Skip to content

Comments

CFE-882: Route external certificate validation#1549

Closed
thejasn wants to merge 3 commits intoopenshift:masterfrom
thejasn:feature/route-external-certificate
Closed

CFE-882: Route external certificate validation#1549
thejasn wants to merge 3 commits intoopenshift:masterfrom
thejasn:feature/route-external-certificate

Conversation

@thejasn
Copy link
Contributor

@thejasn thejasn commented Jul 5, 2023
edited
Loading

Description

Updates route validations based on openshift/enhancements#1307 which introduces a new field in the route API externalCertificate behind the TP feature gate.

Changes

  • ValidateRoute() has been updated to pass additional args (secrets lister and subjectaccessreviewer) to validate
    externalCertificate and the rbac required. Now it also does additional subject access review authorization checks to verify if the router SA has the correct permissions to parse externalCertificate. It also adds a hard requirement that the secret referenced in externalCertificate be present prior to creating the route.
  • ValidateHostUpdate() has also been updated since updating route host/subdomain is also affected by updating
    certificates on the route. Now certificateChangeRequiresAuth() will always return true if the route has a externalCertificate set (check EP for additional info).
  • ValidateHostExternalCertificate() has been introduced as part of the validations done during route updates, this function specifically checks if the user has the correct permissions on the custom-host sub-resource. Additional details can be found on the EP.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 5, 2023
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jul 5, 2023
edited by openshift-ci bot
Loading

@thejasn: This pull request references CFE-882 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 5, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 5, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@thejasn thejasn changed the title [WIP] CFE-882: Feature/route external certificate validation [WIP] CFE-882: Route external certificate validation Jul 5, 2023
@thejasn thejasn force-pushed the feature/route-external-certificate branch from bc7829a to 679f3fc Compare July 27, 2023 13:01
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 27, 2023
@thejasn thejasn force-pushed the feature/route-external-certificate branch from 679f3fc to e6f2ca7 Compare July 27, 2023 13:08
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 27, 2023
@thejasn thejasn changed the title [WIP] CFE-882: Route external certificate validation CFE-882: Route external certificate validation Jul 27, 2023
@thejasn thejasn force-pushed the feature/route-external-certificate branch from e6f2ca7 to 31a4e26 Compare July 27, 2023 13:27
@thejasn thejasn marked this pull request as ready for review July 27, 2023 14:03
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 27, 2023
@openshift-ci openshift-ci bot requested review from Miciah and soltysh July 27, 2023 14:05
@thejasn thejasn force-pushed the feature/route-external-certificate branch 2 times, most recently from f340708 to 2245efc Compare July 31, 2023 08:22
@thejasn thejasn mentioned this pull request Jul 31, 2023
Closed
@thejasn thejasn force-pushed the feature/route-external-certificate branch from b9b6aac to 9e93e53 Compare August 1, 2023 09:23
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 2, 2023
edited by openshift-ci bot
Loading

@thejasn: This pull request references CFE-882 which is a valid jira issue.

Details

In response to this:

Description

Updates route validations based on openshift/enhancements#1307 which introduces a new field in the route API externalCertificate behind the TP feature gate.

Changes

  • ValidateRoute() has been updated to pass additional args (secrets lister and subjectaccessreviewer) to validate
    externalCertificate and the rbac required. Now it also does additional subject access review authorization checks to verify if the router SA has the correct permissions to parse externalCertificate. It also adds a hard requirement that the secret referenced in externalCertificate be present prior to creating the route.
  • ValidateHostUpdate() has also been updated since updating route host/subdomain is also affected by updating
    certificates on the route. Now certificateChangeRequiresAuth() will always return true if the route has a externalCertificate set (check EP for additional info).
  • ValidateHostExternalCertificate() has been introduced as part of the validations done during route updates, this function specifically checks if the user has the correct permissions on the custom-host sub-resource. Additional details can be found on the EP.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@thejasn thejasn force-pushed the feature/route-external-certificate branch from 9e93e53 to 90c9115 Compare August 3, 2023 05:02
@p0lyn0mial
Copy link
Contributor

p0lyn0mial commented Aug 3, 2023

/cc @p0lyn0mial

@thejasn thejasn mentioned this pull request Aug 8, 2023
Closed
@thejasn thejasn force-pushed the feature/route-external-certificate branch from 90c9115 to 2805597 Compare October 10, 2023 13:40
@thejasn
Copy link
Contributor Author

thejasn commented Oct 11, 2023

/cc @alebedev87

@openshift-ci openshift-ci bot requested a review from alebedev87 October 11, 2023 08:33
@thejasn
Add ValidateHostExternalCertificate to validate routes
7b9e876 
Introduce new external certificate validation function to
check if user has the required rbac when updating routes
and using the ExternalCertificate field on the route.
@thejasn
Update route validations to honour ExternalCertificate
971698e 
Update all route validation functions to parse TP featuregate
and validate ExternalCertificate field on the route.
@thejasn thejasn force-pushed the feature/route-external-certificate branch from 2805597 to 971698e Compare October 11, 2023 09:42
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 11, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: thejasn
Once this PR has been reviewed and has the lgtm label, please assign miciah for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

alebedev87
alebedev87 reviewed Oct 12, 2023
View reviewed changes
Copy link
Contributor

@alebedev87 alebedev87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First run: code oriented, not logic oriented.

pkg/route/common.go
AllowExternalCertificates bool
}

func CheckRouteCustomHostSAR(ctx context.Context, fldPath *field.Path, sarc SubjectAccessReviewCreator) field.ErrorList {
Copy link
Contributor

@alebedev87 alebedev87 Oct 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please provide a comment which verbs and sub resources are supposed to be checked?

Copy link
Contributor

@alebedev87 alebedev87 Nov 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved.

pkg/route/hostassignment/assignment_test.go
Comment on lines +57 to +59
validType bool
secretData map[string]string
validNS bool
Copy link
Contributor

@alebedev87 alebedev87 Oct 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in validation package. What do you think about providing corev1.Secret as a test case input?

@thejasn thejasn force-pushed the feature/route-external-certificate branch from f276dc4 to 186073d Compare October 17, 2023 11:22
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 17, 2023

@thejasn: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@chiragkyal chiragkyal mentioned this pull request Nov 22, 2023
Merged
@chiragkyal
Copy link
Member

chiragkyal commented Jan 17, 2024

/close
Being covered in #1625

@openshift-ci openshift-ci bot closed this Jan 17, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 17, 2024

@chiragkyal: Closed this PR.

Details

In response to this:

/close
Being covered in #1625

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Miciah Miciah Awaiting requested review from Miciah

@soltysh soltysh Awaiting requested review from soltysh

1 more reviewer

@alebedev87 alebedev87 alebedev87 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@thejasn @openshift-ci-robot @p0lyn0mial @chiragkyal @alebedev87 @openshift-merge-robot