Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure that the correct cluster is queried by authgate for catalog. #2038

Merged
merged 3 commits into from
Sep 16, 2020
Merged

Ensure that the correct cluster is queried by authgate for catalog. #2038

merged 3 commits into from
Sep 16, 2020

Conversation

absoludity
Copy link
Contributor

Description of the change

Updates the auth gate so that when requesting the charts available for a cluster and namespace, that it queries that cluster rather than using the incluster config.

Benefits

On TKG (or otherwise) when Kubeapps is installed on a cluster itself without OIDC but configured for OIDC for the workload clusters, enables viewing the catalog of charts.

Applicable issues

Fixes #2026

Additional information

See #2037

absoludity added a commit that referenced this pull request Sep 16, 2020
@absoludity
Update assetsvc URIs to be cluster aware. (#2031)
27e97b9 
Required to be able to verify a users access to charts in a given namespace in the authgate check.

Followed up by #2038
Base automatically changed from 2026-dashboard-chart-urls-cluster-aware to master September 16, 2020 02:07
@absoludity absoludity force-pushed the 2026-auth-gate-cluster-aware branch from 02572f6 to 7eb47e3 Compare September 16, 2020 02:49
@absoludity
Copy link
Contributor Author

Still debugging with the fix on TKG, hence draft.

@absoludity absoludity marked this pull request as ready for review September 16, 2020 03:24
@absoludity
Copy link
Contributor Author

...and verified this allows viewing the catalog and installing on TKG with the aforementioned setup :)

andresmgot
andresmgot approved these changes Sep 16, 2020
View reviewed changes
pkg/auth/auth.go Outdated
@@ -116,6 +118,7 @@ func NewAuth(token string) (*UserAuth, error) {
// ValidateForNamespace checks if the user can access secrets in the given
// namespace, as a check of whether they can view the namespace.
func (u *UserAuth) ValidateForNamespace(namespace string) (bool, error) {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

linters wouldn't be happy with this extra line

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like I did for the frontend lint/prettier, let's enforce CI to fail if lint is found.

@absoludity absoludity merged commit e49b5ee into master Sep 16, 2020
@absoludity absoludity deleted the 2026-auth-gate-cluster-aware branch September 16, 2020 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andresmgot andresmgot andresmgot approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Multi-cluster] Auth to asset service fails
2 participants
@absoludity @andresmgot