Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Use ServiceAccount to generate token #10

Merged
merged 8 commits into from
Jul 20, 2023
Merged

feat: Use ServiceAccount to generate token #10

merged 8 commits into from
Jul 20, 2023

Conversation

akrejcir
Copy link
Collaborator

What this PR does / why we need it:
This PR adds an alternate implementation of the proxy.

  • Tokens are generated by kubernetes
  • Tokens can be used with /vnc subreosurce on Kubevirt VirtualMachineInstance.

Release note:

Added another proxy implementation, that uses ServiceAccounts to generate tokens.

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Mar 14, 2023
@openshift-ci
Copy link

openshift-ci bot commented Mar 14, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@akrejcir akrejcir force-pushed the use-sa-for-token branch 2 times, most recently from c89d272 to b39a234 Compare April 25, 2023 13:19
@akrejcir akrejcir force-pushed the use-sa-for-token branch 2 times, most recently from c79d26d to 77a1fd5 Compare April 28, 2023 12:38
@akrejcir akrejcir changed the title WIP: feat: Use ServiceAccount to generate token feat: Use ServiceAccount to generate token Apr 28, 2023
@akrejcir akrejcir marked this pull request as ready for review April 28, 2023 12:38
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2023
@akrejcir
Copy link
Collaborator Author

/cc @0xFelix @ksimon1 @codingben

@kubevirt-bot kubevirt-bot requested a review from ksimon1 April 28, 2023 12:39
codingben
codingben reviewed May 4, 2023
View reviewed changes
pkg/console/service/kubevirt-proxy.go Outdated
}

namespace := request.PathParameter("namespace")
name := request.PathParameter("name")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd change it to vmName.

codingben
codingben reviewed May 4, 2023
View reviewed changes
Copy link
Member

@codingben codingben left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a few comments. I'll review again next week.

@kubevirt-bot kubevirt-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 11, 2023
@akrejcir akrejcir added this to the v0.3.0 milestone Jul 18, 2023
akrejcir added 5 commits July 19, 2023 13:16
@akrejcir
chore: move service to separate package
35b5aa1 
Created a new package for the service files.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
refactor: move test code to BeforeSuite()
7c1daa1 
The same setup will be useful for new tests added in a future commit.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
refactor: tests: extract ConfigMap update to methods.
af300a6 
This will be useful in a future commit.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
refactor: excract /token parameter reading to method
2188d93 
Moved parameter reading to a method.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
feat: Use ServiceAccounts to generate tokens
e71efbd 
The tokens are generated by kubernetes API server, and
they are bound to a service account.
They can be used to access VMI/vnc subresource.

/vnc endpoint was removed.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir akrejcir marked this pull request as ready for review July 19, 2023 14:48
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 19, 2023
@akrejcir
Copy link
Collaborator Author

@0xFelix, I have removed one commit from this PR to make it simpler. I will post the changes that you requested as a future PR.
Can you take another look?

0xFelix
0xFelix reviewed Jul 20, 2023
View reviewed changes
pkg/console/service/service.go

authToken := getAuthToken(request)
if authToken == "" {
_ = response.WriteError(http.StatusUnauthorized, fmt.Errorf("authenticating token cannot be empty"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should not give more info on 401. We could potentially log internally, but over the API I would not return more information to a potential attacker than necessary.

pkg/console/service/service.go

err = s.checkVncRbac(request.Request.Context(), authToken, params.name, params.namespace)
if err != nil {
_ = response.WriteError(http.StatusUnauthorized, err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same.

pkg/console/service/service.go Outdated Show resolved Hide resolved
pkg/console/service/service.go
Get(ctx context.Context, name string, opts metav1.GetOptions) (PT, error)
}

func createOrUpdate[PT interface {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this and L332 be part of a library? I see those kind of functions duplicated a lot across our projects.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The retryOnConflict() function is nearly a copy of this one from k8s.io/client-go: https://github.com/kubernetes/client-go/blob/64a35f6a46ec8a791d437495fd91c87bcd01a5b5/util/retry/util.go#L48-L66

Where are they duplicated?

0xFelix
0xFelix reviewed Jul 20, 2023
View reviewed changes
Copy link
Member

@0xFelix 0xFelix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm okay with this in general, but please address the comments in follow ups.

/approve

@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 0xFelix

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 20, 2023
akrejcir added 3 commits July 20, 2023 16:21
@akrejcir
chore: Remove /vnc endpoint
eb7a431 
The /vnc endpoint functionality was removed.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
docs: Update README.md and API documentation
e021a9b 
Changed documentation according to the new implementation.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir
fix: Update example-client to use VMI/vnc endpoint
a99b0f2 
The example client connects to the kubevirt VMI/vnc endpoint.

Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
@akrejcir akrejcir mentioned this pull request Jul 20, 2023
Closed
3 tasks
@akrejcir
Copy link
Collaborator Author

Thanks!
I've created an issue to track it: #20

codingben
codingben approved these changes Jul 20, 2023
View reviewed changes
Copy link
Member

@codingben codingben left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 20, 2023
@kubevirt-bot kubevirt-bot merged commit ea3ebe3 into kubevirt:main Jul 20, 2023
@akrejcir akrejcir deleted the use-sa-for-token branch July 21, 2023 07:02
@akrejcir akrejcir mentioned this pull request Aug 4, 2023
Open
@fabiand
Copy link
Member

fabiand commented Aug 9, 2023

Hooray!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xFelix 0xFelix 0xFelix left review comments

@codingben codingben codingben approved these changes

@ksimon1 ksimon1 Awaiting requested review from ksimon1

@lyarwood lyarwood Awaiting requested review from lyarwood

@jcanocan jcanocan Awaiting requested review from jcanocan

@opokornyy opokornyy Awaiting requested review from opokornyy

Assignees

@codingben codingben

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL
Projects
None yet
Milestone
v0.3.0
Development

Successfully merging this pull request may close these issues.
8 participants
@akrejcir @lyarwood @kubevirt-bot @fabiand @0xFelix @codingben @ksimon1 @jcanocan