Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for bearer token auth in Prow Jenkins controller #4210

Merged
merged 1 commit into from
Sep 5, 2017

Conversation

stevekuznetsov
Copy link
Contributor

Not all Jenkins masters allow for basic auth. This patch adds support
for bearer token auth in the Prow Jenkins client.

Signed-off-by: Steve Kuznetsov [email protected]

/area prow
/cc @spxtr @Kargakis @csrwng

@k8s-ci-robot k8s-ci-robot added area/prow Issues or PRs related to prow cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2017
@stevekuznetsov
Copy link
Contributor Author

@stevekuznetsov
Copy link
Contributor Author

/assign @Kargakis

Copy link
Contributor

@spxtr spxtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall idea SGTM, as long as it doesn't break our current setup :)

I'll let @Kargakis review in depth.

}
}
} else {
logrus.Fatal("An auth token for basic or bearer token auth must be supplied.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deck is used only for logs and on public jenkins instances we don't even need basic auth so we shouldn't break this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code prior to this change is

	if *jenkinsURL != "" {
		jenkinsSecretRaw, err := ioutil.ReadFile(*jenkinsTokenFile)
		if err != nil {
			logrus.WithError(err).Fatalf("Could not read token file.")
		}
		jenkinsToken := string(bytes.TrimSpace(jenkinsSecretRaw))
		jc = jenkins.NewClient(*jenkinsURL, *jenkinsUserName, jenkinsToken)
	}

How does that allow for no token?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh well.. I think I had a branch where I was making optional the parsing of the file because it's not really needed (tested). Nevermind, it's ok for now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It allows for no token if *jenkinsURL is empty.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It won't work without a url.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It won't be able to look up any agent: jenkins jobs, but it will be able to do everything else.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I was referring to getting the logs from Jenkins.

@0xmichalis
Copy link
Contributor

Jenkins controller changes lgtm

Thoughts on deck: As we move forward, adding agent-specific flags in deck will become untenable. For this PR this is fine, but is it reasonable in the future to feed deck with a secret that contains all the HTTP headers required for auth or is this a crazy idea? Related issue: #3407

@stevekuznetsov
Copy link
Contributor Author

@Kargakis do we need to dry out the flag parsing --> jenkins client creation code? Where would we put it?

@0xmichalis
Copy link
Contributor

@Kargakis do we need to dry out the flag parsing --> jenkins client creation code? Where would we put it?

No, this is ok.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2017
jenkinsSecretRaw, err := ioutil.ReadFile(*jenkinsTokenFile)
if err != nil {
logrus.WithError(err).Fatalf("Could not read token file.")
if jenkinsTokenFile != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this ever be non-nil? I think we should keep the default values empty and populate the options inside the deployments.

@0xmichalis
Copy link
Contributor

/lgtm cancel

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2017
@stevekuznetsov stevekuznetsov force-pushed the skuznets/bearer-token branch 3 times, most recently from d9860bb to 1d2c796 Compare August 29, 2017 14:56
@@ -25,9 +25,10 @@ spec:
spec:
containers:
- name: jenkins-operator
image: gcr.io/k8s-prow/jenkins-operator:0.39
image: gcr.io/k8s-prow/jenkins-operator:.1
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Kargakis right now ...

$ prow/bump.sh jenkins-operator
program: jenkins-operator
old version: 
new version: .1
$ prow/bump.sh jenkins
program: jenkins
old version: 0.39
new version: 0.40

One of these updates the deployment, one gets the Makefile?

@stevekuznetsov stevekuznetsov force-pushed the skuznets/bearer-token branch 2 times, most recently from d1e6fe2 to 1cd9fca Compare August 29, 2017 15:01
@0xmichalis
Copy link
Contributor

Add an announcement similar to what you did in #4213

@stevekuznetsov
Copy link
Contributor Author

I'll wait for it to merge so we can do that cleanly

@stevekuznetsov stevekuznetsov force-pushed the skuznets/bearer-token branch 3 times, most recently from 9ffdbcb to f36ef2a Compare September 1, 2017 14:03
@stevekuznetsov
Copy link
Contributor Author

@Kargakis rebased. added README

@0xmichalis
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 1, 2017
@0xmichalis
Copy link
Contributor

I will let @spxtr merge.

@stevekuznetsov
Copy link
Contributor Author

stevekuznetsov commented Sep 1, 2017

@spxtr @Kargakis rebased

@spxtr
Copy link
Contributor

spxtr commented Sep 1, 2017

#4213 is in.

@stevekuznetsov
Copy link
Contributor Author

Yeah, I've got the README bits in here now as well

prow/README.md Outdated
@@ -31,6 +31,12 @@ state and no claims of backwards compatibility are made for any external API.
Cluster administrators upgrading to the newest version of Prow should move
plugin configuration from the main `ConfigMap`. For more context, please see
[this pull request.](https://github.com/kubernetes/test-infra/pull/4213)
- *September 1, 2017* Deck and Jenkins-Operator controllers no longer provide
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should go the other way, with newer entries at the top.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also include the versions or commits that break?

@stevekuznetsov stevekuznetsov force-pushed the skuznets/bearer-token branch 3 times, most recently from 50312a1 to 9d6b45a Compare September 5, 2017 14:28
@stevekuznetsov
Copy link
Contributor Author

@spxtr @Kargakis updated the README -- NACK in general to adding versions to the comments as that requires a bump in the PR adding it ... and we were just converging in #4292 on not asking contributors to bump versions in their PRs.

@stevekuznetsov
Copy link
Contributor Author

Adding a SHA in there might be risky as it has a high chance of drifting.

@0xmichalis
Copy link
Contributor

and we were just converging in #4292 on not asking contributors to bump versions in their PRs.

Hopefully not every PR breaks something. For breakages, bumping makes sense to me.

@0xmichalis
Copy link
Contributor

Btw, you need to rebase on top of HEAD

@stevekuznetsov
Copy link
Contributor Author

Btw, you need to rebase on top of HEAD

I rebased before the last push

@stevekuznetsov
Copy link
Contributor Author

Hopefully not every PR breaks something. For breakages, bumping makes sense to me.

Fair point -- that makes good sense to me too.

args:
- --dry-run=false
- --jenkins-token=/etc/jenkins/jenkins
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--jenkins-token-file

ports:
- name: http
containerPort: 8080
args:
- --jenkins-url=$(JENKINS_URL)
- --jenkins-token=/etc/jenkins/jenkins
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--jenkins-token-file

Not all Jenkins masters allow for basic auth. This patch adds support
for bearer token auth in the Prow Jenkins client.

Signed-off-by: Steve Kuznetsov <[email protected]>
@0xmichalis
Copy link
Contributor

/lgtm

@0xmichalis 0xmichalis merged commit 67103c0 into kubernetes:master Sep 5, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/prow Issues or PRs related to prow cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants