Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement to optionally fetch the OIDCAuthIntrospectionURL #571

Merged
merged 3 commits into from
Jul 13, 2020
Merged

Enhancement to optionally fetch the OIDCAuthIntrospectionURL #571

merged 3 commits into from
Jul 13, 2020

Conversation

abellotti
Copy link
Member

  • Enhancement to optionally fetch the OIDCAuthIntrospectionURL from the Provider Metadata URL if not provided to us.

Solves: #512

@abellotti abellotti requested review from bdunne and carbonin as code owners July 2, 2020 17:31
@abellotti abellotti force-pushed the auto_fetch_oidc_introspection_endpoint branch from 20eb63e to 5f777be Compare July 2, 2020 17:39
carbonin
carbonin suggested changes Jul 2, 2020
View reviewed changes
Copy link
Member

@carbonin carbonin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High level review to start. I figure it's easier to get this into the right place in the source, then we can tackle the implementation.

manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go Outdated
if spec.OIDCProviderURL == "" || spec.OIDCClientSecret == "" {
errs = append(errs, "HttpdAuthConfig or both OIDCProviderURL and OIDCClientSecret must be provided for openid-connect authentication")
} else {
// If the OAuth Introspection URL was not specified, let's try to fetch it from the Provider URL
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't really think this belongs in Validate.

My intention here was to make this act kind of like an AR validation where we wouldn't change the object we're validating and wouldn't take any further action.

I think it would be better to make the introspection URL optional and fetch it if it was not provided. Then if we fail to fetch it at that point we can error out of reconcile.

manageiq-operator/pkg/apis/manageiq/v1alpha1/manageiq_types.go Outdated
@@ -283,6 +286,28 @@ func init() {
SchemeBuilder.Register(&ManageIQ{}, &ManageIQList{})
}

func fetchIntrospectionUrl(providerUrl string) (introspectionUrl string, errMsg string) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't belong in the v1alpha1 package. I think this all should go at least into the controller, possibly into the httpd component.

@chessbyte
Copy link
Member

@abellotti @carbonin let's get this one over the finish line, so we can call ManageIQ/manageiq#19867 complete for Jansa (I removed the lower priority nice-to-haves from the list on that issue).

@carbonin
Copy link
Member

carbonin commented Jul 8, 2020

Alberto and I chatted about the direction this should go last week. That new direction would have conflicted with #572, but since that was merged today we should be able to make more progress here.

@Fryguy
Copy link
Member

Fryguy commented Jul 8, 2020

I'm assuming that #572 is jansa/no, though, right? So will it still have issues on backport?

@carbonin
Copy link
Member

carbonin commented Jul 8, 2020

Ah, yeah. Will probably need a separate jansa-only PR as I did with #579 and #580

abellotti added 2 commits July 9, 2020 17:09
@abellotti
Enhancement to optionally fetch the OIDCAuthIntrospectionURL from
f94430f 
the Provider Metadata URL if not provided to us.
@abellotti
Moving the Fetching of the OIDC Introspection URL out of the validati…
f5d658d 
…on code

and into the config map generation code.
@abellotti abellotti force-pushed the auto_fetch_oidc_introspection_endpoint branch from 5f777be to f5d658d Compare July 10, 2020 18:18
@abellotti
Copy link
Member Author

/cc @carbonin latest changes on master, I will create a separate PR for Jansa. Thanks for all your help!!

@abellotti
Copy link
Member Author

The Jansa PR: #582

carbonin
carbonin reviewed Jul 10, 2020
View reviewed changes
Copy link
Member

@carbonin carbonin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a bit to the comment in the ManageIQSpec struct about how we will fetch the introspection URL if it isn't provided?

Few minor comments. Otherwise looks good

manageiq-operator/pkg/helpers/miq-components/httpd.go Outdated
@@ -81,7 +84,16 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*extensionsv1bet
return ingress, f
}

func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ConfigMap, controllerutil.MutateFn) {
func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ConfigMap, controllerutil.MutateFn, error) {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can lose this leading whitespace.

manageiq-operator/pkg/helpers/miq-components/httpd.go Outdated
if err != nil {
return nil, nil, err
}
(&cr.Spec).OIDCOAuthIntrospectionURL = introspectionURL
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need the & and parens here. cr.Spec.OIDCOAuthIntrospectionURL = introspectionURL will do what you want as cr is already a pointer.

I assume you lifted this from Initialize?

If that's the case that's different because we're using an intermediate local to store the spec so we don't need m.Spec everywhere.

manageiq-operator/pkg/helpers/miq-components/httpd.go Outdated
}

if result["token_introspection_endpoint"] == nil {
return "", fmt.Errorf("%s - token_introspection_endpoint is missing", errMsg)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe "token_introspection_endpoint is missing from response"?
I don't think I would understand what this was saying as is.

@abellotti abellotti force-pushed the auto_fetch_oidc_introspection_endpoint branch from 78e720a to cbc1236 Compare July 10, 2020 20:15
@abellotti
PR Review updates
aec43e3 
- Added comments on the fetching of the introspection URL if not specified.
- Removed unnecessary white spaces
- Defining introspection URL via cr.Spec... = instead of (&cr.Spec)
- Clarified error message for missing token_introspection_endpoint
@abellotti abellotti force-pushed the auto_fetch_oidc_introspection_endpoint branch from cbc1236 to aec43e3 Compare July 10, 2020 20:29
@miq-bot
Copy link
Member

miq-bot commented Jul 10, 2020

Checked commits abellotti/manageiq-pods@f94430f~...aec43e3 with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
2 files checked, 1 offense detected

**

  • 💣 💥 🔥 🚒 - Linter/Yaml - missing config files

@abellotti
Copy link
Member Author

ok @carbonin I think I got 'em.

@carbonin carbonin merged commit 64a2c27 into ManageIQ:master Jul 13, 2020
@abellotti abellotti mentioned this pull request Jul 13, 2020
Merged
@simaishi
Copy link
Contributor

Backported to jansa via #582

@simaishi simaishi mentioned this pull request Aug 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carbonin carbonin carbonin approved these changes

@bdunne bdunne Awaiting requested review from bdunne bdunne is a code owner

Assignees

@carbonin carbonin

Labels
enhancement jansa/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@abellotti @chessbyte @carbonin @Fryguy @miq-bot @simaishi @gtanzillo