
Create and populate OIDC blob store for the cluster #3564

Merged: 14 commits from rajdeepc2792/ARO-4373 into master, Jul 1, 2024

Conversation

@rajdeepc2792 (Collaborator) commented May 7, 2024

Which issue this PR addresses:

Jira issue: ARO-4373
Related docs:
https://msazure.visualstudio.com/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/603739/OIDC-Traffic-Flow
Similar implementation:
https://gitlab.cee.redhat.com/service/uhc-clusters-service/-/tree/master/pkg/aws/cloudcredentialbuilder

What this PR does / why we need it:

  • The RP needs to generate a keypair
  • The private key needs to be stored in Cosmos; it needs to be encrypted if it's stored in Cosmos
  • The private key will be passed to the installer-aro-wrapper via a secret as part of the existing cluster document in CosmosDB (not implemented here)
  • Set / populate OIDC issuerURL in the internal API
  • The RP should generate OIDC docs
  • Should populate them in regional storage accounts
  • The OIDC doc needs to be resolvable through the regional AFD instances and should follow a hashing pattern

Test plan for issue:

  • Unit Tests
  • Full RP Cluster Creation
  • CI
  • CI e2e
  • Local cluster installation
  • INT Deployment / e2e

Is there any documentation that needs to be updated for this PR?

  • Doc for setting up the full RP (part of the PR).

How do you know this will function as expected in production?

Testing the implementation in all the environments.
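The keypair and document generation the bullets above describe (generate a signing keypair, publish the public half as a JWKS, write the discovery document for the cluster's issuer URL), as an added Go example that is not code from this PR or from the ARO-RP repository. The document paths (/.well-known/openid-configuration and /openid/v1/jwks), the field set, the kid derivation (SHA-256 of the DER-encoded public key) and the issuer URL are this example's assumptions; how the RP encrypts and stores the private key and how the blob paths are hashed for AFD are not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Paths of the published documents (OpenShift convention; an assumption here, not from the PR).
const (
	DiscoveryPath = "/.well-known/openid-configuration"
	JWKSPath      = "/openid/v1/jwks"
)

// DiscoveryDocument is the subset of the OIDC discovery document a relying party needs.
type DiscoveryDocument struct {
	Issuer                           string   `json:"issuer"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

// JSONWebKey is one RSA public key in JWK form (RFC 7517/7518). Only the
// public half of the signing key is ever published; the private half stays in the secret.
type JSONWebKey struct {
	Use string `json:"use"`
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JSONWebKeySet struct {
	Keys []JSONWebKey `json:"keys"`
}

// BuildJWKS publishes the public key as an RS256 signing key. The kid is the
// SHA-256 of the DER-encoded public key, so it changes exactly when the key does.
func BuildJWKS(pub *rsa.PublicKey) (*JSONWebKeySet, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	kid := sha256.Sum256(der)
	return &JSONWebKeySet{Keys: []JSONWebKey{{
		Use: "sig", Kty: "RSA", Alg: "RS256",
		Kid: base64.RawURLEncoding.EncodeToString(kid[:]),
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}}, nil
}

// BuildDiscovery writes the discovery document. The issuer must match the
// tokens' iss claim byte-for-byte, so a trailing slash is normalised away.
func BuildDiscovery(issuerURL string) *DiscoveryDocument {
	issuer := strings.TrimSuffix(issuerURL, "/")
	return &DiscoveryDocument{
		Issuer:                           issuer,
		JWKSURI:                          issuer + JWKSPath,
		ResponseTypesSupported:           []string{"id_token"},
		SubjectTypesSupported:            []string{"public"},
		IDTokenSigningAlgValuesSupported: []string{"RS256"},
	}
}

// PublicKeyFromJWK does what a relying party does: rebuild the RSA key from n and e.
func PublicKeyFromJWK(k JSONWebKey) (*rsa.PublicKey, error) {
	n, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the bound-service-account signing keypair
	if err != nil {
		panic(err)
	}
	jwks, _ := BuildJWKS(&key.PublicKey)
	// Hypothetical issuer URL; in the RP it would point at the regional AFD endpoint.
	disc := BuildDiscovery("https://oidc.example.invalid/abc123/")
	for path, doc := range map[string]interface{}{DiscoveryPath: disc, JWKSPath: jwks} {
		b, _ := json.MarshalIndent(doc, "", "  ")
		fmt.Printf("%s\n%s\n", path, b)
	}
}
```

PublicKeyFromJWK is the consumer side: running it over the freshly built JWKS and comparing the result with the generated key is the check worth doing before the documents are uploaded, since a JWKS whose n or e does not decode back to the signing key breaks every token the cluster issues. The issuer string in the discovery document has to be the exact value the kube-apiserver puts in the iss claim, which is why the trailing slash is stripped rather than left to chance.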

@rajdeepc2792 rajdeepc2792 added work-in-progress chainsaw Pull requests or issues owned by Team Chainsaw labels May 7, 2024
@rajdeepc2792 rajdeepc2792 force-pushed the rajdeepc2792/ARO-4373 branch 2 times, most recently from 58d9129 to 1b8076a Compare May 7, 2024 17:01
@rajdeepc2792
Collaborator Author

/azp run ci,e2e


Azure Pipelines successfully started running 2 pipeline(s).

Collaborator

@cadenmarchese cadenmarchese left a comment


not a full review, just a few questions as you're working through the draft and testing. looks great!

pkg/util/storage/manager.go (review thread, outdated)
pkg/util/storage/manager.go (review thread, outdated)
@github-actions github-actions bot added the needs-rebase branch needs a rebase label May 7, 2024

github-actions bot commented May 7, 2024

Please rebase pull request.

@rajdeepc2792
Collaborator Author

/azp run e2e


Pull request contains merge conflicts.

@github-actions github-actions bot removed the needs-rebase branch needs a rebase label May 8, 2024
@rajdeepc2792 rajdeepc2792 added the hold Hold label May 8, 2024
pkg/api/openshiftcluster.go (review thread, outdated)
pkg/api/openshiftcluster.go (review thread, outdated)
pkg/cluster/deploybaseresources.go (review thread, outdated)
pkg/cluster/install.go (review thread)
pkg/env/env.go (review thread, outdated)
pkg/frontend/asyncoperationresult_get.go (review thread, outdated)
pkg/util/oidcbuilder/jwks.go (review thread)
@github-actions github-actions bot added the needs-rebase branch needs a rebase label May 13, 2024

Please rebase pull request.

@github-actions github-actions bot removed the needs-rebase branch needs a rebase label May 28, 2024
pkg/api/openshiftcluster.go (review thread, outdated)
pkg/cluster/install.go (review thread)
pkg/cluster/deploybaseresources.go (review thread, outdated)
@rajdeepc2792 rajdeepc2792 force-pushed the rajdeepc2792/ARO-4373 branch 4 times, most recently from d684aeb to a067322 Compare May 31, 2024 21:20
@rajdeepc2792 rajdeepc2792 marked this pull request as ready for review May 31, 2024 21:20
Contributor

@gouthamMN gouthamMN left a comment


lgtm

ResourceGroupID               string               `json:"resourceGroupId,omitempty"`
FipsValidatedModules          FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
OIDCIssuer                    *OIDCIssuer          `json:"oidcIssuer,omitempty"`
BoundServiceAccountSigningKey *SecureString        `json:"boundServiceAccountSigningKey,omitempty"`
Collaborator


Why do we make the signing key a pointer to SecureString, but we make pull secret a SecureString?

Contributor


It's been discussed here: #3564 (comment)

Contributor

@kimorris27 kimorris27 left a comment


I'm suggesting one change to ensure this code works in FairFax, and I left a few smaller comments/questions.

Edit: I think we're all good WRT the FairFax thing, so I just have some small questions and nits.

pkg/deploy/generator/resources_oic.go (review thread)
pkg/util/azblob/manager.go (review thread, outdated)
pkg/util/oidcbuilder/jwks.go (review thread)
pkg/util/oidcbuilder/oidcbuilder.go (review thread)
pkg/util/azblob/manager.go (review thread)
@kimorris27
Contributor

LGTM, but my recommendation is to wait until we have E2E available before merging because of the size and scope of the PR.

@rajdeepc2792
Collaborator Author

/azp run ci,e2e


Azure Pipelines successfully started running 2 pipeline(s).

@cadenmarchese
Collaborator

As a note to other reviewers, we've decided to rely on a healthy signal from local e2e since we don't have PR e2e available yet. The CI e2e was passing when it was healthy, and we've confirmed it's still passing locally.

@rajdeepc2792
Collaborator Author

/azp run ci,e2e


Azure Pipelines successfully started running 2 pipeline(s).

@rajdeepc2792
Collaborator Author

/azp run e2e


Azure Pipelines successfully started running 1 pipeline(s).

@cadenmarchese cadenmarchese merged commit 42daa82 into master Jul 1, 2024
21 checks passed
@SudoBrendan SudoBrendan deleted the rajdeepc2792/ARO-4373 branch July 24, 2024 15:54
Labels
chainsaw Pull requests or issues owned by Team Chainsaw ready-for-review
6 participants