Skip to content

WIP: AUTH-543: OIDC/OAuth resource configuration #740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 23 commits into
base: master
Choose a base branch
from
Open

WIP: AUTH-543: OIDC/OAuth resource configuration #740

wants to merge 23 commits into from
+1,287 −56

Conversation

liouk
Copy link
Member

@liouk liouk commented Nov 14, 2024

This PR adjusts all OAuth related controllers to remove (or not) their operands depending on whether authentication is external OIDC or not.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 14, 2024
edited by openshift-ci bot
Loading

@liouk: This pull request references AUTH-543 which is a valid jira issue.

In response to this:

This PR adjusts all OAuth related controllers to remove (or not) their operands depending on whether authentication is external OIDC or not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 14, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 14, 2024
@openshift-ci openshift-ci bot requested review from frobware and ibihim November 14, 2024 16:54
@liouk liouk force-pushed the oidc-oauth-cleanup branch 22 times, most recently from e99d56a to 46287b6 Compare November 21, 2024 14:59
@liouk liouk force-pushed the oidc-oauth-cleanup branch from 46287b6 to ae635c0 Compare November 22, 2024 11:03
@liouk liouk changed the title WIP: AUTH-543: OIDC/OAuth resource configuration AUTH-543: OIDC/OAuth resource configuration Nov 22, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 22, 2024
@liouk liouk mentioned this pull request Dec 3, 2024
Open
@liouk
Copy link
Member Author

liouk commented Dec 5, 2024
edited by openshift-ci bot
Loading

Pre-merge testing has revealed some issues with this PR; turning this into WIP until fixed.

/retitle WIP: AUTH-543: OIDC/OAuth resource configuration

@openshift-ci openshift-ci bot changed the title AUTH-543: OIDC/OAuth resource configuration WIP: AUTH-543: OIDC/OAuth resource configuration Dec 5, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 5, 2024
liouk added 23 commits February 12, 2025 12:09
@liouk
common: add helper func to determine whether OIDC is enabled on KAS pods
e096a11
@liouk
operator: set number of replicas of workloads with a custom wrapper
7ba38b8 
If OIDC is available then set replicas to 0, otherwise fall back
to the default behaviour of counting nodes.
@liouk
deployment: bypass precondition checks if OIDC is available
50646a7 
This allows the controller to proceed with the sync and
eventually scale down the deployment to 0 replicas.
@liouk
endpointaccessible: disable controller checks upon specific conditions
fae7129
@liouk
proxyconfig: disable proxy checks when external OIDC config is available
7505c22
@liouk
ingressnodesavailable: disable checks when external OIDC config is av…
a3ed6d7 
…ailable
@liouk
ingressstate: disable checks when external OIDC config is available
018e8f0
@liouk
readiness: disable checks when external OIDC config is available
435990f
@liouk
oauthclientscontroller: remove operands when external OIDC config is …
7b646ba 
…available
@liouk
metadata: remove operands if external OIDC config is available
587c31d
@liouk
operator: configure static resources that depend on oidc
687641d
@liouk
routercerts: remove operands if external OIDC config is available
98c5092
@liouk
serviceca: remove operands if external OIDC config is available
e80d6a2
@liouk
payload: remove operands if external OIDC config is available
a24c190
@liouk
customroute: remove operands and clear custom route ingress status if…
fab276c 
… external OIDC config is available
@liouk
operator: enable or disable API services depending on whether OIDC is…
86647ec 
… enabled
@liouk
controllers: add switchable informer controller
37841a3
@liouk
oauthclientscontroller: use a switched informer for oauthclients
0a81630 
So that it can be stopped when auth type is OIDC.
@liouk
fixup! readiness: disable checks when external OIDC config is available
7a11fe6
@liouk
fixup! customroute: remove operands and clear custom route ingress st…
ad63ec6 
…atus if external OIDC config is available
@liouk
fixup! controllers: add switchable informer controller
a379d88
@liouk
fixup! oauthclientscontroller: use a switched informer for oauthclients
641d1dd
@liouk
fixup! common: add helper func to determine whether OIDC is enabled o…
de9f965 
…n KAS pods
@liouk liouk force-pushed the oidc-oauth-cleanup branch from a1cf995 to de9f965 Compare February 12, 2025 11:09
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 12, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 12, 2025

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-agnostic de9f965 link true /test e2e-agnostic
ci/prow/verify de9f965 link true /test verify
ci/prow/unit de9f965 link true /test unit
ci/prow/e2e-agnostic-upgrade de9f965 link true /test e2e-agnostic-upgrade
ci/prow/test-operator-integration de9f965 link false /test test-operator-integration
ci/prow/okd-scos-e2e-aws-ovn de9f965 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ibihim ibihim ibihim left review comments

@frobware frobware Awaiting requested review from frobware

Assignees
No one assigned
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@liouk @openshift-ci-robot @ibihim