-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create and populate OIDC blob store for the cluster #3564
base: master
Are you sure you want to change the base?
Conversation
58d9129
to
1b8076a
Compare
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not a full review, just a few questions as you're working through the draft and testing. looks great!
Please rebase pull request. |
/azp run e2e |
Pull request contains merge conflicts. |
1b8076a
to
52b785b
Compare
pkg/api/openshiftcluster.go
Outdated
ResourceGroupID string `json:"resourceGroupId,omitempty"` | ||
FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"` | ||
OIDCIssuer OIDCIssuer `json:"oidcIssuer,omitempty"` | ||
BoundServiceAccountSigningKey SecureString `json:"boundServiceAccountSigningKey,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we're not going to populate this on older clusters, correct? So this field should only be set on WI clusters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this value will only be generated and populated for MIWI clusters as part of OIDC blob creations for the clusters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to make it a pointer then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed it SecureBytes now.
) | ||
|
||
func CreateKeyPair() (encPrivateKey []byte, encPublicKey []byte, err error) { | ||
bitSize := 4096 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this the bit size & recommendation of OpenShift for SA private keys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Creation of jwks is mostly copied from Cloud-credential-operator same as ROSA STS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
4096 should be ok for FIPS compliance as well: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also - would it be possible to have the cloud credential operator folks publish functions for generating key pairs, so that way ROSA and ARO can consume those directly instead of repeating the same code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@niontive they do actually: https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md#creating-rsa-keys-1 It's a CLI tool though, it's a bit different for us since we own the OIDC stuff.
Please rebase pull request. |
52b785b
to
feb76f9
Compare
feb76f9
to
c145d49
Compare
d684aeb
to
a067322
Compare
/azp run ci |
Azure Pipelines successfully started running 1 pipeline(s). |
@@ -261,6 +273,19 @@ func (p *prod) ACRDomain() string { | |||
return p.acrDomain | |||
} | |||
|
|||
func (p *prod) OIDCStorageAccountName() string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My main concern is we'll have to maintain the storage account name in two separate places. Ex: https://msazure.visualstudio.com/AzureRedHatOpenShift/_git/ARO-Pipelines?path=/rp/oidc/Region/Templates/modules/storage.bicep
Would you be good if we:
- Define the storage account names in
rp-config
- Have ARO-Pipelines and ARO-RP consume that name from
rp-config
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @gouthamMN
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Nic for raising this, I agree and back your idea for the consistency. It was hard anyways to get the container naming using the assumption present in the function.
Although I would like to get the consensus on the this.
cc: @cadenmarchese
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per discussion, this is going to be handle as a separate issue after the PR is merged. I will post the Jira story for the same here when created.
pkg/util/oidcbuilder/jwks.go
Outdated
"fmt" | ||
|
||
"github.com/pkg/errors" | ||
"gopkg.in/square/go-jose.v2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like Square deprecated this and it's maintained here now: https://github.com/go-jose/go-jose/blob/main/go.mod
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoided the direct dependency on square but the github.com/coreos/go-oidc
still uses it indirectly.
/azp run e2e |
Azure Pipelines successfully started running 1 pipeline(s). |
pkg/cluster/cluster.go
Outdated
@@ -169,6 +176,11 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database | |||
return nil, err | |||
} | |||
|
|||
rpBlob, err := azblob.NewManager(_env, _env.SubscriptionID(), msiCredential) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why pass sub & _env if they're both part of env?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed it to rpBlob, err := azblob.NewManager(_env.Environment(), _env.SubscriptionID(), msiCredential)
Haven't passed _env
directly as there can be a use case where different SubscriptionID is needed.
Please rebase pull request. |
a067322
to
5bffb1a
Compare
5bffb1a
to
9149938
Compare
/azp run ci,e2e |
Azure Pipelines successfully started running 2 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! I just made some small suggestions here and there.
blobContainerName := env.OIDCBlobContainerPrefix + m.doc.ID | ||
|
||
publicAccess := azstorage.PublicAccessNone | ||
// Public access on OIDC Container needed for development environments because of no AFD avaialbility |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super nitpicky: avaialbility
-> availability
if !bloberror.HasCode(err, bloberror.ContainerNotFound) { | ||
return err | ||
} | ||
needToCreateBlobContainer = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can simplify this by removing needToCreateBlobContainer
and returning nil
on this line.
"github.com/Azure/ARO-RP/pkg/util/azureclient" | ||
) | ||
|
||
type BlobContainersClient interface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this being used? I couldn't find any references to it. Could it be removed?
@@ -1394,3 +1399,214 @@ func TestNewPublicLoadBalancer(t *testing.T) { | |||
}) | |||
} | |||
} | |||
|
|||
func TestCreateOIDC(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could consider adding two more test cases:
- Fail to create
OIDCBuilder
OIDCBuilder
fails to populate OIDC blob
Bytes: x509.MarshalPKCS1PrivateKey(privateKey), | ||
}) | ||
|
||
// Generate public key from private keypair |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would reword this comment for clarity's sake. IIUC what's happening here is that the keypair has already been generated and you are simply putting the public key data into a byte array.
// Generate public key from private keypair | |
// Serialize public key into a byte array to prepare to store it in the OIDC storage blob |
// Generate public key from private keypair | ||
pubKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) | ||
if err != nil { | ||
return nil, nil, errors.Wrapf(err, "failed to generate public key from private") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, nil, errors.Wrapf(err, "failed to generate public key from private") | |
return nil, nil, errors.Wrapf(err, "failed to serialize public key") |
See my comment a few lines above this for the reasoning behind this suggestion.
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the Apache License 2.0. | ||
|
||
func TestEnsureOIDCDocs(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could consider adding a few more test cases here to cover some other ways in which the code could fail:
Public key is not of type RSA
(thedefault
case in theswitch
)Failed to fetch key ID from public key
JSON encoding of web key set failed
(if you can - I'm not sure if you can easily test this)
Which issue this PR addresses:
Jira issue :- ARO-4373
Related Docs:-
https://msazure.visualstudio.com/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/603739/OIDC-Traffic-Flow
Similar Implementation:-
https://gitlab.cee.redhat.com/service/uhc-clusters-service/-/tree/master/pkg/aws/cloudcredentialbuilder
What this PR does / why we need it:
Test plan for issue:
Is there any documentation that needs to be updated for this PR?
How do you know this will function as expected in production?
Testing the implementation in all the environments.