Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[OCI] Static credentials should take precedence over the OIDC provider #884

Merged
merged 1 commit into from
Sep 9, 2022
Merged

[OCI] Static credentials should take precedence over the OIDC provider #884

merged 1 commit into from
Sep 9, 2022

Conversation

souleb
Copy link
Member

@souleb souleb commented Sep 1, 2022

fixes #874

If spec.SecretRef or spec.ServiceAccountName is provided, the controller will use the static credentials from the referenced secret.

Otherwise, if a non-generic provider is present in the definition, the controller will try to resolve credentials from the provider.

Signed-off-by: Soule BA soule@weave.works

@souleb souleb added bug Something isn't working area/oci OCI related issues and pull requests labels Sep 1, 2022
@souleb souleb changed the title secretRef take precedence over provider [OCI] secretRef take precedence over provider Sep 1, 2022
@souleb souleb changed the title [OCI] secretRef take precedence over provider [OCI] secretRef should take precedence over provider Sep 1, 2022
@stefanprodan stefanprodan changed the title [OCI] secretRef should take precedence over provider [OCI] Static credentials should take precedence over the OIDC provider Sep 1, 2022
stefanprodan
stefanprodan approved these changes Sep 1, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @souleb

@souleb
Copy link
Member Author

souleb commented Sep 1, 2022
edited
Loading

This has been tested on eks:

  • validate that a helmrepo/release with both spec.secretRef and provider, uses the spec.secretRef
  • validate that a helmrepo/release with only provider set to aws login successfully
  • validate that a helmrepo/release with provider not set, reconcile successfully for public registries.
  • validate that a ocirepository with both spec.secretRef and provider, uses the spec.secretRef
  • validate that a ocirepository with only provider set to aws login successfully
  • validate that a ocirepository with provider not set, reconcile successfully for public registries.

@stefanprodan
Copy link
Member

Thanks @souleb for all the testing 🥇

darkowlzz
darkowlzz reviewed Sep 1, 2022
View reviewed changes
internal/util/auth.go Outdated Show resolved Hide resolved
controllers/ocirepository_controller.go Show resolved Hide resolved
@souleb
Copy link
Member Author

souleb commented Sep 5, 2022

please don't merge this. I have to to add the tests for the HelmChartReconciler.

darkowlzz
darkowlzz reviewed Sep 5, 2022
View reviewed changes
controllers/suite_test.go Outdated Show resolved Hide resolved
@darkowlzz darkowlzz added the hold Issues and pull requests put on hold label Sep 5, 2022
@souleb souleb force-pushed the fix-874 branch 2 times, most recently from eaab1a0 to 473b546 Compare September 7, 2022 21:54
@souleb souleb removed the hold Issues and pull requests put on hold label Sep 7, 2022
@souleb
Copy link
Member Author

souleb commented Sep 8, 2022
edited
Loading

@darkowlzz this is ready now.

Note that the helmChart reconciler return *conditions.TrueCondition(sourcev1.FetchFailedCondition, "Unknown", "unknown build error: failed to login to OCI registry"), when we have an authentication error. This is due to observeChartBuild(obj *sourcev1.HelmChart, build *chart.Build, err error) returning an Reason: chart.ErrUnknown when the error is not a *chart.BuildError. We will have to change that to give more context to the user.

@pjbgf pjbgf added this to the GA milestone Sep 8, 2022
darkowlzz
darkowlzz reviewed Sep 9, 2022
View reviewed changes
controllers/helmrepository_controller_oci_test.go Outdated Show resolved Hide resolved
controllers/helmrepository_controller_oci_test.go Outdated Show resolved Hide resolved
controllers/helmchart_controller_test.go Outdated Show resolved Hide resolved
controllers/helmchart_controller_test.go Outdated Show resolved Hide resolved
@darkowlzz
Copy link
Contributor

darkowlzz commented Sep 9, 2022
edited
Loading

Note that the helmChart reconciler return *conditions.TrueCondition(sourcev1.FetchFailedCondition, "Unknown", "unknown build error: failed to login to OCI registry"), when we have an authentication error. This is due to observeChartBuild(obj *sourcev1.HelmChart, build *chart.Build, err error) returning an Reason: chart.ErrUnknown when the error is not a *chart.BuildError. We will have to change that to give more context to the user.

For the tests and the scenarios that result in unknown build error and Unknown reason with auth failure, it happens when HelmChart build is attempted when the associated HelmRepository isn't ready because of the auth failure. Around

source-controller/controllers/helmchart_controller.go

Line 388 in e22a664

// Assert source has an artifact
we have a check for non-OCI charts to ensures that the HelmRepo has artifact before proceeding further. We can add a similar check for OCI where we make sure that the HelmRepo is ready before proceeding to build it. That way, we can avoid such Unknown errors and show better status conditions.
I think it's not a big concern to be addressed in this PR. We can do it separately later.

@souleb
Copy link
Member Author

souleb commented Sep 9, 2022

@darkowlzz I put your comment in an issue: #894.

@souleb
secretRef take precedence over provider
869c73d 
if secretRef is provided, we do not attempt to resolve oidc

Signed-off-by: Soule BA <soule@weave.works>
darkowlzz
darkowlzz approved these changes Sep 9, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!
I suspect that the CI failure may be due to the existence of AWS secrets in the env vars that were added in github actions recently. The contextual login tries to use the credentials to actually log into a non-existing repository and fails.

@stefanprodan stefanprodan merged commit cf0e9ac into fluxcd:main Sep 9, 2022
@souleb souleb deleted the fix-874 branch September 9, 2022 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

@darkowlzz darkowlzz darkowlzz approved these changes

Assignees
No one assigned
Labels
area/oci OCI related issues and pull requests bug Something isn't working
Projects
Maintainers' Focus
Status: Done
Milestone
Helm GA
Development

Successfully merging this pull request may close these issues.

Make sure secretRef take precedence over provider for OCI repositories
4 participants
@souleb @stefanprodan @darkowlzz @pjbgf