New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add an observer for webhookTokenAuthenticator #890
add an observer for webhookTokenAuthenticator #890
Conversation
b66e007
to
753ec77
Compare
/retest |
b6dbace
to
e40b56b
Compare
e40b56b
to
ee4171b
Compare
/retest |
|
||
if secretErrors := validateKubeconfigSecret(kubeconfigSecret); len(secretErrors) > 0 { | ||
return existingConfig, append(errs, | ||
fmt.Errorf("secret openshift-config/%s: %w", webhookSecretName, utilerrors.NewAggregate(secretErrors))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
secret openshift-config/%s
is not a real error message. Am not sure that appending on aggregate error will look good at the end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I turned it into an actual error message
resourceSyncer.SyncSecret( | ||
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "webhook-authenticator"}, | ||
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName}, | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
syncing from an observer is an unexpected side-effect. How do we do this elsewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is being done in other observers as well:
cluster-kube-apiserver-operator/pkg/operator/configobservation/apiserver/observe_apiserver.go
Line 226 in f73bebb
errs = append(errs, syncObservedResources(resourceSync, resourceSyncRules)...) |
cluster-kube-apiserver-operator/pkg/operator/configobservation/auth/auth_metadata.go
Lines 84 to 93 in f73bebb
err = listers.ResourceSyncer().SyncConfigMap( | |
resourcesynccontroller.ResourceLocation{ | |
Namespace: targetNamespaceName, | |
Name: "oauth-metadata", | |
}, | |
resourcesynccontroller.ResourceLocation{ | |
Namespace: sourceNamespace, | |
Name: sourceConfigMap, | |
}, | |
) |
We're handling the field that's a reference to a secret here, it makes sense to me to handle the sync as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is backed by the resource sync controller, which then essential does this:
c.configMapSyncRules[destination] = source
So this sync is ongoing, the call only registers a rule, does not do the a synchronous sync. And a new, different source overrides the old source.
So, I think this is fine.
ee4171b
to
8bf9741
Compare
|
||
var ( | ||
webhookTokenAuthenticatorPath = []string{"apiServerArguments", "authentication-token-webhook-config-file"} | ||
webhookTokenAuthenticatorFile = []interface{}{"/etc/kubernetes/static-pod-resources/secrets/webhook-authenticator/kubeConfig"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is kubeConfig
right? (usually it is kubeconfig
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as per API doc, this is expected
) | ||
} | ||
|
||
if observedWebhookConfigured != existingWebhookConfigured { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we usually use reflect.DeepEqual()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a comparison of two booleans
couple nits, LGTM otherwise |
8bf9741
to
4078b00
Compare
4078b00
to
5f86326
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
Adds an observer that's supposed to observe the
authentication.Spec.WebhookTokenAuthenticator
field and sync a potential referenced secret toopenshift-kube-apiserver
NS