfigAccessor func(string) (*v1.Authentication, error), | ||
authConfigAccessor func(string) (*configv1.Authentication, error), | ||
infrastructureConfigAccessor func(string) (*configv1.Infrastructure, error), | ||
) (map[string]interface{}, []error) { | ||
|
||
issuer, errs := observedIssuer(existingConfig, authConfigAccessor) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what can errs be? Keep going with all the logic is a little confusing. At least doc some rational why.
}, | ||
}, | ||
}, errs | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
drop empty line
nits |
/approve Follow-up for nits. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
@stlaz: All pull requests linked via external trackers have merged: Bugzilla bug 1906808 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Without the override, the KAS would point to its own IP which is not
covered by the default serving certificate.
/assign @marun
/cc @tnozicka