
feat: Expose /token endpoint as API extension #22

Merged: 4 commits, Aug 4, 2023

Conversation

@akrejcir (Collaborator) commented Jul 25, 2023

This PR is still a work in progress

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes part of #20

Jira: https://issues.redhat.com/browse/CNV-31169

Release note:

The /token endpoint is exposed as a kubernetes API extension

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Jul 25, 2023
openshift-ci bot commented Jul 25, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jul 25, 2023
@akrejcir akrejcir added this to the v0.3.0 milestone Jul 25, 2023
@akrejcir akrejcir force-pushed the api-extension branch 2 times, most recently from 5a09cb8 to 0e96b2d Compare August 1, 2023 14:53
@akrejcir akrejcir marked this pull request as ready for review August 1, 2023 14:53
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 1, 2023
@akrejcir (Collaborator, Author) commented Aug 1, 2023

This is ready for review now.

/cc @0xFelix @ksimon1 @lyarwood

@0xFelix (Member) left a comment

Added one comment for now, I will review the rest tomorrow.

metadata:
name: v1alpha1.token.kubevirt.io
annotations:
service.beta.openshift.io/inject-cabundle: "true"
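Review bot: the service.beta.openshift.io/inject-cabundle annotation on this APIService is an OpenShift service-ca convention, so on a cluster without that operator spec.caBundle stays empty and the aggregator cannot verify the proxy's serving certificate; the thread confirms plain Kubernetes does not work today and #16 tracks generating the certificate without OpenShift. Until that lands, the OpenShift requirement should be stated in the manifests and in the release note, which currently reads as if any Kubernetes cluster is supported, and it must not be papered over with insecureSkipTLSVerify: true on the APIService, since that removes server authentication on the path that carries the token request.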
Member:
Will it break deployments on plain Kubernetes?

Collaborator Author:

Currently the proxy does not work on plain k8s, because of this annotation and a similar one in service.yaml.
They make the implementation simpler. There is already an open issue #16 to do this certificate generation manually and to not depend on OpenShift.

Member:

FWIW I'm cool with this being fixed in the future once this API moves to beta etc.

@lyarwood (Member) left a comment
I still need to play around with this locally but overall it's looking good. I've just left a few supernits and a question about the resource naming for now.

pkg/console/auth-config/auth-config.go (outdated, resolved)
pkg/console/console.go (outdated, resolved)
pkg/console/console.go (outdated, resolved)
pkg/console/auth-config/auth-config.go (outdated, resolved)
pkg/console/service/service.go (outdated, resolved)
pkg/console/auth-config/auth-config.go (outdated, resolved)
tests/tests_suite_test.go (outdated, resolved)
pkg/console/service/service.go (outdated, resolved)
pkg/console/service/service.go (outdated, resolved)
pkg/console/auth-config/auth-config.go (outdated, resolved)
pkg/console/auth-config/auth-config_test.go (outdated, resolved)
_, err := authReader.GetGroupHeaders()
return err
}, time.Second, 100*time.Millisecond).
Should(MatchError(ContainSubstring(groupHeadersKey + " not found in configmap")))
Member:
Is this valid use of MatchError and ContainSubstring?

Collaborator Author (akrejcir) commented Aug 3, 2023:

Yes, it's valid. We use it in SSP for example:
https://github.com/kubevirt/ssp-operator/blob/3470569dbecbe6fee98b45b23a071d85c2cfae55/tests/webhook_test.go#L156

And here is the relevant part of the implementation of MatchErrorMatcher.Match():

var subMatcher omegaMatcher
var hasSubMatcher bool
if expected != nil {
	subMatcher, hasSubMatcher = (expected).(omegaMatcher)
	if hasSubMatcher {
		return subMatcher.Match(actualErr.Error())
	}
}

It allows passing nested matchers.

}

// testCa is s self-signed certificate with that expires at 2033-07-23
const testCa = `-----BEGIN CERTIFICATE-----
Member: Put this const at top of file?

Collaborator Author:
No, I think this constant is a non-important detail. Having it on the top would only make readers scroll down.

pkg/console/service/service.go (outdated, resolved)
testService.TokenHandler(request, response)

Expect(recorder.Code).To(Equal(http.StatusUnauthorized))
Expect(recorder.Body.String()).To(ContainSubstring("does not have permission to access virtualmachineinstances/vnc endpoint"))
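Review bot: the assertion `Expect(recorder.Body.String()).To(ContainSubstring("does not have permission to access virtualmachineinstances/vnc endpoint"))` pins the authorization-failure detail into the test even though #23 removes error messages from 401 responses; assert on http.StatusUnauthorized only, so this test does not need a second edit when #23 merges and does not lock in a response body that tells an unauthenticated caller which endpoint it lacks access to.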
Member: Does it still return this error message? I thought we removed all err messages when returning 401?

Collaborator Author:
Yes, the PR to remove the message was not merged yet: #23

pkg/console/tlsconfig/tlsconfig_test.go (outdated, resolved)
pkg/console/tlsconfig/tlsconfig_test.go (outdated, resolved)
@@ -266,3 +308,25 @@ func TestTlsConfig(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "TLS Config Suite")
}

// testCa is s self-signed certificate with that expires at 2033-07-23
const testCa = `-----BEGIN CERTIFICATE-----
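Review bot: the comment on the new testCa constant reads "is s self-signed certificate with that expires at 2033-07-23" and should read "is a self-signed certificate that expires on 2033-07-23"; the same wording is duplicated on the copy of this constant in the other test file. Beyond the typo, a hard-coded certificate with a fixed expiry means the suite silently starts failing in 2033; generating the test CA at run time with crypto/x509 in a small helper removes the expiry and the large PEM literal, which also settles the question of where in the file it belongs.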
Member:
Put this on top of the file?

Collaborator Author:
No, the same reason as in the other file.

tests/proxy_test.go (resolved)
@0xFelix (Member) left a comment

Some nits but in general I approve.

/approve

manifests/api_service.yaml (outdated, resolved)
manifests/role_binding.yaml (resolved)
manifests/transformer_namespace.yaml (outdated, resolved)
pkg/console/authConfig/fake/fake.go (outdated, resolved)
pkg/console/console.go (outdated, resolved)
kubevirt-bot (Contributor) commented:
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 0xFelix

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 3, 2023
Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
Some previous commit did not update go.mod

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
In tests/test_suite_test.go, the package "golang.org/x/net/context"
was imported by mistake.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
This change uses ApiService resource to register the vm-console-proxy
service as an API extension. The connection from API server to the proxy
uses TLS with certificate authentication on both sides.

To check the certificate from the API server, the proxy uses a CA loaded
from the ConfigMap "extension-apiserver-authentication" in the "kube-system"
namespace.

More information: https://kubernetes.io/docs/tasks/extend-kubernetes/setup-extension-api-server/

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
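The commit message above describes the trust relationship the proxy has to implement: the API server's aggregator connects with a client certificate, and the proxy checks that certificate against the request-header CA published in the "extension-apiserver-authentication" ConfigMap in "kube-system". The Go program below is an added example written for this page; it is not vm-console-proxy's code. The ConfigMap keys are the ones Kubernetes documents for extension API servers, while IssueCert, SampleConfigMapData and the CN "front-proxy-client" are constructed here so the example runs offline instead of reading the cluster. It goes one step further than the commit message by also applying the "requestheader-allowed-names" list from the same ConfigMap: without that check, any certificate issued by the request-header CA would be accepted as the aggregator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const ( // keys of the kube-system/extension-apiserver-authentication ConfigMap (Kubernetes docs)
	requestHeaderCAKey = "requestheader-client-ca-file"
	allowedNamesKey    = "requestheader-allowed-names"
)

// AuthConfig is what the proxy needs to decide whether a TLS client is really the aggregator.
type AuthConfig struct {
	ClientCAs    *x509.CertPool
	AllowedNames map[string]bool // empty: any CN issued by the CA is accepted
}

// ParseAuthConfig builds an AuthConfig from the ConfigMap's data section.
func ParseAuthConfig(data map[string]string) (*AuthConfig, error) {
	cfg := &AuthConfig{ClientCAs: x509.NewCertPool(), AllowedNames: map[string]bool{}}
	if !cfg.ClientCAs.AppendCertsFromPEM([]byte(data[requestHeaderCAKey])) {
		return nil, fmt.Errorf("%s not found in configmap or not parsable", requestHeaderCAKey)
	}
	var names []string // stored as a JSON array; an absent key means "no restriction"
	if raw := data[allowedNamesKey]; raw != "" {
		if err := json.Unmarshal([]byte(raw), &names); err != nil {
			return nil, fmt.Errorf("%s: %w", allowedNamesKey, err)
		}
	}
	for _, n := range names {
		cfg.AllowedNames[n] = true
	}
	return cfg, nil
}

// VerifyAggregatorClient accepts a client certificate only if it chains to the request-header CA
// and, when allowed names are set, its CN is listed; otherwise any cert from that CA could set the headers.
func (c *AuthConfig) VerifyAggregatorClient(leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: c.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if len(c.AllowedNames) > 0 && !c.AllowedNames[leaf.Subject.CommonName] {
		return fmt.Errorf("client certificate CN %q is not in %s", leaf.Subject.CommonName, allowedNamesKey)
	}
	return nil
}

// IssueCert makes a short-lived certificate so the example runs offline (constructed helper, not cluster
// behaviour); with parent == nil it is a self-signed CA. A real cluster fills the ConfigMap itself.
func IssueCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SampleConfigMapData is a constructed stand-in for the ConfigMap's data section; the
// allowed name is the CN kubeadm gives the aggregator's front-proxy client certificate.
func SampleConfigMapData(ca *x509.Certificate) map[string]string {
	return map[string]string{
		requestHeaderCAKey: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})),
		allowedNamesKey:    `["front-proxy-client"]`,
	}
}

func main() {
	ca, caKey, _ := IssueCert("front-proxy-ca", nil, nil)
	cfg, _ := ParseAuthConfig(SampleConfigMapData(ca))
	leaf, _, _ := IssueCert("some-other-client", ca, caKey)
	fmt.Println(cfg.VerifyAggregatorClient(leaf)) // rejected: CN is not in the allowed names
}
```

The allowed-names check runs on the leaf after Go has verified the chain; to wire it into the listener, build a tls.Config with ClientAuth set to tls.RequireAndVerifyClientCert, ClientCAs set to cfg.ClientCAs, and a VerifyPeerCertificate callback that passes the first verified chain's leaf to VerifyAggregatorClient. Only once that check has passed should the proxy read the user and group headers named by the ConfigMap's "requestheader-username-headers" and "requestheader-group-headers" keys (the groupHeadersKey the test above refers to), because those headers are the aggregator's word for who the caller is.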
@lyarwood (Member) left a comment

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 4, 2023
@kubevirt-bot kubevirt-bot merged commit da56dd7 into kubevirt:main Aug 4, 2023
@akrejcir akrejcir deleted the api-extension branch August 4, 2023 09:37
Labels: approved, dco-signoff: yes, lgtm, release-note, size/XXL