Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: make oidc discovery url configurable #8145

Merged
merged 5 commits into from
Oct 15, 2024

Conversation

Cali0707
Copy link
Member

@Cali0707 Cali0707 commented Aug 9, 2024

Fixes #8121

Proposed Changes

  • Add feature flag for OIDC discovery base url
  • Use feature flag in token verifier when building discovery config

Release Note

The OIDC discovery url is now configurable with the oidc-discovery-base-url feature flag in the config-features configmap.

@knative-prow knative-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 9, 2024
@knative-prow knative-prow bot requested review from creydr and Leo6Leo August 9, 2024 16:48
@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 9, 2024
@Cali0707
Copy link
Member Author

Cali0707 commented Aug 9, 2024

/cc @pierDipi @creydr

Should we also backport this at all to make OIDC work on EKS in previous releases?

@knative-prow knative-prow bot requested a review from pierDipi August 9, 2024 16:49
Copy link

codecov bot commented Aug 9, 2024

Codecov Report

Attention: Patch coverage is 13.69863% with 63 lines in your changes missing coverage. Please review.

Project coverage is 66.47%. Comparing base (e79f3b6) to head (e5b9e23).
Report is 13 commits behind head on main.

Files with missing lines Patch % Lines
pkg/auth/verifier.go 0.00% 42 Missing ⚠️
cmd/jobsink/main.go 0.00% 8 Missing ⚠️
pkg/apis/feature/features.go 55.55% 2 Missing and 2 partials ⚠️
cmd/broker/filter/main.go 0.00% 3 Missing ⚠️
cmd/broker/ingress/main.go 0.00% 3 Missing ⚠️
...econciler/inmemorychannel/dispatcher/controller.go 62.50% 2 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8145      +/-   ##
==========================================
- Coverage   67.47%   66.47%   -1.01%     
==========================================
  Files         371      371              
  Lines       18036    18318     +282     
==========================================
+ Hits        12169    12176       +7     
- Misses       5088     5351     +263     
- Partials      779      791      +12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@@ -57,14 +53,14 @@ type IDToken struct {
AccessTokenHash string
}

func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {
func NewOIDCTokenVerifier(ctx context.Context, features feature.Flags) *OIDCTokenVerifier {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason, for not getting the feature store from the given context?

Copy link
Member Author

@Cali0707 Cali0707 Aug 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This made it easier to re-create the verifier in the callback functions when the config-features cm changes

@Cali0707
Copy link
Member Author

/cc @creydr

@knative-prow knative-prow bot requested a review from creydr August 16, 2024 14:28
@knative-prow-robot knative-prow-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 16, 2024
@Cali0707
Copy link
Member Author

/cc @creydr @pierDipi

@pierDipi
Copy link
Member

/assign @creydr

Can you take a look?

@Cali0707
Copy link
Member Author

/cc @creydr @pierDipi

@pierDipi
Copy link
Member

@creydr can you take a look?

@creydr
Copy link
Member

creydr commented Sep 16, 2024

/cc

@creydr creydr force-pushed the add-oidc-discovery-config branch from 6ff7de7 to 3f2dfa6 Compare September 17, 2024 09:56
@creydr
Copy link
Member

creydr commented Sep 17, 2024

Rebased after #8195

Signed-off-by: Calum Murray <cmurray@redhat.com>
@creydr creydr force-pushed the add-oidc-discovery-config branch from 3f2dfa6 to 837d926 Compare September 17, 2024 10:14
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 17, 2024
@creydr
Copy link
Member

creydr commented Sep 17, 2024

@Cali0707, on testing with oidc-discovery-base-url: "https://oidc.eks.eu-west-1.amazonaws.com/id/1", I saw

Get \"https://oidc.eks.eu-west-1.amazonaws.com/id/1/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority}

This was because the used HTTP client of the TokenVerifier (now only Verifier) only took the CA certs from the API server. I addressed this in eee1320 (which should support Trustbundles too).

@creydr
Copy link
Member

creydr commented Sep 17, 2024

I can also check on #8145 (comment) and get the features from the ctx in auth.NewVerifier()

@Cali0707
Copy link
Member Author

I can also check on #8145 (comment) and get the features from the ctx in auth.NewVerifier()

Would this work if the features were updated to have a new url?

@creydr
Copy link
Member

creydr commented Sep 17, 2024

I can also check on #8145 (comment) and get the features from the ctx in auth.NewVerifier()

Would this work if the features were updated to have a new url?

When we make sure we pass a context, which has the features (e.g. featureStore.ToContext(ctx)), I'd guess so

Anyhow not totally sure about it, as having it as a parameter shows directly, that this is required for the function call 🤔

@creydr
Copy link
Member

creydr commented Sep 18, 2024

@pierDipi As I also committed to this PR, could you give it a quick review from your side too?

cmd/jobsink/main.go Outdated Show resolved Hide resolved
… of feature flags

Signed-off-by: Cali0707 <calumramurray@gmail.com>
@Cali0707
Copy link
Member Author

/cc @creydr @pierDipi

@knative-prow knative-prow bot requested a review from pierDipi September 23, 2024 00:22
pkg/auth/verifier.go Outdated Show resolved Hide resolved
Signed-off-by: Cali0707 <calumramurray@gmail.com>
@Cali0707
Copy link
Member Author

Cali0707 commented Oct 5, 2024

/cc @creydr

@knative-prow knative-prow bot requested a review from creydr October 5, 2024 16:23
@creydr
Copy link
Member

creydr commented Oct 7, 2024

JobSink does not come up

        message: "{\"level\":\"info\",\"ts\":\"2024-10-05T16:42:12.130Z\",\"logger\":\"job-sink\",\"caller\":\"jobsink/main.go:112\",\"msg\":\"Starting
          the JobSink Ingress\",\"commit\":\"dcc5539\"}\npanic: runtime error: invalid
          memory address or nil pointer dereference\n[signal SIGSEGV: segmentation
          violation code=0x1 addr=0x0 pc=0x47f0d8]\n\ngoroutine 1 [running]:\nsync.(*RWMutex).Lock(0x21fd838?)\n\tsync/rwmutex.go:146
          +0x18\nknative.dev/eventing/pkg/auth.(*Verifier).initOIDCProvider(0xc0003e2640,
          {0x21fd838, 0xc000431830}, 0x0)\n\tknative.dev/eventing/pkg/auth/verifier.go:267
          +0x351\nknative.dev/eventing/pkg/auth.NewVerifier({0x21fd838, 0xc000431830},
          {0x21e9488, 0xc00034f8e0}, {0x21e9690, 0xc0004c79a0}, {0x21e41e8, 0xc000184c60})\n\tknative.dev/eventing/pkg/auth/verifier.go:88
          +0x5b5\nmain.main()\n\tknative.dev/eventing/cmd/jobsink/main.go:129 +0xc53\n"

I guess this is because https://github.com/knative/eventing/pull/8145/files#diff-09c972dc18a7eba8ddf0c27c3a5629ea43289af799f5af6aaf67b5a6848665c7R58 does not need to be a pointer / is unitialized

Edit: addressed in e5b9e23

Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 15, 2024
Copy link

knative-prow bot commented Oct 15, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@creydr
Copy link
Member

creydr commented Oct 15, 2024

/test unit-tests

@creydr
Copy link
Member

creydr commented Oct 15, 2024

/retest

@knative-prow knative-prow bot merged commit 33a9027 into knative:main Oct 15, 2024
35 of 36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Make OIDC Discovery URL configurable
4 participants