Implement AccessorID resolution and client ip propagation #19
Conversation
|
Hi @ncode, awesome! This goes definitely in the right direction! Some thoughts so far but theses are things we also could stabilise later:
I'm also currently waiting for a recommendation from the OPA communityhow to model this there |
|
Hi @mxab,
I didn't think of it but it's a pretty nice idea to pass all the available information since we've already resolved it :)
Yes. Let's use
I agree that passing the context like you describe will make things a bit more flexible, specially with the extra metadata from the token it will be cleaner. I'm only in doubt about X-FORWARD-FOR and the NACP-Nomad-Accessor-ID, these would be useful to have available as readers without the need to parse the content. What do you think?
Nice! |
|
Sorry for the late response.
Ah so if I get you correctly your "validation" part in this case is solely on the Client IP Address + Accessor ID. Yeah I guess it makes sense. Regarding the OPA part, they recommended to create an input consisting out of the context and the job. So I guess we need to update this part here and create a input struct the consists out of a caller context (client ip addr, resolved token) and the job So for the remote hooks I think it make sense to use the same structure, we could still leave the headers as well so it works for your use case |
No worries!
Deal! I will start working on it this weekend! |
|
Hi @mxab, I think at this stage we have the bare bones of how to propagate the data. Now I'm staring to add the context passing to mutators and validators. I will add those to the same PR and we can break it into different pieces if it's a too big of a PR. One thing I'm not entire sure is if we should break the api and have: type Payload struct {
Job *api.Job `json:"job"`
Context *config.RequestContext `json:"context,omitempty"`
}I will add a few extra tests and deploy a release to test this week to validate in production :) |
|
Hi, |
No worries! |
| return ip | ||
| } | ||
|
|
||
| func resolveTokenAccessor(transport http.RoundTripper, nomadAddress *url.URL, token string) (*api.ACLToken, error) { |
There was a problem hiding this comment.
I'm actual not too knowledgeable when it comes to http lib of golang, what is it we do with the transport here :)
There was a problem hiding this comment.
ah this was for the tls part right?
There was a problem hiding this comment.
Yeap. Since we have a transport coming from the upstream function call, we use the same settings to call the nomad endpoint. To ensure if we have the tls set we use it.
|
Overall I would say this looks really great. I guess it would be a good time to start CHANGELOG.md to document those breaking changes :D |
Nice! It indeed make sense to add those to a CHANGELOG.md. I'm happy to update MR the with a changelog section that details the change to help :) |
|
@mxab I've added a changelog section to the PR message. Now that I'm thinking about it, should I actually push the CHANGELOG.md file? |
|
Looks really great, if you don't mind put it in a |
Done :) |
|
Hi @ncode thanks so much for your contribution, I merged in. Will create a release asap |
|
@mxab thank you for creating this awesome tool! |
Hi @mxab,
I've started the patch last week and would like to double check the direction it's going so far :).
My idea here was to resolve the token as early as possible to propagate down. The upstream ip address is very cheap to propagate, so I thought about always passing it so we can have cidr based validators and mutators even when not resolving the token
Addresses #18
This pull request includes significant updates to the
admissionctrlpackage, focusing on refactoring theJobhandling to use a newtypes.Payloadstructure and adding support for context headers in webhook mutators. The most important changes are as follows:Refactoring to use
types.Payload:admissionctrl/controller.go: Changed method signatures and internal logic to usetypes.Payloadinstead ofapi.Job. This includes updates toJobMutator,JobValidator,JobHandler, and their respective methods. [1] [2] [3] [4]admissionctrl/controller_test.go: Updated test cases to usetypes.Payloadand modifiedTestJobHandler_ApplyAdmissionControllersto include the newresolveTokenparameter. [1] [2] [3]Adding context headers in webhook mutators:
admissionctrl/mutator/json_patch_webhook.go: Enhanced theMutatemethod to add context headers fromtypes.Payloadto the HTTP request. [1] [2]admissionctrl/mutator/webhook_mutator.go: Similar updates to add context headers fromtypes.Payloadto the HTTP request.Updates to mutator and OPA logic:
admissionctrl/mutator/opa_json_patch.go: RefactoredMutatemethod to usetypes.Payloadand updated logging and error handling accordingly. [1] [2] [3] [4]admissionctrl/opa/opa.go: ModifiedQuerymethod to accepttypes.Payloadas input.Test updates:
admissionctrl/mutator/json_patch_webhook_test.go: Updated tests to usetypes.Payload.admissionctrl/mutator/opa_json_patch_test.go: Updated tests to usetypes.Payload.admissionctrl/mutator/webhook_mutator_test.go: Updated tests to usetypes.Payload.admissionctrl/opa/opa_test.go: Updated tests to usetypes.Payload.