
Bug 1986810: trust the oauth-server when constructing a client to OpenShift #220

Merged
merged 2 commits into from Jul 28, 2021

Conversation

stlaz
Member

@stlaz stlaz commented Jul 27, 2021

implements the oauth-proxy part of openshift/enhancements#797

WIP because: untested

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 27, 2021
@openshift-ci openshift-ci bot requested review from deads2k and sttts July 27, 2021 14:25
@stlaz stlaz force-pushed the oauth-server-trust branch 2 times, most recently from 15cef28 to 4d9f40e Compare July 28, 2021 11:02
@stlaz stlaz changed the title WIP: trust the oauth-server when constructing a client to OpenShift trust the oauth-server when constructing a client to OpenShift Jul 28, 2021
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 28, 2021
@stlaz stlaz changed the title trust the oauth-server when constructing a client to OpenShift Bug 1986810: trust the oauth-server when constructing a client to OpenShift Jul 28, 2021
@openshift-ci openshift-ci bot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Jul 28, 2021
@openshift-ci

openshift-ci bot commented Jul 28, 2021

@stlaz: This pull request references Bugzilla bug 1986810, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

Bug 1986810: trust the oauth-server when constructing a client to OpenShift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jul 28, 2021
return err
}

kubeInformersMachineNS := informers.NewSharedInformerFactoryWithOptions(


what is the meaning of Machine?

Member Author


should've probably been MachineConfig. It's the NS with the configs that are maintained by operators, hence the "machine"


🤖

return nil, err
}

oauthServerCert, err := p.configMapLister.ConfigMaps("openshift-config-managed").Get("oauth-serving-cert")


probably obvious, but this assumes that the client newOpenShiftClient is never ever reused between invocations, correct?

Member Author


the newOpenShiftClient does in fact promote the reuse of the constructed client (which is cached in the httpClientCache)


ah, thank you, I wasn't aware. How do we deal with changes/rotation on those certs then?

Member Author


I just noticed there was a bug that would cause failure of the reuse, that's now fixed (see cachedKey).

When the certs change, we cache a new client that's then used. Each of the calls to OpenShift usually starts by calling the newOpenshiftClient()


Each of the calls to OpenShift usually starts by calling the newOpenshiftClient()

ah, combined with the cached http client that makes sense to me now 👍

@s-urbaniak

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 28, 2021
@openshift-ci

openshift-ci bot commented Jul 28, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: s-urbaniak, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit c4b9b82 into openshift:master Jul 28, 2021
@openshift-ci

openshift-ci bot commented Jul 28, 2021

@stlaz: All pull requests linked via external trackers have merged:

Bugzilla bug 1986810 has been moved to the MODIFIED state.

In response to this:

Bug 1986810: trust the oauth-server when constructing a client to OpenShift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
