
Bound SA Token to Tekton Result API server in OpenShift #2145

Merged
merged 1 commit into from May 13, 2024

Conversation

@khrm khrm (Contributor) commented May 9, 2024

This enables workload identity federation. We mount the projected SA token at /var/run/secrets/openshift/serviceaccount.


Release Notes

Bound SA Token to Tekton Result API server Pod and mount it at `/var/run/secrets/openshift/serviceaccount`.
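Added example, not the operator's own code: a Go sketch of what a transformer like the one this PR introduces has to do to the Results API server Deployment, working on a generic map the way an unstructured object is shaped. It injects a projected service-account token volume mounted at /var/run/secrets/openshift/serviceaccount, skips every other object, and is idempotent across reconciles; the Deployment name, volume name and token audience are assumptions, and the sample manifest is constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Only the mount path comes from the PR; the other values are assumptions made for this example.
const (
	targetDeployment = "tekton-results-api"                        // assumed Deployment name
	volumeName       = "bound-sa-token"                            // assumed volume name
	mountPath        = "/var/run/secrets/openshift/serviceaccount" // from the PR description
	tokenAudience    = "openshift"                                 // assumed token audience
)
// Constructed sample standing in for the operator's Results API Deployment manifest.
const SampleDeployment = `{"kind":"Deployment","metadata":{"name":"tekton-results-api"},"spec":{"template":{"spec":{"containers":[{"name":"api","image":"results:dev"}]}}}}`
func sub(m map[string]any, key string) map[string]any { v, _ := m[key].(map[string]any); return v } // nested map or nil
// InjectBoundSAToken patches a Deployment decoded as a generic map (the shape of an unstructured object) and
// reports whether it changed it. Other kinds, other Deployments, malformed objects and Deployments that
// already carry the volume are left untouched, so repeated reconciles are idempotent.
func InjectBoundSAToken(obj map[string]any) bool {
	podSpec := sub(sub(sub(obj, "spec"), "template"), "spec")
	if obj["kind"] != "Deployment" || sub(obj, "metadata")["name"] != targetDeployment || podSpec == nil {
		return false
	}
	volumes, _ := podSpec["volumes"].([]any)
	for _, v := range volumes {
		if vm, _ := v.(map[string]any); vm["name"] == volumeName {
			return false // already injected by an earlier reconcile
		}
	}
	// Projected token: audience-bound, short-lived and rotated by the kubelet, unlike a Secret-backed token.
	podSpec["volumes"] = append(volumes, map[string]any{"name": volumeName, "projected": map[string]any{
		"sources": []any{map[string]any{"serviceAccountToken": map[string]any{
			"audience": tokenAudience, "expirationSeconds": 3600, "path": "token"}}}}})
	containers, _ := podSpec["containers"].([]any)
	for _, c := range containers { // every container in the pod sees the token at mountPath/token
		if cm, ok := c.(map[string]any); ok {
			mounts, _ := cm["volumeMounts"].([]any)
			cm["volumeMounts"] = append(mounts, map[string]any{"name": volumeName, "mountPath": mountPath, "readOnly": true})
		}
	}
	return true
}

func main() {
	var obj map[string]any
	_ = json.Unmarshal([]byte(SampleDeployment), &obj) // the constructed sample is well-formed
	first, second := InjectBoundSAToken(obj), InjectBoundSAToken(obj) // the second call must be a no-op
	out, _ := json.Marshal(obj)
	fmt.Println(first, second, string(out))
}
```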

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label May 9, 2024
@khrm khrm (Contributor Author) left a comment

/kind misc

@tekton-robot tekton-robot added kind/misc Categorizes issue or PR as a miscellaneous one. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 9, 2024
@tekton-robot (Contributor)

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektonresult/extension.go 12.2% 6.7% -5.5

@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 9, 2024
@tekton-robot (Contributor)

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektonresult/extension.go 12.2% 41.3% 29.1

@tekton-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkandasa


@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 9, 2024
@khrm khrm (Contributor Author) commented May 10, 2024

@savitaashture Probably we can get this merged. Can you review this?

@savitaashture (Contributor)

LGTM

@@ -76,6 +84,7 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
occommon.RemoveRunAsUser(),
occommon.RemoveRunAsGroup(),
occommon.ApplyCABundles,
injectBoundSAToken(comp),
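Review bot: injectBoundSAToken(comp) is appended unconditionally to the transformer list, so it runs against every object in the manifest; the transformer it returns needs to match on Kind "Deployment" and the Results API server Deployment name and return early for everything else. As the thread suggests, passing only the properties it needs instead of the whole v1alpha1.TektonComponent would also keep this list from depending on the full component type.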
Contributor

I think we should get the value of the field required for this beforehand and only pass the required field to the transformer function.

Contributor

Or add this function based on the condition.

Contributor Author (khrm)

We already have a condition in injectBoundSAToken and we would need it anyway to apply only to a particular deployment. I feel having a condition introduces a bad coupling between functions.

Contributor Author (khrm)

So I am passing properties now.

@@ -141,3 +150,79 @@ func filterAndTransform() client.FilterAndTransform {
return manifest, nil
}
}

// injectBoundSAToken adds a sa token projected volume to the Results Deployment
func injectBoundSAToken(comp v1alpha1.TektonComponent) mf.Transformer {
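Review bot: the doc comment on injectBoundSAToken should state the mount path (/var/run/secrets/openshift/serviceaccount, per the PR description) and that the volume is added for every installation, WIF or not, since that was the main question in review. The first coverage report showed extension.go dropping from 12.2% to 6.7%, so please cover this transformer with a unit test that runs it over a non-Results Deployment and asserts the object is unchanged, and over the Results Deployment twice to confirm a second pass does not add a duplicate volume or mount. The signature here still takes comp v1alpha1.TektonComponent while a later comment says properties are passed instead; make sure the merged version matches.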
Contributor

This will be added for all the users. Can there be cases where users do not want this?

Contributor Author (khrm)

Yes, it will be added for all users. It's a conscious decision on my part.
It doesn't matter whether the user requires this or not. This is something that is used when we have WIF. Even if it's not WIF, we are just getting an SA token mounted.
We just don't allow removing this token, which is provided by OpenShift in all clusters. Or we could have a configuration to enable or disable this, but every configuration adds overhead to the default installation.

Contributor

@jkandasa, if this looks good, I am fine.

Member

@khrm can you point to some documentation about whether WIF will be available for all the namespaces?

From @khrm about WIF (I asked him on DM: What is WIF?):

Workload Identity Federation is used by GCS and AWS. We support three formats for logging atm: S3, GCS and PVC.
Azure also has some identity management. We would need to support this later on. I didn't check how different it is from the rest.


Contributor Author (khrm)

It's not required to be available at all namespaces. It's only for a particular deployment that needs cloud provider service like s3 or GCS bucket. The Kubernetes service account token needs to be available at "/var/run/secrets/openshift/serviceaccount".

Contributor Author (khrm)

In this case, the Results API server requires an S3 or GCS bucket for logging.

Contributor

As discussed on chat, this will not have an impact, and Results should work fine for both types of users, using WIF or not.

@tekton-robot (Contributor)

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektonresult/extension.go 12.2% 39.2% 27.0

This enables workload identity federation.
@tekton-robot (Contributor)

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektonresult/extension.go 12.2% 39.2% 27.0

@khrm khrm (Contributor Author) commented May 13, 2024

@piyush-garg Please re-review.

@piyush-garg (Contributor)

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 13, 2024
@tekton-robot tekton-robot merged commit 9915797 into tektoncd:main May 13, 2024
8 checks passed