OIDC module for contour-authserver #13
Conversation
|
@robinfoe for the DCO check to pass you need to sign your commits with |
| auth-svr-config.yaml: | | ||
| address: ":9443" | ||
| issuerURL: "http://dex.auth.app.192.168.10.134.nip.io:9080" | ||
| redirectURL: "https://echo.oidc.app.local:9443" |
There was a problem hiding this comment.
This is global config for an instance of contour-authserver, but it probably only makes sense for a single vhost. Could we use the vhost metadata to pass down this sort of configuration? WDYT?
There was a problem hiding this comment.
Feels like we could TODO this one, get this in, then come back and fix. We're still in experimental territory.
There was a problem hiding this comment.
I think this is okay for the first version, but it will need a TODO issue. I'll log one and update here. Once I do, @robinfoe, can you please drop a comment in here and in the docs for the command?
| return false | ||
| } | ||
|
|
||
| return true |
There was a problem hiding this comment.
Leave a TODO (and GitHub issue) for propagating the claims? I would guess that many apps would want to see the verified claims?
There was a problem hiding this comment.
This one needs an issue for tracking as well.
pkg/cli/oicd_connect.go
Outdated
| return ExitError{EX_CONFIG, err} | ||
| } | ||
|
|
||
| if cfg == nil { |
There was a problem hiding this comment.
This should be an error since a nil will make it panic later. Even better wold be for the config to be guaranteer non-nil when there is no error.
There was a problem hiding this comment.
I think that in the version I'm reviewing it's not possible for this to be nil here? It will always have at least the defaults? If so, this check will never be used.
Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
…ojectcontour#3) The makefile task `make lint` did not work if the `golangci-lint` binary is not found locally on the machine. This fixes the run command for `docker` builds as well as upgrade to latest since issues were found in the older version. Signed-off-by: Steve Sloka <[email protected]> Signed-off-by: robinfoe <[email protected]>
Add standard `ProjectContour` copyright information to all source code files. Signed-off-by: Steve Sloka <[email protected]> Signed-off-by: robinfoe <[email protected]>
Internally, the check response heaers use maps, so the header slice ordering is not stable. Add a test helper to sort this for stable test comparisons. Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Labels have more restrictive value validation than annotations, so switch to annotations for specifying the basic authentication realm and type. To make up for the use of annotations, add a label selector flag so that operators can filter which Secrets to actually use. This fixes projectcontour#4. Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
This fixes projectcontour#5. Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Move the common gRPC server initialization code into a helper function. Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
The `testserver` subcommand was running the `Htpasswd` backend rather than the `Testserver` backend. Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
Signed-off-by: James Peach <[email protected]> Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robin foe <[email protected]> Signed-off-by: robinfoe <[email protected]>
robinfoe
force-pushed
the
contour-ext-auth
branch
from
61a966a to
d18e0a2
Compare
| auth-svr-config.yaml: | | ||
| address: ":9443" | ||
| issuerURL: "http://dex.auth.app.192.168.10.134.nip.io:9080" | ||
| redirectURL: "https://echo.oidc.app.local:9443" |
There was a problem hiding this comment.
Feels like we could TODO this one, get this in, then come back and fix. We're still in experimental territory.
Co-authored-by: Nick Young <[email protected]>
Co-authored-by: Nick Young <[email protected]>
There was a problem hiding this comment.
@robinfoe could you rebase on main so the set of changed files is smaller?
The pod was OOMKilled with 30 Mi, so increase the limit to 90 Mi. Signed-off-by: Suraj Deshmukh <[email protected]>
Signed-off-by: Steve Sloka <[email protected]>
|
Hey, @robinfoe do you think you'd like to finish this PR up? Happy to help out getting this pushed through, or if not, could we pick up where you left off to get this complete? |
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robinfoe <[email protected]>
Signed-off-by: robin foe <[email protected]> Signed-off-by: robinfoe <[email protected]>
Co-authored-by: Nick Young <[email protected]>
Co-authored-by: Nick Young <[email protected]>
|
hi @stevesloka I did the rebase on this, do you mind checking and see if it's good to go? |
There was a problem hiding this comment.
Sorry to take so long to review this @robinfoe.
I think this is looking pretty good, but needs a couple of tracking issues for TODOs (which I will add).
For those, can you put a comment that looks like:
// TODO(robinfoe) #issuenumber : descriptionThat tells us what issue to check, who has the most context, and a rough idea of what to do.
| auth-svr-config.yaml: | | ||
| address: ":9443" | ||
| issuerURL: "http://dex.auth.app.192.168.10.134.nip.io:9080" | ||
| redirectURL: "https://echo.oidc.app.local:9443" |
There was a problem hiding this comment.
I think this is okay for the first version, but it will need a TODO issue. I'll log one and update here. Once I do, @robinfoe, can you please drop a comment in here and in the docs for the command?
| return false | ||
| } | ||
|
|
||
| return true |
There was a problem hiding this comment.
This one needs an issue for tracking as well.
pkg/cli/oicd_connect.go
Outdated
| return ExitError{EX_CONFIG, err} | ||
| } | ||
|
|
||
| if cfg == nil { |
There was a problem hiding this comment.
I think that in the version I'm reviewing it's not possible for this to be nil here? It will always have at least the defaults? If so, this check will never be used.
pkg/store/state.go
Outdated
| StatusTokenReady | ||
| ) | ||
|
|
||
| // NewState .... create new state to store token for OIDC |
There was a problem hiding this comment.
Can you please update these comments to be of the following form?
// XFunc does the thing that it does.I agree that a bunch of them are pretty simple, but it doesn't hurt to explain what they do and are used for regardless.
|
Hey @robin-mbg thanks for the work on this! Going to merge and add some more PRs to follow-up, but this a great start! 🎉 |
|
@stevesloka I think the thanks belongs to @robinfoe as I have honestly never heard of this project, nor have I actively contributed, despite the commit history. It seems like @robinfoe is using an email address for his commits that GitHub attributes to my account. Looks quite interesting though and will definitely take a closer look at this project from now on. |
|
Huh? Sorry for the mixup @robin-mbg. I assumed @robinfoe starting using a new github handle for some reason. 🙃 |
|
@stevesloka , thx for the merge, not too sure what's going on with my Github account but thx for spotting that , will get it fixed :) |
OIDC module for contour-authserver