Add identityURL to internal apis for CMSI usage #3514
Conversation
cadenmarchese
added
hold
|
Left a few comments, all other changes seems good for identityURL. |
cadenmarchese
changed the title
cadenmarchese
added
size-small
cadenmarchese
requested review from
jewzaam,
bennerv,
hawkowl,
rogbas,
jharrington22,
cblecker,
UlrichSchlueter,
s-amann,
SudoBrendan,
Shivkumar13,
yjst2012,
jaitaiwan and
anshulvermapatel
as code owners
|
/azp run ci,e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
cadenmarchese
force-pushed
the
ARO-6086/cuamsi-api-changes
branch
from
38b747c
to
aaccab3
Compare
|
/azp run ci, e2e |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
/azp run e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| if !f.env.IsLocalDevelopmentMode() /* not local dev or CI */ { | ||
| doc.OpenShiftCluster.Properties.FeatureProfile.GatewayEnabled = true | ||
| } | ||
| } | ||
|
|
||
| err = validateIdentityUrl(doc.OpenShiftCluster, identityURL, isCreate) |
There was a problem hiding this comment.
Nit: in general, it's not good to have flag arguments: https://martinfowler.com/bliki/FlagArgument.html
So maybe to follow the paradigm in this function, we can change validation based on isCreate:
if isCreate {
...
} else {
...
}
There was a problem hiding this comment.
Do you think it would be better to split validateIdentityUrl into two functions? I ask because either way, we will need the isCreate logic in place as you pointed out, it's just a matter of where it goes.
There was a problem hiding this comment.
I'd like us to clean this up before GA (or soon after) but not hold up overall progress. Since this a current norm in our codebase we can acknowledge that it should be improved and move on to mission critical pieces. A good fist issue for a new joiner would be this refactor.
| @@ -41,18 +43,20 @@ func (f *frontend) putOrPatchOpenShiftCluster(w http.ResponseWriter, r *http.Req | |||
| subId := chi.URLParam(r, "subscriptionId") | |||
| resourceProviderNamespace := chi.URLParam(r, "resourceProviderNamespace") | |||
|
|
|||
| identityURL := r.Header.Get("x-ms-identity-url") | |||
There was a problem hiding this comment.
I'll add a todo in msi dataplane repo to make this an exportable const: https://github.com/Azure/msi-dataplane/blob/557894f3863f5591445903674cc6ba90e2a26fb7/pkg/dataplane/constants.go#L13
Which issue this PR addresses:
Fixes ARO-6086
What this PR does / why we need it:
The cluster doc needs to persist identityURL in order for Cluster MSI (CUAMSI) token refreshing to work. The identityURL is a header that is provided by ARM to the RP and is used for token refreshing purposes. For more info, see the design doc: https://docs.google.com/document/d/1dtgp6B-VYyXUmPsMX9f9MdlAE9sON4OuH1Cw9Ij0mmg/edit that @rajdeep wrote.
Test plan for issue:
API calls should succeed in persisting identityURL header when a put or patch call to RP is made.
Is there any documentation that needs to be updated for this PR?
How do you know this will function as expected in production?