add an observer for webhookTokenAuthenticator #890
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
stlaz
force-pushed
the
webhook-authenticators
branch
2 times, most recently
from
b66e007
to
753ec77
Compare
|
/retest |
stlaz
force-pushed
the
webhook-authenticators
branch
2 times, most recently
from
b6dbace
to
e40b56b
Compare
stlaz
force-pushed
the
webhook-authenticators
branch
from
e40b56b
to
ee4171b
Compare
stlaz
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/retest |
|
|
||
| if secretErrors := validateKubeconfigSecret(kubeconfigSecret); len(secretErrors) > 0 { | ||
| return existingConfig, append(errs, | ||
| fmt.Errorf("secret openshift-config/%s: %w", webhookSecretName, utilerrors.NewAggregate(secretErrors))) |
There was a problem hiding this comment.
secret openshift-config/%s is not a real error message. Am not sure that appending on aggregate error will look good at the end.
There was a problem hiding this comment.
I turned it into an actual error message
| resourceSyncer.SyncSecret( | ||
| resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "webhook-authenticator"}, | ||
| resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName}, | ||
| ) |
There was a problem hiding this comment.
syncing from an observer is an unexpected side-effect. How do we do this elsewhere?
There was a problem hiding this comment.
This is being done in other observers as well:
We're handling the field that's a reference to a secret here, it makes sense to me to handle the sync as well.
There was a problem hiding this comment.
This is backed by the resource sync controller, which then essential does this:
c.configMapSyncRules[destination] = source
So this sync is ongoing, the call only registers a rule, does not do the a synchronous sync. And a new, different source overrides the old source.
So, I think this is fine.
stlaz
force-pushed
the
webhook-authenticators
branch
from
ee4171b
to
8bf9741
Compare
|
|
||
| var ( | ||
| webhookTokenAuthenticatorPath = []string{"apiServerArguments", "authentication-token-webhook-config-file"} | ||
| webhookTokenAuthenticatorFile = []interface{}{"/etc/kubernetes/static-pod-resources/secrets/webhook-authenticator/kubeConfig"} |
There was a problem hiding this comment.
is kubeConfig right? (usually it is kubeconfig)
There was a problem hiding this comment.
as per API doc, this is expected
| ) | ||
| } | ||
|
|
||
| if observedWebhookConfigured != existingWebhookConfigured { |
There was a problem hiding this comment.
we usually use reflect.DeepEqual()
There was a problem hiding this comment.
this is a comparison of two booleans
|
couple nits, LGTM otherwise |
stlaz
force-pushed
the
webhook-authenticators
branch
from
8bf9741
to
4078b00
Compare
stlaz
force-pushed
the
webhook-authenticators
branch
from
4078b00
to
5f86326
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
Adds an observer that's supposed to observe the
authentication.Spec.WebhookTokenAuthenticatorfield and sync a potential referenced secret toopenshift-kube-apiserverNS