Skip to content
This repository has been archived by the owner on Jun 19, 2022. It is now read-only.

Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry #1982

Merged
merged 6 commits into from
Dec 17, 2020
Merged

Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry #1982

merged 6 commits into from
Dec 17, 2020

Conversation

grac3gao-zz
Copy link
Contributor

@grac3gao-zz grac3gao-zz commented Dec 7, 2020
edited
Loading

Fixes #

Proposed Changes

  • Phase one for the Second step to add the authentication check
  1. Environment variable to differentiate authentication mode
  2. Authentication check running inside the Pod(<-this one)
  3. Additional k8s Event check for Secret absence

Note This PR only adds authentication check in Pod of Source and BrokerCell Fanout and Retry.
For Pods using kncloudevent library like Ingress, it is blocked by #1973

  • Functionality includes:
  1. Running authentication check inside the Pod
  2. Writing Termination log into Pod once authentication check failed
  3. Remark upper-level resource with authentication related Reason and Message
  • Needs to add more UTs.

Release Note

🎁 Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry

Docs

@google-cla google-cla bot added the cla: yes (override cla status due to multiple authors bug) label Dec 7, 2020
@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grac3gao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@grac3gao-zz grac3gao-zz changed the title Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry [WIP]Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry Dec 7, 2020
@grac3gao-zz grac3gao-zz requested review from Harwayne, grantr and AlexandraRoatis and removed request for tommyreddad and danyinggu December 7, 2020 17:24
@grac3gao-zz grac3gao-zz force-pushed the podcheck branch 3 times, most recently from 320185d to 325a695 Compare December 8, 2020 21:11
@grac3gao-zz grac3gao-zz force-pushed the podcheck branch 2 times, most recently from 933b210 to 31527c0 Compare December 8, 2020 21:28
@grac3gao-zz grac3gao-zz changed the title [WIP]Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry Authentication check running inside the Pod for Source and BrokerCell Fanout and Retry Dec 8, 2020
@grac3gao-zz
Copy link
Contributor Author

/test pull-google-knative-gcp-conformance-tests

2 similar comments
@grac3gao-zz
Copy link
Contributor Author

/test pull-google-knative-gcp-conformance-tests

@grac3gao-zz
Copy link
Contributor Author

/test pull-google-knative-gcp-conformance-tests

Harwayne
Harwayne reviewed Dec 9, 2020
View reviewed changes
pkg/apis/intevents/v1/pullsubscription_lifecycle.go Outdated Show resolved Hide resolved
pkg/apis/intevents/v1beta1/pullsubscription_lifecycle.go Show resolved Hide resolved
pkg/broker/handler/pool.go Outdated
@@ -80,6 +84,9 @@ func (c *probeChecker) ServeHTTP(w http.ResponseWriter, req *http.Request) {
w.WriteHeader(http.StatusNotFound)
return
}
// Perform Authentication check.
authcheck.AuthenticationCheck(req.Context(), c.logger, c.authType, w)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this return under some condition? Such as if the auth check fails.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It only write statue into the response, which I included in the authcheck.AuthenticationCheck previously. Based on your comment, I'll do:

if err := authcheck.AuthenticationCheck; err != nil {
			pc.logger.Error("authentication check failed", zap.Error(err))
			w.WriteHeader(http.StatusUnauthorized)
                         return
}

pkg/broker/handler/pool_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/authcheck.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/list.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/list.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/list.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
grac3gao-zz
grac3gao-zz commented Dec 10, 2020
View reviewed changes
pkg/utils/authcheck/authcheck_test.go Outdated
name: "authentication check failed, using empty authType",
authType: "empty",
statusCode: http.StatusUnauthorized,
wantError: true,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was trying to use specific errors, however, in Prow and local, it returns different errors. In local, it can't write error into termination file (no such file), but in Prow, it can. Tried to create file, error showed no permission to do so. Thus, I just verify whether there is an error or not.

yolocs
yolocs reviewed Dec 11, 2020
View reviewed changes
Copy link
Member

@yolocs yolocs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the late comments

pkg/broker/handler/pool.go Outdated Show resolved Hide resolved
pkg/apis/intevents/v1beta1/pullsubscription_lifecycle_test.go Outdated Show resolved Hide resolved
cmd/broker/fanout/main.go Outdated Show resolved Hide resolved
pkg/broker/ingress/handler.go Show resolved Hide resolved
@grac3gao-zz grac3gao-zz force-pushed the podcheck branch 2 times, most recently from 5b119af to dcf36fd Compare December 16, 2020 03:54
yolocs
yolocs reviewed Dec 16, 2020
View reviewed changes
pkg/utils/authcheck/authcheck.go Outdated Show resolved Hide resolved
pkg/broker/handler/pool_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
yolocs
yolocs reviewed Dec 16, 2020
View reviewed changes
pkg/utils/authcheck/fake.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/authcheck_test.go Outdated Show resolved Hide resolved
yolocs
yolocs reviewed Dec 16, 2020
View reviewed changes
Copy link
Member

@yolocs yolocs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold for others to take a look

Harwayne
Harwayne reviewed Dec 16, 2020
View reviewed changes
pkg/reconciler/brokercell/brokercell.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/fake.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/authtype.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/authcheck.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/authcheck.go Outdated Show resolved Hide resolved
Harwayne
Harwayne reviewed Dec 16, 2020
View reviewed changes
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/probechecker_test.go Outdated Show resolved Hide resolved
Harwayne
Harwayne reviewed Dec 16, 2020
View reviewed changes
Copy link
Contributor

@Harwayne Harwayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@Harwayne
Copy link
Contributor

/unhold

I think only @yolocs and myself were commenting.

@knative-metrics-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-google-knative-gcp-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/intevents/v1/pullsubscription_lifecycle.go 93.5% 94.3% 0.7
pkg/apis/intevents/v1alpha1/brokercell_lifecycle.go 92.5% 94.5% 2.0
pkg/broker/handler/pool.go 82.1% 81.0% -1.1
pkg/pubsub/adapter/adapter.go 66.7% 67.5% 0.9
pkg/reconciler/brokercell/brokercell.go 95.0% 80.7% -14.4
pkg/reconciler/intevents/pullsubscription/keda/pullsubscription.go 72.7% 64.0% -8.7
pkg/reconciler/intevents/pullsubscription/static/pullsubscription.go 100.0% 70.0% -30.0
pkg/utils/authcheck/authcheck.go Do not exist 68.4%
pkg/utils/authcheck/authtype.go 85.7% 86.5% 0.8
pkg/utils/authcheck/fake.go Do not exist 100.0%
pkg/utils/authcheck/list.go Do not exist 84.6%
pkg/utils/authcheck/probechecker.go Do not exist 80.0%

@knative-prow-robot knative-prow-robot merged commit 980eb70 into google:master Dec 17, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Harwayne Harwayne Harwayne left review comments

@yolocs yolocs yolocs left review comments

@grantr grantr Awaiting requested review from grantr

@AlexandraRoatis AlexandraRoatis Awaiting requested review from AlexandraRoatis

Assignees

@Harwayne Harwayne

@yolocs yolocs

Labels
approved cla: yes (override cla status due to multiple authors bug) lgtm size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@grac3gao-zz @knative-prow-robot @Harwayne @knative-metrics-robot @yolocs @grac3gao