Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move RequestAuthentication policy creation to iap-enabler for gitops friendliness #364

Merged
merged 3 commits into from
Jul 4, 2022
Merged

Move RequestAuthentication policy creation to iap-enabler for gitops friendliness #364

merged 3 commits into from
Jul 4, 2022

Conversation

fabito
Copy link
Contributor

@fabito fabito commented Apr 12, 2022
edited
Loading

Problem

In my gitops setup I was facing a race condition between Fluxcd and iap-enabler where they were both updating the ingress-jwt RequestAuthentication resource:

  • Fluxcd creates/updates the ingress-jwt RequestAuthentication resource without the audience (TO_BE_PATCHED)
  • iap-enabler resolves the backend id and patches the ingress-jwt audience

Solution

Move ingress-jwt RequestAuthentication creation logic to iap-enabler.

  • Move policy.yaml from Kustomize resources list to envoy-config ConfigMap
  • Refactor setup_backend.sh to replace TO_BE_PATCHED with the correct audience and apply policy.yaml to create/update ingress-jwt

@google-oss-prow
Copy link

Hi @fabito. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Arhell
Arhell reviewed Apr 12, 2022
View reviewed changes
Copy link

@Arhell Arhell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@zijianjoy
Copy link
Collaborator

Thank you @fabito , will this change make policy.yaml out of the control from gitops Fluxcd? Also, should we use more specific placeholder than TO_BE_PATCHED since we use sed to replace the value now? Previously we specify the yaml path for the JWT_AUDIENCE replacement.

@fabito
Copy link
Contributor Author

fabito commented Apr 12, 2022
edited
Loading

Thank you @fabito , will this change make policy.yaml out of the control from gitops Fluxcd?

Yep, solely managed by iap-enabler now

Also, should we use more specific placeholder than TO_BE_PATCHED since we use sed to replace the value now?

Sure!

@zijianjoy zijianjoy mentioned this pull request May 31, 2022
Closed
25 tasks
@gkcalat
Copy link
Contributor

gkcalat commented Jul 3, 2022

/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Jul 3, 2022
@gkcalat
Copy link
Contributor

gkcalat commented Jul 3, 2022

/assign @zijianjoy

@zijianjoy
Copy link
Collaborator

/lgtm
/approve

@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabito, gkcalat, zijianjoy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit dd1bdbb into GoogleCloudPlatform:master Jul 4, 2022
@gkcalat gkcalat mentioned this pull request Jul 6, 2022
Merged
gkcalat pushed a commit that referenced this pull request Jul 8, 2022
@fabito @gkcalat
Move RequestAuthentication policy creation to iap-enabler for git…
698eca8 
…ops friendliness (#364)

* Move RequestAuthentication policy creation to iap-enabler for gitops friendliness

* Use config map generator

* rename variable substitution placeholder
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Arhell Arhell Arhell left review comments

@zijianjoy zijianjoy Awaiting requested review from zijianjoy

Assignees

@gkcalat gkcalat

@zijianjoy zijianjoy

Labels
approved lgtm ok-to-test size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fabito @zijianjoy @gkcalat @Arhell