Enable overriding service account issuer for bound tokens #569
Conversation
// serviceAccountIssuer is the identifier of the bound service account token issuer.
// +optional
ServiceAccountIssuer string `json:"serviceAccountIssuer"`
Is there any special format? Is it a URL?
Is there a default value?
Maybe "serviceAccountIssuer configures the issuer for bound service account tokens" would make more sense as an explanation for a common user?
It's just a string. It can be configured with a URL to source the public key to verify issued tokens (as is the case for the EKS webhook), but it can also just be a textual value used by the verifier in kube-apiserver to identify that a token was issued by it.
As to the question of a default value, the operator will set auth.openshift.io in defaultconfig.yaml. Does that need to be documented here given that the API isn't the one defaulting it?
> It's just a string. It can be configured with a URL to source the public key to verify issued tokens (as is the case for the EKS webhook), but it can also just be a textual value used by the verifier in kube-apiserver to identify that a token was issued by it.

Provide the recommended options in the godoc.

> As to the question of a default value, the operator will set auth.openshift.io in defaultconfig.yaml. Does that need to be documented here given that the API isn't the one defaulting it?

Yes, the behavior of the system and the repercussions of choices needs to be described here.
something like [^:]*|someURLRegEx
Wait, why don't I want to allow an empty string given that will be the default?
We could. But then we have two ways to express that: empty and undefined. Kind of ugly.
A 'url regex' is a non-trivial thing (as per https://mathiasbynens.be/demo/url-regex). I get that it's desirable to validate up-front, but having to validate complex data declaratively like this seems error prone. Do you still want regex validation, or would it make sense to instead do a url check in code when the field is observed and report an error in the operator logs or an event?
am fine with later validation and reporting via e.g. a condition
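The in-code alternative the two reviewers settle on above, as an added example that is not code from this PR or the OpenShift operator: apply the empty-value default from the thread, accept either an opaque identifier (the `[^:]*` shape) or a URL, and surface a bad value as a status condition instead of rejecting it with a declarative regex. The URL rule (https, a host, no query or fragment) is my assumption, taken from OIDC Discovery's requirements on issuer identifiers; `Condition`, `DefaultServiceAccountIssuer` and the function names are constructed stand-ins.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DefaultServiceAccountIssuer is what the thread says the operator sets in defaultconfig.yaml.
const DefaultServiceAccountIssuer = "auth.openshift.io"
// Condition is a minimal stand-in for an operator status condition, not the real OpenShift type.
type Condition struct{ Type, Status, Reason, Message string }
// ResolveServiceAccountIssuer applies the default for an empty value, then validates in code
// rather than with a declarative regex: a value containing "://" must be an https URL with a
// host and no query or fragment (assumed rule); anything else is an opaque identifier that
// must not contain ':' (the [^:]* shape from the thread).
func ResolveServiceAccountIssuer(raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if v == "" {
		return DefaultServiceAccountIssuer, nil
	}
	if strings.Contains(v, "://") {
		u, err := url.Parse(v)
		if err != nil {
			return "", fmt.Errorf("serviceAccountIssuer %q is not a valid URL: %w", v, err)
		}
		if u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("serviceAccountIssuer %q must be an https URL with a host", v)
		}
		if u.RawQuery != "" || u.Fragment != "" {
			return "", fmt.Errorf("serviceAccountIssuer %q must not carry a query or fragment", v)
		}
		return v, nil
	}
	if strings.ContainsRune(v, ':') {
		return "", fmt.Errorf("serviceAccountIssuer %q must be a URL or contain no ':'", v)
	}
	return v, nil
}

// IssuerCondition surfaces the outcome as a condition instead of rejecting the config up front.
func IssuerCondition(raw string) Condition {
	if _, err := ResolveServiceAccountIssuer(raw); err != nil {
		return Condition{"ServiceAccountIssuerDegraded", "True", "InvalidIssuer", err.Error()}
	}
	return Condition{"ServiceAccountIssuerDegraded", "False", "AsExpected", ""}
}
func main() { // constructed inputs: an opaque identifier and a malformed URL value
	fmt.Printf("%+v\n%+v\n", IssuerCondition("kubernetes/serviceaccount"), IssuerCondition("https://x/?q=1"))
}
```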
kubecontrolplane/v1/types.go
Outdated
// issuer.
ServiceAccountIssuer string `json:"serviceAccountIssuer"`

// apiAudiences is a list of identifies of the API. The service account token
nit: identifiers
Done!
kubecontrolplane/v1/types.go
Outdated
// serviceAccountIssuer is the identifier of the bound service account token
// issuer. If not provided, a default value of "auth.openshift.io" will be used.
ServiceAccountIssuer string `json:"serviceAccountIssuer"`
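Review bot: the godoc now states the default but still says nothing about the accepted shape of the value, which the discussion above establishes can be either a plain identifier or a URL used to locate the public key for token verification; add one sentence covering that, e.g. `// The value may be an opaque string or a URL; if a URL is given, it is used to locate the public key for verifying issued tokens.` Since validation was agreed to happen in code and be reported via a condition rather than up front, the comment should also say that an invalid value is reported by the operator rather than rejected at admission.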
these can be passed as flags, right? If we can use flags, then we don't add the types here. We want to eliminate this type over time and only use the upstream provided values.
That sounds preferable, but it is not clear from reading the code how exactly these flags would be specified by the operator (or overridden by an administrator). Are there docs/examples/code/etc you can point me to?
Done
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: marun, sttts
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
In particular, to get openshift/api#585: config: disable IPv6DualStack feature flag so we don't launch kube-controller-manager with that (still-broken) feature. Also includes:
- openshift/api#557: create the IBMCLoudPlatform type for the ingress operator try2
- openshift/api#570: Clarify image config doc
- openshift/api#569: Enable overriding service account issuer for bound tokens
- openshift/api#527: Add kubebuilder annotations to the network types
- openshift/api#574: add deprecation notice for build pipeline strategy
- openshift/api#582: config/v1/types_proxy: Clarify trustedCA semantics
- openshift/api#583: Clarify FROM behavior in builds
- openshift/api#573: Add CRD generator documentation to Readme
- openshift/api#576: Remove Description from CLI output to improve its display
- openshift/api#589: Add missing enum validations
- openshift/api#583: operator/ingress: add dnsrecord type
Implements support for overriding the service account issuer as per openshift/enhancements#150: