Bound SA Token to Tekton Result API server in OpenShift #2145
Conversation
/kind misc
The following is the coverage report on the affected files.
8c5720f to d33c739
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jkandasa
@savitaashture Probably we can get this merged. Can you review this?
LGTM
@@ -76,6 +84,7 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr | |||
occommon.RemoveRunAsUser(), | |||
occommon.RemoveRunAsGroup(), | |||
occommon.ApplyCABundles, | |||
injectBoundSAToken(comp), |
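Review bot: injectBoundSAToken(comp) is appended to the transformer list unconditionally and takes the whole v1alpha1.TektonComponent, although only a specific property of the component decides whether the projected token volume should be injected; passing just that property (or the properties struct) instead of the component keeps the transformer decoupled from the component type and makes it straightforward to unit test with a plain value.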
I think we should get the value of the field required for this beforehand and only pass the required field to the transformer function.
Or add this function based on the condition.
We already have a condition in injectBoundSAToken and we would need it anyway to apply only to a particular deployment. I feel having a condition introduces a bad coupling between functions.
So I am passing properties now.
@@ -141,3 +150,79 @@ func filterAndTransform() client.FilterAndTransform { | |||
return manifest, nil | |||
} | |||
} | |||
|
|||
// injectBoundSAToken adds a sa token projected volume to the Results Deployment | |||
func injectBoundSAToken(comp v1alpha1.TektonComponent) mf.Transformer { |
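Review bot: the doc comment on injectBoundSAToken should say which object it matches and where it mounts the token (the discussion names /var/run/secrets/openshift/serviceaccount and the Results API server Deployment), because a transformer runs against every object in the manifest and nothing in the signature shows what it filters on; a unit test asserting that the projected volume is added only to that Deployment, that other Deployments are left unchanged, and that a second application does not add a duplicate volume would document the behaviour as well.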
This will be added for all the users. Can there be cases where users do not want this?
Yes, it will be added for all users. It's a conscious decision on my part.
It doesn't matter whether the user requires this or not. This is something which is used when we have WIF. Even if it's not WIF, then we are just getting a SA token mounted.
We just don't allow removing this token which is provided by OpenShift in all clusters. Or we can have just a configuration to enable or disable this but every configuration adds overhead towards default installation.
@jkandasa if this looks good, I am fine.
@khrm can you point to some documentation on whether WIF will be available for all the namespaces?
From @khrm about WIF (I asked him on DM what WIF is):
Workload Identity Federation, used by GCS and AWS. We support three formats for logging atm: S3, GCS and PVC.
Azure also has some identity management. We would need to support this later on. I didn't check how different it is from the rest.
It's not required to be available at all namespaces. It's only for a particular deployment that needs cloud provider service like s3 or GCS bucket. The Kubernetes service account token needs to be available at "/var/run/secrets/openshift/serviceaccount".
In this case the Results API server requires an S3 or GCS bucket for logging.
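A sketch of the conditional injection discussed in the two comments above, written as an added example and not the PR's own code: it touches only the Results API server Deployment, is idempotent across repeated reconciles, and mounts the projected token at the path named in the thread. The Deployment name, token audience and expiry are assumptions (the page shows only the mount path), and the object is modelled as an unstructured map rather than a typed Deployment.

```go
package main

import "fmt"

// Assumed name of the Results API server Deployment; the PR page does not show it.
const resultsAPIDeployment = "tekton-results-api"

// Mount path from the PR discussion; audience and expiry are assumed values.
const (
	boundTokenMountPath = "/var/run/secrets/openshift/serviceaccount"
	boundTokenVolume    = "bound-sa-token"
	boundTokenAudience  = "openshift"
)

type object = map[string]interface{}

// child returns a nested map, or nil when the key is missing or not a map.
func child(m object, key string) object { c, _ := m[key].(object); return c }

// InjectBoundSAToken mirrors a manifest transformer over an unstructured object.
// It returns true only when it added the projected volume; other kinds, other
// Deployments and an already-injected Deployment are left untouched.
func InjectBoundSAToken(u object) bool {
	if u["kind"] != "Deployment" || child(u, "metadata")["name"] != resultsAPIDeployment {
		return false
	}
	podSpec := child(child(child(u, "spec"), "template"), "spec")
	if podSpec == nil {
		return false
	}
	vols, _ := podSpec["volumes"].([]interface{})
	for _, v := range vols {
		if vo, ok := v.(object); ok && vo["name"] == boundTokenVolume {
			return false // already injected on a previous reconcile
		}
	}
	token := object{"audience": boundTokenAudience, "expirationSeconds": 3600, "path": "token"}
	podSpec["volumes"] = append(vols, object{
		"name":      boundTokenVolume,
		"projected": object{"sources": []interface{}{object{"serviceAccountToken": token}}},
	})
	containers, _ := podSpec["containers"].([]interface{})
	for _, c := range containers {
		ct := c.(object)
		mounts, _ := ct["volumeMounts"].([]interface{})
		ct["volumeMounts"] = append(mounts, object{
			"name": boundTokenVolume, "mountPath": boundTokenMountPath, "readOnly": true})
	}
	return true
}

// SampleDeployment builds a constructed, minimal Deployment with one container.
func SampleDeployment(name string) object {
	return object{"kind": "Deployment", "metadata": object{"name": name},
		"spec": object{"template": object{"spec": object{
			"containers": []interface{}{object{"name": "api"}}}}}}
}

func main() {
	d := SampleDeployment(resultsAPIDeployment)
	fmt.Println(InjectBoundSAToken(d), InjectBoundSAToken(d)) // true false
}
```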
As discussed on chat, this will not have an impact, and Results should work fine for both types of users, using WIF or not.
d33c739 to 9076bdb
This enables workload identity federation.
9076bdb to 893ae13
@piyush-garg Please re-review.
/lgtm
Changes
This enables workload identity federation. We mount the projected SA token at
/var/run/secrets/openshift/serviceaccount