New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-23709: Load token from file in fleetshard-sync #1802

Merged

kovayur merged 2 commits into main from yury/ROX-23709-fleetshard-token-auth

Jun 3, 2024

Contributor

kovayur commented May 8, 2024

Description

This change adds a new AuthType called TOKEN_FILE in order to load a service account token for authentication in Fleet Manager. This type becomes the default value in the dp-terraform helm chart instead of RHSSO.

Checklist (Definition of Done)

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

openshift-ci bot added the do-not-merge/work-in-progress label

Contributor

openshift-ci bot commented May 8, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

kovayur temporarily deployed to development

May 8, 2024 18:26

— with

GitHub Actions Inactive

openshift-ci bot added the approved label

kovayur requested a review from dhaus67

May 8, 2024 18:26

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from 0064307 to fd7a041 Compare

May 10, 2024 19:17

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from 6629044 to b4fd1c0 Compare

May 10, 2024 19:17

kovayur temporarily deployed to development

May 10, 2024 19:17

— with

GitHub Actions Inactive

kovayur temporarily deployed to development

May 10, 2024 19:17

— with

GitHub Actions Inactive

Contributor Author

kovayur commented May 10, 2024 •

edited

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @kovayur and the rest of your teammates on Graphite

This was referenced May 10, 2024

ROX-23709: Refactor authentication handler #1789

Merged

ROX-23709: Trust Data Plane OAuth issuers in fleetshard authorization middleware #1801

Merged

dhaus67 reviewed

View reviewed changes

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml

+                        projected:
+                          sources:
+                            - serviceAccountToken:
+                                path: fleet-manager-token

Contributor

dhaus67 May 13, 2024

Let's also set a custom audience here (see also this comment) to have a) additional verification on FM side and b) avoid the token to be used to access the kube API.

dp-terraform/helm/rhacs-terraform/values.yaml Outdated

    
                # Can be either OCM, RHSSO, STATIC_TOKEN. When choosing RHSSO, make sure the clientId/secret is set. By default, uses RHSSO.

                authType: "RHSSO"

                # Can be either OCM, RHSSO, STATIC_TOKEN, TOKEN_FILE. When choosing RHSSO, make sure the clientId/secret is set. By default, uses TOKEN_FILE.

                authType: "TOKEN_FILE"

Contributor

dhaus67 May 13, 2024

nit: might be better to use service account token? It's a bit hard to really understand what is backing the "token file" auth type.

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml

@@ @@ -148,3 +154,8 @@ spec: @@
                             - serviceAccountToken:
                                 path: aws-token
                                 audience: sts.amazonaws.com
+                      - name: fleet-manager-token

Contributor

dhaus67 May 13, 2024

This should only be done optional if the auth type is used (same applies for the mount + env variable).

pkg/client/fleetmanager/impl/auth.go Outdated

               	return newAuth(ctx, staticTokenFactory.GetName(), Option{Static: opt})
               }
+              // NewFileAuth will return Auth that uses a token file to provide authentication for HTTP requests.
+              func NewFileAuth(ctx context.Context, opt TokenFileOption) (Auth, error) {

Contributor

dhaus67 May 13, 2024

nit: if we keep the name token file auth, this should be named appropriately then (i.e. NewTokenFileAuth).

pkg/client/fleetmanager/impl/auth_file.go Outdated

+              const (
+              	// TokenFileAuthName is the name of the token file auth authentication method
+              	TokenFileAuthName = "TOKEN_FILE"

Contributor

dhaus67 May 13, 2024

Doesn't need to be exposed I think?

Contributor Author

kovayur May 21, 2024

The constants of other types are public too.
It can be used in impl.NewAuth

pkg/client/fleetmanager/impl/auth_file.go Outdated

+              )
+              const (
+              	// TokenFileAuthName is the name of the token file auth authentication method

Contributor

dhaus67 May 13, 2024

Suggested change

      
            	// TokenFileAuthName is the name of the token file auth authentication method
          
            	// TokenFileAuthName is the name of the token file auth authentication method.

Contributor Author

kovayur May 21, 2024

Fixed

pkg/client/fleetmanager/impl/auth_file.go Outdated

+              	return TokenFileAuthName
+              }
+              // CreateAuth creates a new instance of Auth or returns error

Contributor

dhaus67 May 13, 2024

Suggested change

      
            // CreateAuth creates a new instance of Auth or returns error
          
            // CreateAuth creates a new instance of Auth or returns error.

Contributor Author

kovayur May 21, 2024

Fixed

pkg/client/fleetmanager/impl/auth_file.go Outdated

+              func (f *tokenFileAuthFactory) CreateAuth(_ context.Context, o Option) (Auth, error) {
+              	tokenFile := o.TokenFile.File
+              	if _, err := os.Stat(tokenFile); err != nil {
+              		return nil, fmt.Errorf("failed to read token file %s: %w", tokenFile, err)

Contributor

dhaus67 May 13, 2024

Suggested change

      
            		return nil, fmt.Errorf("failed to read token file %s: %w", tokenFile, err)
          
            		return nil, fmt.Errorf("failed to read token file %q: %w", tokenFile, err)

Contributor Author

kovayur May 21, 2024

fixed

pkg/client/fleetmanager/impl/auth_file.go Outdated

+              // AddAuth add auth token to the request retrieved from OCM.
+              func (o *tokenFileAuth) AddAuth(req *http.Request) error {
+              	token, err := shared.ReadFile(o.file)

Contributor

dhaus67 May 13, 2024

It's a bit unfortunate that we greedily always read from file here, especially since we do send quite a few requests from fleet-sync to fleet-manager.

On the options to improve this, we can either a) use an expiring cache where the duration is a bit less than the 1 hour b) use the file watcher concept we have in stackrox to read updates on changes.

Either way, I don't think we should be reading on every request here.

Contributor Author

kovayur May 21, 2024

Expiring cache added

pkg/client/fleetmanager/impl/testdata/token Outdated

		@@ -0,0 +1 @@
		some-value

Contributor

dhaus67 May 13, 2024

super nit: might make sense to just take the sample JWT from jwt.io and paste it here to have a more "closer to reality" example.

Contributor Author

kovayur May 21, 2024

Done.

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from d6f9367 to 2752423 Compare

May 15, 2024 11:40

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from b4fd1c0 to e23cfa2 Compare

May 15, 2024 11:44

kovayur temporarily deployed to development

May 15, 2024 11:44

— with

GitHub Actions Inactive

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from e23cfa2 to 32edb7f Compare

May 15, 2024 11:58

openshift-merge-robot added the needs-rebase label

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from a7a9c4c to 44ede5a Compare

May 15, 2024 11:59

openshift-merge-robot removed the needs-rebase label

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from 46ccc7b to bbf4f42 Compare

May 16, 2024 12:47

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from 32edb7f to c350c3b Compare

May 16, 2024 12:48

kovayur temporarily deployed to development

May 16, 2024 12:48

— with

GitHub Actions Inactive

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from c350c3b to bb72437 Compare

May 21, 2024 12:47

openshift-merge-robot added the needs-rebase label

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from bbf4f42 to a40721e Compare

May 21, 2024 12:48

kovayur marked this pull request as ready for review

May 21, 2024 14:52

kovayur requested review from ebensh, johannes94 and GrimmiMeloni as code owners

May 21, 2024 14:52

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from 14eb2cd to c5a1af0 Compare

May 22, 2024 10:14

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from 578da9a to c4e7dc6 Compare

May 22, 2024 11:26

kovayur temporarily deployed to development

May 22, 2024 11:26

— with

GitHub Actions Inactive

kovayur force-pushed the yury/ROX-23709-fleetshard-authz branch from 6417b2b to f48b741 Compare

May 22, 2024 15:17

Base automatically changed from yury/ROX-23709-fleetshard-authz to main

May 22, 2024 16:06

openshift-merge-robot added the needs-rebase label

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from c4e7dc6 to 4576c4b Compare

May 22, 2024 16:26

kovayur temporarily deployed to development

May 22, 2024 16:26

— with

GitHub Actions Inactive

openshift-merge-robot added needs-rebase and removed needs-rebase labels

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from 4576c4b to f54e96c Compare

May 27, 2024 15:40

kovayur temporarily deployed to development

May 27, 2024 15:40

— with

GitHub Actions Inactive

openshift-merge-robot removed the needs-rebase label


          ROX-23709: Load token from file in fleetshard-sync

a0dc8e3

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from f54e96c to a0dc8e3 Compare

May 27, 2024 16:11

kovayur temporarily deployed to development

May 27, 2024 16:11

— with

GitHub Actions Inactive

kovayur requested a review from dhaus67

May 28, 2024 12:42

dhaus67 approved these changes

View reviewed changes

openshift-ci bot assigned dhaus67

openshift-ci bot added the lgtm label

Contributor

openshift-ci bot commented May 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhaus67, kovayur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [dhaus67,kovayur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot removed the lgtm label

Contributor

openshift-ci bot commented May 31, 2024

New changes are detected. LGTM label has been removed.

kovayur temporarily deployed to development

May 31, 2024 14:32

— with

GitHub Actions Inactive


          Make RHSSO default auth type again

21275d8

kovayur force-pushed the yury/ROX-23709-fleetshard-token-auth branch from 96026d6 to 21275d8 Compare

May 31, 2024 14:50

kovayur temporarily deployed to development

May 31, 2024 14:50

— with

GitHub Actions Inactive

Contributor Author

kovayur commented Jun 3, 2024

Had to rollback the default value in the helm chart due to the issues on the local / CI environment. Will follow-up in the next PR

kovayur merged commit bcefc5f into main

7 checks passed

kovayur deleted the yury/ROX-23709-fleetshard-token-auth branch

June 3, 2024 10:08

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment