WIP: CNTRLPLANE-334: Update KAS structured authentication configuration generation logic to use new uid and extra field
#5840
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: everettraven. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
It is expected that all tests will fail as this is consuming unmerged changes to the openshift/api dependency.
@jonesbr17 ptal
@everettraven: This pull request references CNTRLPLANE-334 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
a0fc23a to c3f2ffa
/retest
/testwith openshift/hypershift/main/e2e-aws openshift/api#2234
/test e2e-aws
/label tide/merge-method-squash
/test e2e-aws
1 similar comment
/test e2e-aws
/payload-with-prs 4.19 ci blocking openshift/api#2234
@everettraven: trigger 4 job(s) of type blocking for the ci release of OCP 4.19
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/cb5c9ea0-0a33-11f0-8c09-1b0434e6e3a5-0
/payload-abort
@everettraven: aborted active payload jobs for pull request #5840
@everettraven: trigger 4 job(s) of type blocking for the ci release of OCP 4.19
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/6f211ab0-0bfc-11f0-87b2-e5e70c1f99a6-0
| required: | ||
| - name | ||
| type: object | ||
| oidcProviders: |
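Review bot: the visible schema fragment shows a `required:` list containing only `- name` directly before `oidcProviders:`, so it is not clear which object that `required` block belongs to or whether the new uid/extra claim-mapping properties end up under the intended object; please include enough surrounding schema in the review to confirm the placement, and confirm this is regenerated output rather than a hand edit.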
This seems wrong. Digging.
e83d621 to ab7df82
| out.Username = username | ||
| out.Groups = groups | ||
|
|
||
| if featuregate.Gates.Enabled(featuregate.ExternalOIDCWithUIDAndExtraClaimMappings) { |
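Review bot: `out.Username` and `out.Groups` are assigned unconditionally while the uid/extra mapping is applied only inside the `featuregate.Gates.Enabled(featuregate.ExternalOIDCWithUIDAndExtraClaimMappings)` branch, so with the gate disabled any uid or extra claim mappings present on the Authentication resource are silently dropped from the generated KAS configuration; add a comment stating that this drop is intentional and a unit test covering the gate-disabled path, and, as the TODO notes, this gate lookup will need to change once #5976 lands.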
TODO: pending #5976 merging, will need to update how the feature gates are being used here
bbf1630 to a9e70f1
Signed-off-by: Bryce Palmer <[email protected]>
1196519 to 8d7c47f
| // TODO: using the default compiler means that we are allowing CEL library usage for the Kube version that maps to our | ||
| // dependency import. This should align with the version of Kubernetes that will be running for a guest cluster instead | ||
| // since that is what will actually load and validate the configuration. |
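Review bot: the TODO in these three comment lines should spell out the concrete consequence of compiling against the vendored Kubernetes CEL environment instead of the guest cluster's: a claim-mapping expression accepted here can still be rejected by an older KAS when it loads the structured authentication configuration, so the failure surfaces at the API server rather than at generation time. Until an OCP-to-Kubernetes version mapping exists, consider compiling with the oldest Kubernetes CEL environment version the operator supports so that validation fails closed, and record in the comment which option was chosen.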
2 lines of thought here:
- We leave this as-is. This means we validate against progressively newer validations every time we bump our kube dependencies. Should generally be safe as kube tries to avoid breaking changes and is heavily concerned with backwards compatibility. However, we may end up with false-positives where a CEL library is available in the version we are using for our dependency, but not available on the KAS being deployed. Seems like a non-starter, but sharing my train of thought here for others.
- We implement a system to map an OCP version --> Kubernetes version. This seems like the only reasonable way to really approach this. In practice, I'm not sure how one would extract this information from the HostedControlPlane resource as it doesn't seem to include the OCP release version it is using in the spec anywhere. Doing some digging on this.
…on for CEL compilation validation Signed-off-by: Bryce Palmer <[email protected]>
/retest
@everettraven: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Closing in favor of #6073
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
What this PR does / why we need it:
Updates the KAS structured authentication configuration generation logic to use the uid and extra claim mapping fields introduced to the authentications.config.openshift.io CRD in CNTRLPLANE-332: Add uid and extra claim mappings for external OIDC configuration (openshift/api#2234).
Which issue(s) this PR fixes (optional, use the fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story):
Fixes #
Checklist