Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OCPBUGS-45371: Fix issue where TokenReview was not working as expected #14681

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

TheRealJon
Copy link
Member

@TheRealJon TheRealJon commented Jan 15, 2025

We expected the console service account bearer token to be present on the internal k8s REST
configuration, but it was not. This caused all TokenReview requests to be skipped since no bearer
token was available to make the requests.

  • Update OpenShift authenticator to use a k8s client-go Clientset to make TokenReview requests. This
    Clientset is configured using the same REST config that the main server uses to proxy console
    service account delegated requests, meaning whatever console service account bearer token is
    configured on the main server is the same one used for TokenReview requests.
  • Update main.go to accept an off-cluster bearer token, which is used to make console service
    account delegated requests in an off-cluster, auth-enabled environment.
  • Update the README instructions for auth-enabled dev environments to include setting up a console
    service account API token and consume it through the new bridge arg.
  • Update examples/run-bridge.sh to consume an off-cluster service acccount token file

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 15, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 15, 2025
@openshift-ci-robot
Copy link
Contributor

@TheRealJon: This pull request references Jira Issue OCPBUGS-45371, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Use the internal k8s rest config property on the openshift authenticator to make a k8s Clientset that can be used to create TokenReviews as part of the Authenticate flow.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added component/backend Related to backend approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 15, 2025
@openshift-ci-robot
Copy link
Contributor

@TheRealJon: This pull request references Jira Issue OCPBUGS-45371, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan

In response to this:

We expected the console service account bearer token to be present on the internal k8s REST
configuration, but it was not. This caused all TokenReview requests to be skipped since no bearer
token was available to make the requests.

  • Update OpenShift authenticator to use a k8s client-go Clientset to make TokenReview requests. This
    Clientset is configured using the same REST config that the main server uses to proxy console
    service account delegated requests, meaning whatever console service account bearer token is
    configured on the main server is the same one used for TokenReview requests.
  • Update main.go to accept an off-cluster bearer token, which is used to make console service
    account delegated requests in an off-cluster, auth-enabled environment.
  • Update the README instructions for auth-enabled dev environments to include setting up a console
    service account API token and consume it through the new bridge arg.
  • Update examples/run-bridge.sh to consume an off-cluster service acccount token file

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@TheRealJon TheRealJon changed the title [WIP] OCPBUGS-45371: Use k8s client-go Clientset to create TokenReviews OCPBUGS-45371: Fix issue where TokenReview was not working as expected Jan 16, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2025
Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

}

// Check if the token is authenticated
if !responseTokenReview.Status.Authenticated {
if !tokenReview.Status.Authenticated {
err := fmt.Errorf("invalid token: %v", token)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit

Suggested change
err := fmt.Errorf("invalid token: %v", token)
err := fmt.Errorf("invalid token: %s", token)

these service account secrets need to be created manually.
Otherwise copy the CA bundle to
`examples/ca.crt`:
Create a long-lived API token Secret for the console ServiceAccount, and extract it to the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Create a long-lived API token Secret for the console ServiceAccount, and extract it to the
Create a long-lived API token Secret for the console ServiceAccount and extract it to the

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 16, 2025
@jhadvig
Copy link
Member

jhadvig commented Jan 16, 2025

/lgtm cancel

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 16, 2025
@jhadvig
Copy link
Member

jhadvig commented Jan 16, 2025

test-beckend.sh is failing on the TestNewOpenShiftAuthenticator apparently we are passing a nil client in some cases

We expected the console service account bearer token to be present on the internal k8s REST
configuration, but it was not. This caused all TokenReview requests to be skipped since no bearer
token was available to make the requests.

- Update OpenShift authenticator to use a k8s client-go Clientset to make TokenReview requests. This
  Clientset is configured using the same REST config that the main server uses to proxy console
  service account delegated requests, meaning whatever console service account bearer token is
  configured on the main server is the same one used for TokenReview requests.
- Update main.go to accept an off-cluster bearer token, which is used to make console service
  account delegated requests in an off-cluster, auth-enabled environment.
- Update the README instructions for auth-enabled dev environments to include setting up a console
  service account API token and consume it through the new bridge arg.
- Update `examples/run-bridge.sh` to consume an off-cluster service acccount token file
@TheRealJon
Copy link
Member Author

@jhadvig Tests should be fixed now!

Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/retest

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 20, 2025
Copy link
Contributor

openshift-ci bot commented Jan 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jhadvig
Copy link
Member

jhadvig commented Jan 21, 2025

/retest

Copy link
Contributor

openshift-ci bot commented Jan 21, 2025

@TheRealJon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-console 6d33e97 link true /test e2e-gcp-console

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. component/backend Related to backend jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants