Read secrets for onboarding-token validation #2790
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: mrudraia1. The full list of commands accepted by this bot can be found here.
Hi @mrudraia1. Thanks for your PR. I'm waiting for a red-hat-storage member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test
much better, can merge it at the earliest.
services/ux-backend/main.go
Outdated
) | ||
|
||
type serverConfig struct { | ||
client.Client |
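Review bot: embedding client.Client in serverConfig (the `client.Client |` line) promotes the whole read/write client API onto the config struct; if the handler only needs to Get the onboarding Secret, hold it as a named field typed as client.Reader (or drop it entirely, since the thread notes it is unused) so the token-validation path cannot quietly gain write access to the API.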
where is this being used?
removed, it is nowhere called
services/ux-backend/main.go
Outdated
@@ -7,12 +7,17 @@ import ( | |||
"os" | |||
"strconv" | |||
|
|||
"k8s.io/klog/v2" | |||
|
|||
v1 "github.com/red-hat-storage/ocs-operator/api/v4/v1" |
pls change to ocsv1, we generally use v1 for native apis, even that I'm not seeing lately.
ack
controllers/util/util.go
Outdated
@@ -5,6 +5,8 @@ import ( | |||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |||
) | |||
|
|||
const onboardingValidationPrivateKeySecretName = "onboarding-private-key" |
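Review bot: `const onboardingValidationPrivateKeySecretName = "onboarding-private-key"` is a bare string literal that has to match whatever writes that Secret; besides moving it next to its only user, define the name once (exported from the package that creates the Secret, or alongside the matching public-key name) instead of re-typing the literal in two places, so a rename on the writer side fails at compile time rather than surfacing as a NotFound at runtime.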
could you pls move this const to the file where it is being used?
ack
"sigs.k8s.io/controller-runtime/pkg/client" | ||
) | ||
|
||
func ReadPrivateKey(cl client.Client) (*rsa.PrivateKey, error) { |
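Review bot: `func ReadPrivateKey(cl client.Client) (*rsa.PrivateKey, error)` takes the full read/write client although the function only needs to read one Secret; accepting `client.Reader` (together with a `context.Context` and the namespace from the caller) narrows what the helper can do and makes it straightforward to unit-test with a fake reader serving a constructed Secret.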
why can't this function be in existing provider.go itself?
In Provider.go, there will be import issues for the packages "crypto", "crypto/rand", "crypto/rsa". The ReadPrivateKey function requires "crypto/rsa", "crypto/x509". So because of import conflicts, I created a new file.
could you pls expand on this, I don't see the issue.
Ack, deleted the onboarding_secrets.go and function called in provider.go
"sigs.k8s.io/controller-runtime/pkg/client" | ||
) | ||
|
||
func ReadPrivateKey(cl client.Client) (*rsa.PrivateKey, error) { |
we aren't reading the key, we are getting it from the API and parsing it as well, the name GetParsedPrivateKey is more apt.
ok
klog.Info("Getting the Pem key") | ||
ctx := context.Background() | ||
|
||
operatorNamespace, err := GetOperatorNamespace() |
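Review bot: `ctx := context.Background()` created inside the helper discards any deadline or cancellation the caller (an HTTP handler or a reconcile) already carries, so a slow API-server Get of the Secret cannot be cancelled together with the request; take `ctx context.Context` as the first parameter and pass it through to the Get call, and pass the namespace in the same way instead of re-reading it on every call.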
get the namespace as a param rather than reading it every time, I see this is being used in two places where you can already have the ns.
- in reconciler, already has it
- in handler, pls initialize ns once and read from it rather than reading from env every time, ref remove rotation of keys endpoint from ux-backend #2569
ack
privateKey, err := util.ReadPrivateKey(r.Client) | ||
if err != nil { | ||
r.Log.Error(err, "Unable to get privatekey") | ||
return reconcile.Result{}, nil |
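Review bot: `return reconcile.Result{}, nil` after `r.Log.Error(err, "Unable to get privatekey")` reports the reconcile as successful, so a transient failure to read the Secret (API hiccup, Secret not yet present) is never retried and the reconciler silently continues without a key; return `reconcile.Result{}, err` so the request is requeued with backoff, and decide explicitly whether a NotFound should be treated differently from other errors.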
you might want to return an error here.
ack
@mrudraia1: This pull request references Bugzilla bug 231102, which is valid. No validations were run on this bug. In response to this:
@mrudraia1: No Bugzilla bug is referenced in the title of this pull request. In response to this:
PR needs rebase.
While adding the fields, the descriptions of the fields were directly lifted from rook-operator. The values of NearFull, BackfillFull & Full in rook are 0.85, 0.90 & 0.95 respectively. But in OCS Operator we set these values to 0.75, 0.80 & 0.85 respectively with the help of the rook-config-override ConfigMap. So the description of the fields in the API should reflect the actual values that are set in OCS. Signed-off-by: Malay Kumar Parida <[email protected]>
Earlier the cluster utilization alert rules (CephClusterNearFull, CephClusterCriticallyFull, CephClusterReadOnly) and the osd alert rules (CephOSDNearFull, CephOSDCriticallyFull) were hardcoded to use the nearFullRatio 0.75, criticallyFullRatio 0.80, and fullRatio 0.85 values. But these values are now configurable on the storageCluster CR. So the prometheus rules for these alerts will now be updated to use the specified values if provided in the storageCluster CR. This also includes a refactor of the prometheus rule changing process. The function is now easier to read, maintain & expand. Also adds tests for the prometheus rule changing process. Signed-off-by: Malay Kumar Parida <[email protected]>
The PR does the following: 1. add role to the onboarding ticket 2. add a new endpoint for peer-onboarding-tokens Signed-off-by: Rewant Soni <[email protected]>
The commit does the following: 1. Create service, deployment, onboarding job for both modes 2. Update the variable from watchnamespace to podnamespace 3. Remove hardcoded name for storagecluster 4. Move client configmap in storageclient Signed-off-by: Rewant Soni <[email protected]>
Signed-off-by: Rewant Soni <[email protected]>
Signed-off-by: Rewant Soni <[email protected]>
Signed-off-by: Kaustav Majumder <[email protected]>
Signed-off-by: Mrudraia1 <[email protected]>
@mrudraia1: The following tests failed, say
Reopened new PR 2827. Closing this PR due to some conflicting files and commits.
This PR is a copy PR of #2715
I faced git account issues and was not able to recover my account, so I created a new PR with a new account.
This PR reads the secrets directly instead of reading them from the volume mounts.
Whenever new onboarding secrets are created, it takes more time to read the secrets from the volume mounts: when the user clicks rotate onboarding keys, Kubernetes still uses the old public and private keys, and the new keys are mounted later. So this PR will read the secrets directly from the Kubernetes secrets.