Add Authentication and OAuth crds

[sallyom]

This PR adds CRDs for Authentication and OAuth and a default CR for each.
@enj

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sallyom
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: abhinavdahiya

If they are not already assigned, you can assign the PR to them by writing /assign @abhinavdahiya in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abhinavdahiya]

why am i seeing these changes https://github.com/openshift/installer/pull/948/files#diff-6883245a42348c108776e47496bbf7c7

[staebler]

Comments in pkg/asset/manifests/authentication.go apply to pkg/asset/manifests/oauth.go as well.

See #943 for a discussion about whether these manifests should be written out by the manifest-templates target.

[staebler]

Better error message.

[sallyom]

done

[staebler]

Wrap error in a meaningful message.

[sallyom]

done

[staebler]

This asset should not be loadable. Its files will be loaded by the Common Manifests asset. For more context, see #877.

[sallyom]

👍 got it, thanks

[staebler]

Remove this field. It is not needed.

[sallyom]

done

[sallyom]

@abhinavdahiya I updated the commit in Gopkg.tomlfor openshift/api, then ran dep ensure, commited those changes in a single commit. I don't know why this file pkg/terraform/exec/vendor/github.com/masterzen/winrm/ntlm.go showed that diff, was not my direct doing. I over gofmt-ed, whoops

[staebler]

@abhinavdahiya I updated the commit in Gopkg.tomlfor openshift/api, then ran dep ensure, commited those changes in a single commit. I don't know why this file pkg/terraform/exec/vendor/github.com/masterzen/winrm/ntlm.go showed that diff, was not my direct doing.

@sallyom It looks like the result of running go fmt on the files.

[abhinavdahiya]

I updated the commit in Gopkg.tomlfor openshift/api, then ran dep ensure, commited those changes in a single commit. I don't know why this file pkg/terraform/exec/vendor/github.com/masterzen/winrm/ntlm.go showed that diff, was not my direct doing.

the seem formatting changes... maybe gofmt issues?

[enj]

Set spec.subresources.status to the empty object for both resources.

[sallyom]

done

[enj]

All we need for this is:

	configv1.Authentication{
		TypeMeta: metav1.TypeMeta{
			Kind:       "Authentication",
			APIVersion: configv1.GroupVersion.String(),
		},
		ObjectMeta: metav1.ObjectMeta{
			Name: "cluster",
		},
	}

[sallyom]

done

[enj]

	configv1.OAuth{
		TypeMeta: metav1.TypeMeta{
			Kind:       "OAuth",
			APIVersion: configv1.GroupVersion.String(),
		},
		ObjectMeta: metav1.ObjectMeta{
			Name: "cluster",
		},
		Spec: configv1.OAuthSpec{
			TokenConfig: configv1.TokenConfig{
				AuthorizeTokenMaxAgeSeconds: 5 * 60,       // 5 minutes
				AccessTokenMaxAgeSeconds:    24 * 60 * 60, // 1 day
			},
		},
	}

[sallyom]

done

[sallyom]

@abhinavdahiya @staebler yes, was gofmt, duh! I was wondering why gofmt -w pkg/. took so much longer than usual , I would've noticed it eventually.. thanks

[sallyom]

@enj from cluster installed w/ this PR:

$ oc get authentications -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Authentication
  metadata:
    creationTimestamp: 2018-12-20T02:13:49Z
    generation: 1
    name: cluster
    namespace: ""
    resourceVersion: "225"
    selfLink: /apis/config.openshift.io/v1/authentications/cluster
    uid: e341ed0d-03fc-11e9-9f58-0256a9d73dc6
  spec:
    oauthMetadata:
      name: ""
    webhookTokenAuthenticators: null
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

and

$ oc get oauths -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: OAuth
  metadata:
    creationTimestamp: 2018-12-20T02:13:49Z
    generation: 1
    name: cluster
    namespace: ""
    resourceVersion: "232"
    selfLink: /apis/config.openshift.io/v1/oauths/cluster
    uid: e3464dbd-03fc-11e9-9f58-0256a9d73dc6
  spec:
    identityProviders: null
    templates:
      error:
        name: ""
      login:
        name: ""
      providerSelection:
        name: ""
    tokenConfig:
      accessTokenMaxAgeSeconds: 86400
      authorizeTokenMaxAgeSeconds: 300
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

[sallyom]

@staebler addressed your feedback, thanks!
@abhinavdahiya un-gofmt-ed files unrelated to this PR

[wking]

Why does the installer need to be involved here? These look like static objects that could be injected following the standard approach.

[deads2k]

Why does the installer need to be involved here? These look like static objects that could be injected following the standard approach.

@wking we have a unusual situation that we need to kick loose. Our operators are based on binaries, but our configuration is explicitly built to group features not binaries. This makes it easy for admins to describe a unified configuration without worrying about a deployment topology, but it leaves us in a spot where there isn't an obvious owning operator to produce the CRDs themselves.

In addition, this feature based configuration is logically an object that cluster-admins will want access to when they render out from the installer. I suspect that long term we will produce a "fake" operator that's only job is to provide CRD manifests for rending. The one that occurs to me is cluster-bootstrap (bootkube replacement), but the parallel efforts have not met. That would give you a CRD resource, but not the CR, which I think would be cleaner to render from the installer itself because it would never be later produced or managed by any component we have.

[sallyom]

/test e2e-aws

[wking]

Our operators are based on binaries, but our configuration is explicitly built to group features not binaries.

Putting these under a parent operator makes sense to me.

The one that occurs to me is cluster-bootstrap (bootkube replacement), but the parallel efforts have not met.

When the CVO rolls out an update, will it push out updated objects from cluster-boptstrap's manifests?

That would give you a CRD resource, but not the CR, which I think would be cleaner to render from the installer itself because it would never be later produced or managed by any component we have.

Anything injected only by the installer will make 3.x -> 4 transition more complicated. Why can't the CRD-managine operator set the default, tell the CVO it's happy, and exit?

[ericavonb]

I agree with @wking. I don't think this approach makes sense. The purpose of the operator-driven architecture is specifically to decouple components into individual control loops focusing on specific concerns. This is important for automatic updates, faster development by teams, more resilient clusters, etc.

Our operators are based on binaries, but our configuration is explicitly built to group features not binaries.
This is the wrong framing. Our operators should be built around features. The operators are not the thing we want users to concentrate on configuring but rather we want user interacting with the custom resources managed by the operators that abstract away underlying services. Yes, a binary often needs to be run to achieve that functionality but that's not driving factor.

Operators do need to be installed, upgraded, scaled. To automate that process, I'd prefer creating an abstraction to represent the operators (ideally the same resource types for all operators, like ClusterOperators or ClusterServiceVersions). Then a meta-operator can react to changes to desired operator state and such.

[sallyom]

closing, in favor of this: openshift/cluster-authentication-operator#7