Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Wire core server for Impersonation #1612

Merged
merged 2 commits into from Mar 9, 2022
Merged

feat: Wire core server for Impersonation #1612

merged 2 commits into from Mar 9, 2022

Conversation

Callisto13
Copy link
Contributor

@Callisto13 Callisto13 commented Mar 4, 2022
edited

2 commits here:

337d703:

feat: Refactor chart service account

  1. Strip out the service account (mostly) in the Helm Chart. To keep the
    app's scope limited we are making it "impersonate only". The caveat
    to this is that the Profiles functionality is always on, with queries
    not made by the user. Therefore in this case there is nothing to
    impersonate. So for now, the wego-app service account has an
    extra role which will let it query those resources.
  2. Add an Admin user to the Chart. With the "impersonate only" plan, we
    require users to enable auth by default. I have therefore added a
    template to create an Admin user with the required permissions.
    The actual password is configurable via values and is left empty.
  3. Update the Tiltfile to deploy this Chart locally. All current local
    dev instructions remain true. The dev password is dev.
  4. Create a default const to hold the value of the default claims
    subject (admin).

f56c707:

feat: Wire the core server to Impersonate queries

  1. Move the ImpersonatingConfigGetter into the kube package. This
    felt like a "natural" place to me, feel free to suggest elsewhere if
    you disagree. It has to be moved somewhere to avoid import cycles
    with t'other server.
  2. Update the core server to use the default client getter rather than
    our placeholder. With the import cycle fixed this is now doable.
    This default ClientGetter takes a ConfigGetter, so now core will
    Impersonate.
  3. Update the server wiring to receive a CoreServerConfig, following
    the same pattern as seen in the ApplicationsServer and the
    ProfilesServer. I have included a Logger on the server, which I
    intend to use in my next ticket, but feel free to complain that it
    can technically be dropped from this PR.

@Callisto13 Callisto13 mentioned this pull request Mar 4, 2022
Merged
Base automatically changed from fix-sa-role to v2 March 4, 2022 16:00
@Callisto13 Callisto13 linked an issue Mar 8, 2022 that may be closed by this pull request
Refactor wego-app service account role binding #1454
Closed
@Callisto13 Callisto13 force-pushed the refactor-sa branch 2 times, most recently from da22626 to f56c707 Compare March 9, 2022 09:58
@Callisto13 Callisto13 marked this pull request as ready for review March 9, 2022 10:01
@Callisto13 Callisto13 changed the title wip: refactor chart service account feat: Wire core server for Impersonation Mar 9, 2022
@Callisto13
Copy link
Contributor Author

@JamWils @sympatheticmoose could you 2 look at the Chart changes in commit 337d703?

yitsushi
yitsushi approved these changes Mar 9, 2022
View reviewed changes
Copy link
Contributor

@yitsushi yitsushi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love it with all the readability changes ❤️

@Callisto13
Copy link
Contributor Author

No-one get keen and merge anything - looking into something curious in the superuser flow.

jpellizzari
jpellizzari approved these changes Mar 9, 2022
View reviewed changes
Copy link
Contributor

@jpellizzari jpellizzari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent work! I was originally wondering if there is any test coverage to be added here, but I don't see any obvious places to add any.

README.md
@@ -74,6 +74,8 @@ To set up a development environment for the CLI
5. Run `./bin/gitops install --config-repo=<repo url>` (or just `flux install -n flux-system` if you don't care about doing the whole dance.)
6. Start the in-cluster API replacement job (powered by [http://tilt.dev](tilt.dev)) with `make cluster-dev`
7. make or make unit-tests to ensure everything built correctly.
8. The UI will start immediately on port `9001`. Auth is now always on (I do not recommend
turning it off). The password is `dev`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@Callisto13
feat: Refactor chart service account
e63be9d 
1. Strip out the service account (mostly) in the Helm Chart. To keep the
   app's scope limited we are making it "impersonate only". The caveat
   to this is that the Profiles functionality is always on, with queries
   not made by the user. Therefore in this case there is nothing to
   impersonate. So *for now*, the wego-app service account has an
   extra role which will let it query those resources.
2. Add an Admin user to the Chart. With the "impersonate only" plan, we
   require users to enable auth by default. I have therefore added a
   template to create an Admin user with the required permissions.
   The actually password is configurable via values and is left empty.
3. Update the Tiltfile to deploy this Chart locally. All current local
   dev instructions remain true. The dev password is `dev`.
4. Create a default const to hold the value of the default claims
   subject (admin).
@Callisto13
feat: Wire the core server to Impersonate queries
e056f4d 
1. Move the `ImpersonatingConfigGetter` into the `kube` package. This
   felt like a "natural" place to me, feel free to suggest elsewhere if
   you disagree. It has to be moved _somewhere_ to avoid import cycles
   with t'other server.
2. Update the core server to use the default client getter rather than
   our placeholder. With the import cycle fixed this is now doable.
   This default ClientGetter takes a ConfigGetter, so now core will
   Impersonate.
3. Update the server wiring to receive a `CoreServerConfig`, following
   the same pattern as seen in the `ApplicationsServer` and the
   `ProfilesServer`. I have included a `Logger` on the server, which I
   intend to use in my next ticket, but feel free to complain that it
   can technically be dropped from this PR.
@Callisto13
Copy link
Contributor Author

looking into something curious in the superuser flow

false alarm, all good

@Callisto13 Callisto13 merged commit 7ceb85a into v2 Mar 9, 2022
@Callisto13 Callisto13 deleted the refactor-sa branch March 9, 2022 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yitsushi yitsushi yitsushi approved these changes

@jpellizzari jpellizzari jpellizzari approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Refactor wego-app service account role binding
3 participants
@Callisto13 @yitsushi @jpellizzari