-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move RequestAuthentication
policy creation to iap-enabler
for gitops friendliness
#364
Move RequestAuthentication
policy creation to iap-enabler
for gitops friendliness
#364
Conversation
Hi @fabito. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ok-to-test
Thank you @fabito , will this change make |
Yep, solely managed by
Sure! |
/lgtm |
/assign @zijianjoy |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabito, gkcalat, zijianjoy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…ops friendliness (#364) * Move RequestAuthentication policy creation to iap-enabler for gitops friendliness * Use config map generator * rename variable substitution placeholder
Problem
In my gitops setup I was facing a race condition between
Fluxcd
andiap-enabler
where they were both updating theingress-jwt
RequestAuthentication resource:ingress-jwt
RequestAuthentication resource without the audience (TO_BE_PATCHED)iap-enabler
resolves the backend id and patches theingress-jwt
audienceSolution
Move
ingress-jwt
RequestAuthentication creation logic toiap-enabler
.policy.yaml
from Kustomize resources list toenvoy-config
ConfigMapsetup_backend.sh
to replaceTO_BE_PATCHED
with the correct audience and applypolicy.yaml
to create/updateingress-jwt