allow webconsole to discover cluster information #18075
@jpeeler are clusterservicebrokers safe for most people to see?
@sdodson I'm working on corresponding openshift-ansible changes for this
This to me seems ok since the authInfo only contains secret references: https://github.com/kubernetes-incubator/service-catalog/blob/605c9520f0713771ca8df4887652aa0bc30d5148/pkg/apis/servicecatalog/v1beta1/types.go#L112:6
interesting... the web console server is doing live lookup to build config now?
Seems more reliable than having a set config for fully discoverable things. And the versions really have to be looked up live; I didn't set up watches.
/retest
name: web-console-server-rbac | ||
parameters: | ||
- name: NAMESPACE | ||
# This namespace cannot be changed. Only `openshift-web-console` is supported. |
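Review bot: The comment on the NAMESPACE parameter says the value cannot be changed, but it does not say why the value is exposed as a parameter at all. Extend the comment to state the reason the parameter exists and what happens when a different value is supplied, so that someone processing the template does not treat it as a supported setting.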
Why make it a parameter then?
Why make it a parameter then?
Template processing will clear them unless you explicitly set it using the variable. This just makes all parameters for all templates the same.
Works for me:
A related question - does running the console in a pod allow us to make its OAuth client private now like the request token endpoint? IIRC it already supports the code flow? That would leave oc as the only remaining public OAuth client, which is expected since it cannot protect any embedded secret, and it already uses PKCE.
That would require adding server side oauth handling to the web console, which isn't really worth it if the end goal is to hand the access token over to the user.
@enj OK with this change? It's required for several other PRs
/retest
Yup, just forgot to tag. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here.
/retest Please review the full test history for this PR and help us cut down flakes.
/retest
flake #16994 /retest
Automatic merge from submit-queue. Add console RBAC template Required for openshift/origin-web-console-server#18 Origin changes: openshift/origin#18075 /assign @sdodson /cc @deads2k
/retest
This blocks a chain of coordinated pulls across three repos. bumping priority.
/retest
/retest Please review the full test history for this PR and help us cut down flakes.
/retest
/test all [submit-queue is verifying that this PR is safe to merge]
/retest
@deads2k: The following test failed, say
Automatic merge from submit-queue (batch tested with PRs 18075, 17725, 16766, 18070, 18113).
only 19 retests? That was too easy 🎉
It is funny to laugh about (sort of), but shouldn't this be considered a pretty big problem? It seems the test_pull_request_origin_extended_conformance_crio in particular is extremely problematic - https://openshift-gce-devel.appspot.com/pr/18075
Yes, it should be being treated as at least a p1 issue (which is a blocker) if it is something that is occurring all the time. The referenced flake is marked as p1, @mrunalp would have to comment on any progress there.
If you look through the failures, it's generally a different flake each time. We should do a better job of linking to a flake issue for each, but it's a bit disheartening doing it 20 times (multiplied by how many PRs you have open). And it's difficult to track down if you're trying to re-kick the tests from your phone in the evening. I also wonder if there's not an infrastructure issue since jobs fail consistently, but usually on different tests. Fighting a similar problem now for #18114
Adds permissions to the webconsole to inspect what clusterservicebrokers are present.
@pmorie please confirm this is a non-escalating resource which can be generally viewed.
@openshift/sig-security
@spadgett @jwforres you'll need this before merging openshift/origin-web-console-server#18
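A check for the two questions raised in this thread: whether reading clusterservicebrokers exposes anything beyond secret references, and whether a grant is read-only. This is an added example, not code from the PR or from service-catalog; the sample objects, their names and the assumed `secretRef` shape (`namespace`, `name`) are constructed for illustration.

```python
import json

# Constructed sample input: broker-a keeps only a secret reference in authInfo;
# broker-b is a hypothetical object that also carries an inline field.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "broker-a"},
   "spec": {"url": "https://broker-a.example.test/",
            "authInfo": {"bearer": {"secretRef":
                {"namespace": "broker-ns", "name": "broker-a-client"}}}}},
  {"metadata": {"name": "broker-b"},
   "spec": {"url": "https://broker-b.example.test/",
            "authInfo": {"basic": {"username": "admin",
                                   "secretRef": {"name": "creds"}}}}}
]}
""")

REF_FIELDS = {"namespace", "name"}     # assumed shape of a secret reference
READ_VERBS = {"get", "list", "watch"}  # verbs that only read

def non_reference_fields(broker):
    """Paths under spec.authInfo that are not a secretRef's namespace/name."""
    found = []
    auth = broker.get("spec", {}).get("authInfo") or {}
    for scheme, cfg in auth.items():  # e.g. "basic" or "bearer"
        for key, value in (cfg or {}).items():
            if key != "secretRef":
                found.append(f"authInfo.{scheme}.{key}")
                continue
            for extra in sorted(set(value or {}) - REF_FIELDS):
                found.append(f"authInfo.{scheme}.secretRef.{extra}")
    return found

def audit(broker_list):
    """Map broker name -> offending paths for brokers exposing more than references."""
    report = {}
    for broker in broker_list.get("items", []):
        paths = non_reference_fields(broker)
        if paths:
            report[broker["metadata"]["name"]] = paths
    return report

def rule_is_read_only(rule):
    """True when an RBAC rule grants only get/list/watch (a "*" verb fails)."""
    verbs = set(rule.get("verbs", []))
    return bool(verbs) and verbs <= READ_VERBS

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty report from `audit` means every broker in the list exposes only references; any entry names the field a reader of the resource would see.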