CFE-885: Feature route external certificate validation #407
@chiragkyal: This pull request references CFE-885 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.15.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Continue: #385
49d5243 to 532bd3b
/cc @alebedev87

/assign @alebedev87

/assign @vrutkovs
@chiragkyal: This pull request references CFE-885 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
d4a6cd5 to 230d388
ac0a1da to a391162
ab26c65 to 5234209
Looks like the CIs are failing due to Kube 1.29 rebase issue.

Created a PR #425 for Kube 1.29 bump, which should unblock this PR.
Signed-off-by: chiragkyal <ckyal@redhat.com>
5234209 to dfe5716
I ran

I had my forked repo cloned into

/lgtm

/test e2e-aws-ovn-serial
p0lyn0mial left a comment:
Are you planning to add an e2e test for this functionality?
| // RunAPIServer takes the options, starts the API server and waits until stopCh is closed or initial listening fails. | ||
| func (o *OpenShiftAPIServer) RunAPIServer(stopCh <-chan struct{}) error { | ||
| if err := features.InitializeFeatureGates(feature.DefaultMutableFeatureGate, configv1.FeatureGateRouteExternalCertificate); err != nil { | ||
| if err := features.InitializeFeatureGates(feature.DefaultMutableFeatureGate, configv1.SelfManaged, configv1.FeatureGateRouteExternalCertificate); err != nil { |
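Review bot: the hard-coded `configv1.SelfManaged` cluster profile passed to `InitializeFeatureGates` needs an inline comment stating why this binary always uses the self-managed profile regardless of how it is deployed (the HyperShift case raised in review); the justification given in the thread, that this operand does not care about the topology and should not be taught about HyperShift, belongs next to the call so the next reader does not have to find the Slack thread.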
Assuming Hypershift runs this instance of the API server, how does it specify its own profile?
@deads2k suggested always using self-managed here.
xref: https://redhat-internal.slack.com/archives/C06EK9ZH3Q8/p1713363742667139?thread_ts=1713363148.309629&cid=C06EK9ZH3Q8
please add a comment explaining why to this PR.
> please add a comment explaining why to this PR.
Arbitrary choice since this binary doesn't care and teaching the operand about hypershift is not likely to end well.
| AdditionalTrustedCA: caData, | ||
| RouteAllocator: routeAllocator, | ||
| AllowRouteExternalCertificates: feature.DefaultFeatureGate.Enabled(featuregate.Feature(configv1.FeatureGateRouteExternalCertificate)), | ||
| AllowRouteExternalCertificates: feature.DefaultMutableFeatureGate.Enabled(featuregate.Feature(configv1.FeatureGateRouteExternalCertificate)), |
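Review bot: `feature.DefaultMutableFeatureGate.Enabled(...)` is a read-only query, so the read-only `feature.DefaultFeatureGate` used on the removed line is the narrower and preferable handle here; switching to the mutable gate widens the interface this code depends on without using any of the extra surface, so keep `feature.DefaultFeatureGate.Enabled(featuregate.Feature(configv1.FeatureGateRouteExternalCertificate))`.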
why did you change it ?
please bring back the previous version.
Looks like both of them carry the same thing internally.
Is it suggested to use DefaultFeatureGate over DefaultMutableFeatureGate? Because we've used DefaultMutableFeatureGate in kube-apiserver.
DefaultMutableFeatureGate exposes a different interface. DefaultFeatureGate is read-only; it is not a big deal, but I prefer DefaultFeatureGate.
Okay, changed to DefaultFeatureGate
| // ValidateRoute tests if required fields in the route are set. | ||
| func ValidateRoute(route *routeapi.Route, opts RouteValidationOptions) field.ErrorList { | ||
| func ValidateRoute(ctx context.Context, route *routeapi.Route, sarc routecommon.SubjectAccessReviewCreator, secretsGetter corev1client.SecretsGetter, opts routecommon.RouteValidationOptions) field.ErrorList { |
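Review bot: the unchanged doc comment "ValidateRoute tests if required fields in the route are set" no longer describes this function, which now takes a context, a `routecommon.SubjectAccessReviewCreator` and a `corev1client.SecretsGetter` and therefore issues API requests (SubjectAccessReviews and Secret reads) as part of validation; update the comment to say so, and consider a clearer parameter name than `sarc` (the later revision of this signature uses `sarClient`).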
The units we have in strategy_test are going to validate ValidateRoute and ValidateRouteUpdate, right?
Yes, strategy_test are going to validate ValidateRoute and ValidateRouteUpdate
| route := obj.(*routeapi.Route) | ||
| errs := routehostassignment.AllocateHost(ctx, route, s.sarClient, s.hostnameGenerator) | ||
| errs = append(errs, validation.ValidateRoute(route, s.routeValidationOptions())...) | ||
| errs := routehostassignment.AllocateHost(ctx, route, s.sarClient, s.hostnameGenerator, s.routeValidationOptions()) |
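Review bot: the removed line `errs = append(errs, validation.ValidateRoute(route, s.routeValidationOptions())...)` is the only call to `ValidateRoute` in this hunk, and the new `AllocateHost(ctx, route, s.sarClient, s.hostnameGenerator, s.routeValidationOptions())` line does not obviously replace it; confirm that `AllocateHost` (or something else on the create path) now invokes route validation, otherwise creates would skip field validation entirely.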
@benluddy why hasn't this been added as a normal admission plugin?
okay, it looks like this code was added in openshift/kubernetes#1904 and it seems it could be refactored.
| func routeOptionsAdapter(route *routeapi.Route) field.ErrorList { | ||
| return routevalidation.ValidateRoute(route, routevalidation.RouteValidationOptions{}) | ||
| a := &authorizationclient.AuthorizationV1Client{} | ||
| return routevalidation.ValidateRoute(context.Background(), route, a.SubjectAccessReviews(), &v1.CoreV1Client{}, routecommon.RouteValidationOptions{}) | ||
| } | ||
| func routeUpdateOptionsAdapter(route *routeapi.Route, oldRoute *routeapi.Route) field.ErrorList { | ||
| return routevalidation.ValidateRouteUpdate(route, oldRoute, routevalidation.RouteValidationOptions{}) | ||
| a := &authorizationclient.AuthorizationV1Client{} | ||
| return routevalidation.ValidateRouteUpdate(context.Background(), route, oldRoute, a.SubjectAccessReviews(), &v1.CoreV1Client{}, routecommon.RouteValidationOptions{}) | ||
| } |
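Review bot: `&authorizationclient.AuthorizationV1Client{}` and `&v1.CoreV1Client{}` are zero-value clients with no REST client behind them, so any test input that reaches the external-certificate path would nil-pointer panic inside `SubjectAccessReviews().Create` or a Secret get; if these adapters are intended only for metadata validation, say so in a comment next to them, or pass fake clients (for example the fake clientset from client-go) so that a future test which does set `externalCertificate` fails with a clear error instead of a panic.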
Used by units in (for validating object's metadata), we should be fine.

/approve until you resolve some of the comments, also it would be nice if you could add an e2e test for this functionality.

please squash the new commits into
…ificate Signed-off-by: chiragkyal <ckyal@redhat.com>
595df6e to 74f2fc1
We are planning to add e2e tests while graduating this feature to GA.

Done. Are we good to unhold and merge?
| // ValidateRoute tests if required fields in the route are set. | ||
| func ValidateRoute(route *routeapi.Route, opts RouteValidationOptions) field.ErrorList { | ||
| func ValidateRoute(ctx context.Context, route *routeapi.Route, sarClient routecommon.SubjectAccessReviewCreator, secretsGetter corev1client.SecretsGetter, opts routecommon.RouteValidationOptions) field.ErrorList { |
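Review bot: the PR description says `ValidateRoute()` receives a "secrets lister", but this signature takes a `corev1client.SecretsGetter`, which performs live GET requests against the API server on every validation rather than reading an informer cache; since the thread already notes that create and update issue many SAR requests, either use a lister-backed getter or state the live-read cost in the doc comment, and align the description with whichever is chosen.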
As a final comment, create and update require a lot of SAR requests, but that was agreed upon, described in the proposal and added to the library-go code - https://github.com/thejasn/enhancements/blob/d4c7701193646105e2c60b2b996047ddfed083a4/enhancements/ingress/route-secret-injection-for-external-certificate-management.md
/hold cancel
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: chiragkyal, Miciah, p0lyn0mial. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@chiragkyal: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ART PR BUILD NOTIFIER] This PR has been included in build ose-openshift-apiserver-container-v4.17.0-202404302014.p0.gdd8658e.assembly.stream.el9 for distgit ose-openshift-apiserver.
Description
Updates route validations based on openshift/enhancements#1307 which introduces a new field in the route API, `externalCertificate`, behind the TP feature gate.

Changes
- `ValidateRoute()` has been updated to pass additional args (secrets lister and subjectaccessreviewer) to validate `externalCertificate` and the rbac required.
- `ValidateHostUpdate()` has also been updated since updating route host/subdomain is also affected by updating certificates on the route.
- `ValidateHostExternalCertificate()` has been introduced as part of the validations done during route updates; this function specifically checks if the user has the correct permissions on the `custom-host` sub-resource. Additional details can be found on the EP.

Follow up from: openshift/library-go#1625
Featuregate wiring: #382
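As an added illustration of the validation pattern the description outlines, and not code from this PR or from openshift/library-go: a route that references an external certificate Secret is accepted only after an authorization review confirms the requester may read that Secret and, when a custom host is set, may use the `routes/custom-host` sub-resource. The `Route`, `Requester`, `AccessReviewer` and `SecretLookup` types and the constructed `fakeReviewer` are assumptions standing in for `routeapi.Route`, the `SubjectAccessReviewCreator` and the `SecretsGetter` parameters; the call counter makes the per-validation SAR cost, which the review thread raises, visible.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Route models only the fields this example needs (hypothetical stand-in for routeapi.Route).
type Route struct {
	Namespace, Name, Host string
	// ExternalCertificate names a Secret in the route's namespace holding the TLS certificate.
	ExternalCertificate string
}

// Requester identifies the user on whose behalf validation runs.
type Requester struct{ User string }

// accessCheck is one authorization question, a simplified SubjectAccessReview spec (assumed shape).
type accessCheck struct{ Namespace, Verb, Group, Resource, Subresource, Name string }

// AccessReviewer is the hook validation uses to ask "is this user allowed to do X?".
type AccessReviewer interface {
	Review(ctx context.Context, who Requester, c accessCheck) (allowed bool, err error)
}

// SecretLookup confirms the referenced Secret exists (stand-in for a secrets getter/lister).
type SecretLookup func(ctx context.Context, namespace, name string) (bool, error)

// ValidationError mirrors a field.Error: which field failed and why.
type ValidationError struct{ Field, Reason string }

func (e ValidationError) Error() string { return e.Field + ": " + e.Reason }

type fieldCheck struct {
	field string
	check accessCheck
}

// validateExternalCertificate performs the authorization-gated checks:
// the Secret must exist, the requester must be allowed to read it, and if a
// host is set the requester must be allowed the custom-host sub-resource.
// A failed review (API error) is reported separately from an outright denial.
func validateExternalCertificate(ctx context.Context, r Route, who Requester,
	reviewer AccessReviewer, secrets SecretLookup) []ValidationError {
	var errs []ValidationError
	if r.ExternalCertificate == "" {
		return errs // field unset: nothing to authorize
	}
	exists, err := secrets(ctx, r.Namespace, r.ExternalCertificate)
	switch {
	case err != nil:
		errs = append(errs, ValidationError{"spec.tls.externalCertificate", "lookup failed: " + err.Error()})
	case !exists:
		errs = append(errs, ValidationError{"spec.tls.externalCertificate", "secret not found"})
	}
	checks := []fieldCheck{{"spec.tls.externalCertificate",
		accessCheck{r.Namespace, "get", "", "secrets", "", r.ExternalCertificate}}}
	if r.Host != "" {
		checks = append(checks, fieldCheck{"spec.host",
			accessCheck{r.Namespace, "create", "route.openshift.io", "routes", "custom-host", r.Name}})
	}
	for _, c := range checks {
		allowed, err := reviewer.Review(ctx, who, c.check)
		if err != nil {
			errs = append(errs, ValidationError{c.field, "authorization check failed: " + err.Error()})
			continue
		}
		if !allowed {
			errs = append(errs, ValidationError{c.field, fmt.Sprintf("user %q is not permitted to %s %s/%s",
				who.User, c.check.Verb, c.check.Resource, c.check.Name)})
		}
	}
	return errs
}

// fakeReviewer is a constructed stand-in for the API server's SAR endpoint:
// a map of granted checks, a call counter, and a switch to simulate an outage.
type fakeReviewer struct {
	allowed map[string]bool
	calls   int
	fail    bool
}

func key(who Requester, c accessCheck) string {
	return fmt.Sprintf("%s|%s|%s|%s/%s|%s", who.User, c.Namespace, c.Verb, c.Resource, c.Subresource, c.Name)
}

func (f *fakeReviewer) Review(_ context.Context, who Requester, c accessCheck) (bool, error) {
	f.calls++
	if f.fail {
		return false, errors.New("subjectaccessreview: server unavailable")
	}
	return f.allowed[key(who, c)], nil
}

// demo runs three constructed scenarios (authorized user, unauthorized user,
// API server down) and returns each result plus the SAR count for the first.
func demo() (ok, denied, apiDown []ValidationError, sarCalls int) {
	ctx := context.Background()
	route := Route{Namespace: "team-a", Name: "web", Host: "web.example.test", ExternalCertificate: "web-tls"}
	alice := Requester{User: "alice"}
	secrets := func(_ context.Context, ns, name string) (bool, error) {
		return ns == "team-a" && name == "web-tls", nil // constructed: only this Secret exists
	}
	granted := &fakeReviewer{allowed: map[string]bool{
		key(alice, accessCheck{"team-a", "get", "", "secrets", "", "web-tls"}):                            true,
		key(alice, accessCheck{"team-a", "create", "route.openshift.io", "routes", "custom-host", "web"}): true,
	}}
	ok = validateExternalCertificate(ctx, route, alice, granted, secrets)
	sarCalls = granted.calls
	denied = validateExternalCertificate(ctx, route, Requester{User: "bob"}, granted, secrets)
	apiDown = validateExternalCertificate(ctx, route, alice, &fakeReviewer{fail: true}, secrets)
	return
}

func main() {
	ok, denied, apiDown, calls := demo()
	fmt.Println("alice:", ok, "SARs issued:", calls)
	fmt.Println("bob:", denied)
	fmt.Println("API down:", apiDown)
}
```

Every route create or update that sets `externalCertificate` costs one review per check (two here), which is why the thread flags the SAR volume; the example also keeps "denied" and "could not decide" distinct so an API outage is not misreported as a permissions problem.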