-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Expose /token endpoint as API extension #22
Conversation
Skipping CI for Draft Pull Request. |
5a09cb8
to
0e96b2d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added one comment for now, I will review the rest tomorrow.
metadata: | ||
name: v1alpha1.token.kubevirt.io | ||
annotations: | ||
service.beta.openshift.io/inject-cabundle: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will it break deployments on plain Kubernetes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently the proxy does not work on plain k8s, because of this annotation and a similar one in serivce.yaml
.
They make the implementation simpler. There is already an open issue #16 to do this certificate generation manually and to not depend on openshift.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW I'm cool with this being fixed in the future once this API moves to beta etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still need to play around with this locally but overall it's looking good. I've just left a few supernits and a question about the resource naming for now.
metadata: | ||
name: v1alpha1.token.kubevirt.io | ||
annotations: | ||
service.beta.openshift.io/inject-cabundle: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW I'm cool with this being fixed in the future once this API moves to beta etc.
_, err := authReader.GetGroupHeaders() | ||
return err | ||
}, time.Second, 100*time.Millisecond). | ||
Should(MatchError(ContainSubstring(groupHeadersKey + " not found in configmap"))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this valid use of MatchError
and ContainSubstring
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it's valid. We use it in SSP for example:
https://github.com/kubevirt/ssp-operator/blob/3470569dbecbe6fee98b45b23a071d85c2cfae55/tests/webhook_test.go#L156
And here is the relevant part of the implementation of MatchErrorMatcher.Match()
:
vm-console-proxy/vendor/github.com/onsi/gomega/matchers/match_error_matcher.go
Lines 35 to 42 in d139fec
var subMatcher omegaMatcher | |
var hasSubMatcher bool | |
if expected != nil { | |
subMatcher, hasSubMatcher = (expected).(omegaMatcher) | |
if hasSubMatcher { | |
return subMatcher.Match(actualErr.Error()) | |
} | |
} |
It allows passing nested matchers.
} | ||
|
||
// testCa is s self-signed certificate with that expires at 2033-07-23 | ||
const testCa = `-----BEGIN CERTIFICATE----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Put this cnst at top of file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I think this constant is a non-important detail. Having it on the top would only make readers scroll down.
pkg/console/service/service_test.go
Outdated
testService.TokenHandler(request, response) | ||
|
||
Expect(recorder.Code).To(Equal(http.StatusUnauthorized)) | ||
Expect(recorder.Body.String()).To(ContainSubstring("does not have permission to access virtualmachineinstances/vnc endpoint")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it still return this error message? I thought we removed all err messages when returing 401?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the PR to remove the message was not merged yet: #23
@@ -266,3 +308,25 @@ func TestTlsConfig(t *testing.T) { | |||
RegisterFailHandler(Fail) | |||
RunSpecs(t, "TLS Config Suite") | |||
} | |||
|
|||
// testCa is s self-signed certificate with that expires at 2033-07-23 | |||
const testCa = `-----BEGIN CERTIFICATE----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Put this on top of the file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, the same reason as in the other file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some nits but in general I approve.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 0xFelix The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
Some previous commit did not update go.mod Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
In tests/test_suite_test.go, the package "golang.org/x/net/context" was imported by mistake. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
This change uses ApiService resource to register the vm-console-proxy service as an API extension. The connection from API server to the proxy uses TLS with certificate authentication on both sides. To check the certificate from the API server, the proxy uses a CA loaded from the ConfigMap "extension-apiserver-authentication" in the "kube-system" namespace. More information: https://kubernetes.io/docs/tasks/extend-kubernetes/setup-extension-api-server/ Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
This PR is still a work in progress
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes part of #20
Jira: https://issues.redhat.com/browse/CNV-31169
Release note: