Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Controller reacting on EventingAuth CR #2

Closed
7 tasks done
Tracked by #1
strekm opened this issue Apr 12, 2023 · 2 comments
Closed
7 tasks done
Tracked by #1

Controller reacting on EventingAuth CR #2

strekm opened this issue Apr 12, 2023 · 2 comments
Assignees
@triffer
Labels
area/eventing Issues or PRs related to eventing area/security Issues or PRs related to security

Comments

@strekm
Copy link

strekm commented Apr 12, 2023
edited by triffer
Loading

Description

Implement first version of EventingAuth controller reacting on EventingAuth CR. Kubebuilder might be used for generating scaffolding of the controller. EventingAuth CR at this moment will not have any spec fields, the CR will contain only status info.

The controller expects following configuration to be provided:

  • IAS url
  • IAS credentials of user able to manage apps
  • target cluster ID or any other ID
  • target cluster kubeconfig

The controller will react on EventingAuth CR creation. The controller will create IAS app and secret using provided IAS url and IAS credentials. Client ID needs to be fetched using ID of created app. Token url needs to be fetched from IAS OIDC well known configuration.

Having Client ID, Client Secret and token url the controller will create a secret containing mentioned data on a target cluster that can be picked up by eventing component. Finally controller will write status in EventingAuth CR.

DoD:

  • IAS app and secret created on EventingAuth CR creation
  • IAS app can be identified by target cluster ID
  • secret containing Client ID, Client Secret and token url created on target cluster
  • read token URL from IAS well known OIDC configuration
  • read IAS credentials from secret and create issue for SRE with secret structure proposal
  • controller docu
  • EventingAuth docu

Attachments
part of: #1
@strekm strekm added area/security Issues or PRs related to security area/eventing Issues or PRs related to eventing labels Apr 12, 2023
@strekm
Copy link
Author

strekm commented Apr 12, 2023

Consider having target cluster ID and reference to target cluster kubeconfig in EventingAuth spec. IAS specific configuration should be controller configuration since it's the same for all EventingAuth CR. Any opinions @pbochynski @k15r ?

@strekm strekm mentioned this issue Apr 12, 2023
Closed
13 tasks
@triffer triffer mentioned this issue Apr 14, 2023
Merged
@k15r k15r mentioned this issue Apr 17, 2023
Closed
10 tasks
This was referenced Apr 18, 2023
Merged
Merged
Merged
Merged
This was referenced Apr 26, 2023
Merged
Merged
Merged
@triffer
Copy link
Contributor

triffer commented Apr 27, 2023
edited
Loading

The secret with the IAS credentials has been rolled out to the control-plane for all environments.

@muralov muralov closed this as completed May 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@triffer triffer

Labels
area/eventing Issues or PRs related to eventing area/security Issues or PRs related to security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@triffer @muralov @strekm