-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for bearer token auth in Prow Jenkins controller #4210
Add support for bearer token auth in Prow Jenkins controller #4210
Conversation
/assign @Kargakis |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall idea SGTM, as long as it doesn't break our current setup :)
I'll let @Kargakis review in depth.
} | ||
} | ||
} else { | ||
logrus.Fatal("An auth token for basic or bearer token auth must be supplied.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
deck is used only for logs and on public jenkins instances we don't even need basic auth so we shouldn't break this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code prior to this change is
if *jenkinsURL != "" {
jenkinsSecretRaw, err := ioutil.ReadFile(*jenkinsTokenFile)
if err != nil {
logrus.WithError(err).Fatalf("Could not read token file.")
}
jenkinsToken := string(bytes.TrimSpace(jenkinsSecretRaw))
jc = jenkins.NewClient(*jenkinsURL, *jenkinsUserName, jenkinsToken)
}
How does that allow for no token?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh well.. I think I had a branch where I was making optional the parsing of the file because it's not really needed (tested). Nevermind, it's ok for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It allows for no token if *jenkinsURL is empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It won't work without a url.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It won't be able to look up any agent: jenkins
jobs, but it will be able to do everything else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I was referring to getting the logs from Jenkins.
Jenkins controller changes lgtm Thoughts on deck: As we move forward, adding agent-specific flags in deck will become untenable. For this PR this is fine, but is it reasonable in the future to feed deck with a secret that contains all the HTTP headers required for auth or is this a crazy idea? Related issue: #3407 |
@Kargakis do we need to dry out the flag parsing --> jenkins client creation code? Where would we put it? |
No, this is ok. /lgtm |
prow/cmd/deck/main.go
Outdated
jenkinsSecretRaw, err := ioutil.ReadFile(*jenkinsTokenFile) | ||
if err != nil { | ||
logrus.WithError(err).Fatalf("Could not read token file.") | ||
if jenkinsTokenFile != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this ever be non-nil? I think we should keep the default values empty and populate the options inside the deployments.
/lgtm cancel |
d9860bb
to
1d2c796
Compare
prow/cluster/jenkins_deployment.yaml
Outdated
@@ -25,9 +25,10 @@ spec: | |||
spec: | |||
containers: | |||
- name: jenkins-operator | |||
image: gcr.io/k8s-prow/jenkins-operator:0.39 | |||
image: gcr.io/k8s-prow/jenkins-operator:.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kargakis right now ...
$ prow/bump.sh jenkins-operator
program: jenkins-operator
old version:
new version: .1
$ prow/bump.sh jenkins
program: jenkins
old version: 0.39
new version: 0.40
One of these updates the deployment, one gets the Makefile?
d1e6fe2
to
1cd9fca
Compare
Add an announcement similar to what you did in #4213 |
I'll wait for it to merge so we can do that cleanly |
9ffdbcb
to
f36ef2a
Compare
@Kargakis rebased. added README |
/lgtm |
I will let @spxtr merge. |
f36ef2a
to
8dd6824
Compare
#4213 is in. |
Yeah, I've got the README bits in here now as well |
prow/README.md
Outdated
@@ -31,6 +31,12 @@ state and no claims of backwards compatibility are made for any external API. | |||
Cluster administrators upgrading to the newest version of Prow should move | |||
plugin configuration from the main `ConfigMap`. For more context, please see | |||
[this pull request.](https://github.com/kubernetes/test-infra/pull/4213) | |||
- *September 1, 2017* Deck and Jenkins-Operator controllers no longer provide |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These should go the other way, with newer entries at the top.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we also include the versions or commits that break?
50312a1
to
9d6b45a
Compare
Adding a SHA in there might be risky as it has a high chance of drifting. |
Hopefully not every PR breaks something. For breakages, bumping makes sense to me. |
Btw, you need to rebase on top of HEAD |
I rebased before the last push |
Fair point -- that makes good sense to me too. |
prow/cluster/jenkins_deployment.yaml
Outdated
args: | ||
- --dry-run=false | ||
- --jenkins-token=/etc/jenkins/jenkins |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--jenkins-token-file
prow/cluster/deck_deployment.yaml
Outdated
ports: | ||
- name: http | ||
containerPort: 8080 | ||
args: | ||
- --jenkins-url=$(JENKINS_URL) | ||
- --jenkins-token=/etc/jenkins/jenkins |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--jenkins-token-file
Not all Jenkins masters allow for basic auth. This patch adds support for bearer token auth in the Prow Jenkins client. Signed-off-by: Steve Kuznetsov <[email protected]>
9d6b45a
to
206a5e9
Compare
/lgtm |
Not all Jenkins masters allow for basic auth. This patch adds support
for bearer token auth in the Prow Jenkins client.
Signed-off-by: Steve Kuznetsov [email protected]
/area prow
/cc @spxtr @Kargakis @csrwng