[WIP]: CNTRLPLANE-312: Add generation logic for new API fields in the Authentication CR #810
Conversation
Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
openshift-ci-robot
added
the
jira/valid-reference
|
@ShazaAldawamneh: This pull request references CNTRLPLANE-312 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are limited based on label configuration. 🚫 Excluded labels (none allowed) (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ShazaAldawamneh The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
everettraven
left a comment
everettraven
left a comment
There was a problem hiding this comment.
Overall, the structure looks pretty good.
I have a handful of comments.
| // validate CEL expression | ||
| if err := validateCELExpression(&authenticationcel.ClaimMappingExpression{ | ||
| Expression: claimValidationRule.Expression.Expression, | ||
| }); err != nil { | ||
| return apiserverv1beta1.ClaimValidationRule{}, fmt.Errorf("invalid CEL expression: %v", err) | ||
| } |
There was a problem hiding this comment.
As a note, we should update https://github.com/openshift/kubernetes/blob/891f5bb0306166d5625b89fc8dc86bbc8c85f549/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go#L240 to perform admission time validation of these expressions.
It doesn't hurt to also include the runtime validations here, but admission validations should be sufficient here because we are embedding that in the kube-apiserver
There was a problem hiding this comment.
I'm not entirely sure what you mean here, can you explain more in details on what needs to be done ?
There was a problem hiding this comment.
I mean that we will also need to take an action item to update our admission plugin that we inject into the Kubernetes API server to validate that the CEL expressions here compile successfully.
There is nothing that needs to be done in this PR to address this comment.
There was a problem hiding this comment.
I see, make sense, will make a note on that!
| DiscoveryURL: "https://example.com/.well-known/openid-configuration", | ||
| }, | ||
| OIDCClients: []configv1.OIDCClientConfig{ | ||
| { | ||
| ComponentName: "console", | ||
| ComponentNamespace: "openshift-console", | ||
| ClientID: "console-oidc-client", | ||
| }, | ||
| { | ||
| ComponentName: "kube-apiserver", | ||
| ComponentNamespace: "openshift-kube-apiserver", | ||
| ClientID: "test-oidc-client", | ||
| }, | ||
| }, | ||
| ClaimMappings: configv1.TokenClaimMappings{ | ||
| Username: configv1.UsernameClaimMapping{ | ||
| Claim: "username", | ||
| PrefixPolicy: configv1.Prefix, | ||
| Prefix: &configv1.UsernamePrefix{ | ||
| PrefixString: "oidc-user:", | ||
| }, | ||
| }, | ||
| Groups: configv1.PrefixedClaimMapping{ | ||
| TokenClaimMapping: configv1.TokenClaimMapping{ | ||
| Claim: "groups", | ||
| }, | ||
| Prefix: "oidc-group:", | ||
| }, | ||
| }, | ||
| ClaimValidationRules: []configv1.TokenClaimValidationRule{ | ||
| { | ||
| Type: configv1.TokenValidationRuleTypeRequiredClaim, | ||
| Type: configv1.TokenValidationRuleRequiredClaim, | ||
| RequiredClaim: &configv1.TokenRequiredClaim{ | ||
| Claim: "username", | ||
| RequiredValue: "test-username", | ||
| }, | ||
| }, | ||
| { | ||
| Type: configv1.TokenValidationRuleTypeRequiredClaim, | ||
| RequiredClaim: &configv1.TokenRequiredClaim{ | ||
| Claim: "email", | ||
| RequiredValue: "test-email", | ||
| Type: configv1.TokenValidationRuleExpression, | ||
| Expression: configv1.TokenExpressionRule{ | ||
| Expression: "claims.email.endsWith('@example.com')", | ||
| Message: "email domain must be example.com", | ||
| }, | ||
| }, | ||
| }, | ||
| UserValidationRules: []configv1.TokenUserValidationRule{ | ||
| { | ||
| Expression: "user.groups.exists(g, g == 'system:authenticated')", | ||
| Message: "user must be authenticated", | ||
| }, | ||
| }, |
There was a problem hiding this comment.
I don't think we should be making these changes to the base configuration because these new fields are only present on a cluster where the associated feature gate is enabled.
These tests will run against clusters where the feature gate is and is not enabled.
There was a problem hiding this comment.
Do you mean that the existing tests should remain unchanged, and that I should avoid modifying the base expected configuration?
There was a problem hiding this comment.
Yes, you should not modify existing tests to fit the requirements of a tech-preview feature. Instead, add new tests that are gated on that feature-gate being present and make modifications accordingly.
As an example:
cluster-authentication-operator/test/e2e-oidc/external_oidc_test.go
Lines 158 to 166 in e6c52f8
Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
|
@ShazaAldawamneh: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3 participants
No description provided.