Add identityURL to internal apis for CMSI usage #3514
Left a few comments, all other changes seem good for identityURL.
/azp run ci,e2e
Azure Pipelines successfully started running 2 pipeline(s).
Commented the doubts, rather than any change request.
Other than the concerns, changes LGTM.
38b747c to aaccab3
Requesting one more small change for readability's sake.
/azp run ci, e2e
Azure Pipelines successfully started running 2 pipeline(s).
/azp run e2e
Azure Pipelines successfully started running 1 pipeline(s).
/azp run e2e
Azure Pipelines successfully started running 1 pipeline(s).
if !f.env.IsLocalDevelopmentMode() /* not local dev or CI */ { | ||
doc.OpenShiftCluster.Properties.FeatureProfile.GatewayEnabled = true | ||
} | ||
} | ||
|
||
err = validateIdentityUrl(doc.OpenShiftCluster, identityURL, isCreate) |
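Review bot: the err returned by validateIdentityUrl on the last line of this hunk is assigned but not checked within the lines shown; make sure a non-nil error is returned to the caller before the cluster document is persisted, otherwise an empty or malformed identityURL would be written to the doc and later used for token refresh.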
Nit: in general, it's not good to have flag arguments: https://martinfowler.com/bliki/FlagArgument.html
So maybe to follow the paradigm in this function, we can change validation based on isCreate:

```go
if isCreate {
    ...
} else {
    ...
}
```
Do you think it would be better to split validateIdentityUrl into two functions? I ask because either way, we will need the isCreate logic in place as you pointed out, it's just a matter of where it goes.
I'd like us to clean this up before GA (or soon after) but not hold up overall progress. Since this is a current norm in our codebase we can acknowledge that it should be improved and move on to mission critical pieces. A good first issue for a new joiner would be this refactor.
@@ -41,18 +43,20 @@ func (f *frontend) putOrPatchOpenShiftCluster(w http.ResponseWriter, r *http.Req | |||
subId := chi.URLParam(r, "subscriptionId") | |||
resourceProviderNamespace := chi.URLParam(r, "resourceProviderNamespace") | |||
|
|||
identityURL := r.Header.Get("x-ms-identity-url") |
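Review bot: x-ms-identity-url is read straight from the inbound request and, per the PR description, is trusted because ARM supplies it; that trust assumption deserves a comment at this line, and the value should go through validateIdentityUrl before it reaches the doc rather than being stored as received. The header name is also a bare string literal here; exporting it as a const from msi-dataplane, as the thread proposes, would keep the RP and the dataplane client from drifting on the name.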
I'll add a todo in msi dataplane repo to make this an exportable const: https://github.com/Azure/msi-dataplane/blob/557894f3863f5591445903674cc6ba90e2a26fb7/pkg/dataplane/constants.go#L13
Which issue this PR addresses:
Fixes ARO-6086
What this PR does / why we need it:
The cluster doc needs to persist identityURL in order for Cluster MSI (CUAMSI) token refreshing to work. The identityURL is a header that is provided by ARM to the RP and is used for token refreshing purposes. For more info, see the design doc: https://docs.google.com/document/d/1dtgp6B-VYyXUmPsMX9f9MdlAE9sON4OuH1Cw9Ij0mmg/edit that @rajdeep wrote.
Test plan for issue:
API calls should succeed in persisting identityURL header when a put or patch call to RP is made.
Is there any documentation that needs to be updated for this PR?
How do you know this will function as expected in production?
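The shape the review thread asks for (separate create and update validation paths instead of an isCreate flag argument) together with the header handling the PR description covers, as an added Go example that is not ARO-RP code: the header-name constant, the clusterDoc and frontend types, the in-memory map standing in for the database, the https-only rule and every sample URL are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed local constant; the thread notes msi-dataplane does not export one yet.
const identityURLHeader = "x-ms-identity-url"

var (
	errIdentityURLMissing = errors.New("x-ms-identity-url header is required when creating a cluster")
	errIdentityURLInvalid = errors.New("x-ms-identity-url must be an absolute https URL without credentials")
)

// clusterDoc stands in for the persisted cluster document (constructed for this example).
type clusterDoc struct{ IdentityURL string }

// frontend keeps a constructed in-memory map in place of the real database.
type frontend struct{ docs map[string]*clusterDoc }

// parseIdentityURL accepts only an absolute https URL with a host and no credentials.
func parseIdentityURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return "", errIdentityURLInvalid
	}
	return u.String(), nil
}

// validateIdentityURLOnCreate: a new cluster must carry the header, since nothing
// could refresh the MSI token later without it.
func validateIdentityURLOnCreate(headerValue string) (string, error) {
	if strings.TrimSpace(headerValue) == "" {
		return "", errIdentityURLMissing
	}
	return parseIdentityURL(headerValue)
}

// validateIdentityURLOnUpdate: an existing cluster keeps its stored value when the
// header is absent and replaces it only with a valid new one.
func validateIdentityURLOnUpdate(stored, headerValue string) (string, error) {
	if strings.TrimSpace(headerValue) == "" {
		return stored, nil
	}
	return parseIdentityURL(headerValue)
}

// putOrPatchOpenShiftCluster reads the header once, picks the create or update path
// from whether the document exists (no flag argument), and persists only a value
// that passed validation.
func (f *frontend) putOrPatchOpenShiftCluster(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Path
	headerValue := r.Header.Get(identityURLHeader)
	doc, exists := f.docs[id]
	var identityURL string
	var err error
	if exists {
		identityURL, err = validateIdentityURLOnUpdate(doc.IdentityURL, headerValue)
	} else {
		identityURL, err = validateIdentityURLOnCreate(headerValue)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if !exists {
		doc = &clusterDoc{}
		f.docs[id] = doc
	}
	doc.IdentityURL = identityURL
	w.WriteHeader(http.StatusOK)
}

// send issues one PUT with the given header value and returns the status code.
func (f *frontend) send(id, headerValue string) int {
	req := httptest.NewRequest(http.MethodPut, id, nil)
	if headerValue != "" {
		req.Header.Set(identityURLHeader, headerValue)
	}
	rec := httptest.NewRecorder()
	f.putOrPatchOpenShiftCluster(rec, req)
	return rec.Code
}

func main() {
	f := &frontend{docs: map[string]*clusterDoc{}}
	const id = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.RedHatOpenShift/openShiftClusters/c1"
	fmt.Println(f.send(id, ""))                                   // 400: header required on create
	fmt.Println(f.send(id, "https://identity.example/sub/rg/c1")) // 200: persisted
	fmt.Println(f.send(id, ""))                                   // 200: stored value kept on update
	fmt.Println(f.send(id, "http://identity.example/sub/rg/c1"))  // 400: not https, stored value kept
	fmt.Println(f.docs[id].IdentityURL)                           // https://identity.example/sub/rg/c1
}
```

The point of the split is that a rejected create leaves nothing behind and a rejected update leaves the previously stored value untouched, so the token-refresh endpoint on the doc is never overwritten with something the RP could not use.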