-
Notifications
You must be signed in to change notification settings - Fork 129
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add mTLS auth credential support #175
Conversation
Add support for mtls-auth credentials. ingestMtlsAuths is currently faked. Tests related to fetching an existing mtls-auth credential without access to its ID fail because of this.
This is a bit better. However, I'm not sure how to fix the codegen stuff that makes that CI test fail (doesn't look like there's a generator script) and there's some oddness with the error printing, as discussed below. Given https://gist.github.com/rainest/7ba9bc610d8b7a2bf663feb11cc0304f#file-bad-yaml (which contains a no-ID mtls-auth) deck prints:
I'm missing something though. https://github.com/rainest/deck/blob/275bffc/file/builder.go#L397-L412 should print the username if present, custom ID if not, and ID if neither (which shouldn't happen--it's invalid). However, this apparently gives us a consumer with neither a username nor custom ID:
That is indeed what we get in code, but I'm not sure why:
|
Run
Trace the path from start to the point where you get in the code. It is a little round about.
At this point in writing this comment, I realized that I was explaining the wrong thing to you. You are looking for https://github.com/rainest/deck/blob/275bffc/file/builder.go#L256. That line sets the consumer on the mtls-auth entity and as we see, that only contains an ID. praise: I am so happy to see you make the effort to provide a helpful error to the end user in such cases, but this is a little difficult to do so right now with the approach you are taking. Try generating the schema and then run the bad.yaml through that. It will error out with some more context and that should be better. It is not perfect but should be okay. |
Didn't see any differences after schema generation (other than clearing the CI failure) but it's easy enough, if a bit cumbersome, to just pass the consumer details in, complain about them if needed, and strip them after when actually creating the resource. With that I think we're good to go (famous last words)! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed half the code, will continue again as I find time. This is looking pretty good overall.
go.mod
Outdated
@@ -9,7 +9,7 @@ require ( | |||
github.com/hashicorp/go-immutable-radix v1.2.0 // indirect | |||
github.com/hashicorp/go-memdb v1.1.2 | |||
github.com/hashicorp/golang-lru v0.5.4 // indirect | |||
github.com/hbagdi/go-kong v0.11.0 | |||
github.com/hbagdi/go-kong v0.11.1-0.20200520215447-05279344daa9 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll do a go-kong release before a final deck release to take care of this. This works as it is for this change set.
I'm missing something in the tests/deck code around handling around handling no-tag entities. The actual want definition has no tag: https://github.com/rainest/deck/blob/feat/mtls-auth/file/builder_test.go#L962-L967 However, that runs into this issue:
So I'm guessing something related to https://github.com/rainest/deck/blob/feat/mtls-auth/file/builder_test.go#L970-L972 adds it, but I'm not sure how to correctly remove that--I can probably find it eventually but figure it will be quicker to ask in this case. cfa281b makes the test pass, but is almost certainly not the correct way to do so. |
It took me longer than I would like to admit to track this down: Following patch on top of your branch fixes the issue: diff --git a/file/builder_test.go b/file/builder_test.go
index a6b5744..025f2fb 100644
--- a/file/builder_test.go
+++ b/file/builder_test.go
@@ -1052,7 +1052,6 @@ func Test_stateBuilder_consumers(t *testing.T) {
Consumer: &kong.Consumer{
ID: kong.String("4bfcb11f-c962-4817-83e5-9433cf20b663"),
},
- Tags: kong.StringSlice("tag1"),
},
},
},
@@ -1193,8 +1192,6 @@ func Test_stateBuilder_consumers(t *testing.T) {
},
},
}
- var empty []*string
- tests[3].want.MTLSAuths[0].Tags = empty
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
b := &stateBuilder{ |
I applied the above patch and a bunch others and I was ready to merge but the code didn't work when I tested manually. The test I performed had two mtls-auth creds configured:
When I run deck dump, it fails with:
I've pushed the updated patch here: 9097da7 Please base your work on top of that patch now (force push on this PR) and also resolve the problem described above. |
mtls-auth's lack of unique fields strikes again. the fix in b9b5c54 is silly, but whatever, it works 🤷 |
Merged manually b1b6633 |
Add support for mTLS auth to decK.
The mtls-auth credentials don't have unique identifiers other than the ID, so we cannot find existing matching resources. Although not great, the simplest strategy I can think of to handle this is to tack CA Certificates in the controller: we just require that you provide an ID for all mtls-auth credentials. It's not particularly user-friendly, but is probably the best option barring major changes in the DAO to allow multi-field uniques. That isn't in this PR yet, as I think we should review other options as a team before moving on. Draft as such.