Fixed applying OIDC without overrides

The oidc-auth-apps fails to apply without a timeout error if no user overrides are set. Ideally, a lifecycle check should be put in place to return an error message on the application-list status recommending that user overrides should be set. When user tries to apply oidc with 'system application-apply oidc-auth-apps' command, the lifecycle handler triggers the action 'pre-apply'(before applying the app) to search for missing overrides required to properly apply the oidc app. Once a missing override is detected, an exception will be raised setting the app status to 'apply-failed' also informing that all overrides are required as the following example: "Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application" This implementation blocks the application apply workflow to start for the oidc-auth-apps until the required overrides have been properly configured according the "Set Up OIDC Auth Applications" Documentation: https://docs.starlingx.io/security/kubernetes/configure-oidc-auth- applications.html Test Plan: PASS: Deploy a SX with master ISO. PASS: Build oidc-auth-apps tarball with this change. PASS: Update test, update the current oidc-auth-apps to the new tarball just built and check is the procedure was successfully done. PASS: Once tarball is updated, try to apply the oidc-auth-apps without any overrides, we should get status 'apply-failed' with the progress message: "Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application" PASS: Once oidc-client overrides are setted according OIDC documentation try to apply the oidc-auth-apps without dex overrides, we should similar status 'apply-failed' with the same progress message. PASS: Once oidc-client and dex overrides are setted try to apply the oidc-auth-apps without secret-observer overrides, we still should get similar status 'apply-failed' with the same progress message. PASS: Once all oidc-client, dex and secret-observer overrides are properly configured according the setup guide, try to apply the oidc-auth-apps, we should get oidc-auth-apps successfully applied as expected. PASS: Once oidc-auth-apps in applied status, perform oidc-auth-apps test by creating a user, apply rolebiding and authenticate it using oidc-auth command, check if the new user can send k8s commands based on its roles. Closes-Bug: 2071469 Change-Id: I771552d5231088de5d3549e0ff95075e590310c2 Signed-off-by: Joaci Morais <joaci.demorais@windriver.com>
2024-09-18 14:56:14 -03:00 · 2024-09-18 14:56:14 -03:00 · 2194db0ac8
commit 2194db0ac8
parent 7b954edc5e
3 changed files with 63 additions and 0 deletions
--- a/python3-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/lifecycle/init.py
+++ b/python3-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/lifecycle/init.py
--- a/python3-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/lifecycle/lifecycle_oidc.py
+++ b/python3-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/lifecycle/lifecycle_oidc.py
@ -0,0 +1,60 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# All Rights Reserved.
+#
+
+""" System inventory App lifecycle operator."""
+
+from k8sapp_oidc.common import constants as app_constants
+from oslo_log import log as logging
+from sysinv.common import constants
+from sysinv.helm import lifecycle_base as base
+from sysinv.helm import common
+from sysinv.db import api as dbapi
+
+LOG = logging.getLogger(__name__)
+OVERRIDES_REQUIRED_MSG = "Overrides for all helm charts are required to apply \
+OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the \
+application"
+
+
+class OidcAppLifecycleOperator(base.AppLifecycleOperator):
+    def app_lifecycle_actions(self, context, conductor_obj, app_op, app,
+                              hook_info):
+
+        """Perform lifecycle actions for an operation"""
+
+        if hook_info.lifecycle_type == constants.APP_LIFECYCLE_TYPE_RESOURCE:
+            if hook_info.operation == constants.APP_APPLY_OP and \
+               hook_info.relative_timing == constants.APP_LIFECYCLE_TIMING_PRE:
+                return self.pre_apply(app_op, app, hook_info)
+
+        super(OidcAppLifecycleOperator, self).app_lifecycle_actions(
+            context, conductor_obj, app_op, app, hook_info)
+
+    def pre_apply(self, app_op, app, hook_info):
+        """
+        Pre Apply action
+
+        Search for required overrides before apply the application. If at least
+        one of the mandatory overrides doesn't exists, raise an 'apply-failed'
+        status in the application-list informing the user about the required
+        overrides.
+        """
+        dbapi_instance = dbapi.get_instance()
+        db_app = dbapi_instance.kube_app_get(constants.HELM_APP_OIDC_AUTH)
+
+        for helm_chart in [app_constants.HELM_CHART_OIDC_CLIENT,
+                           app_constants.HELM_CHART_DEX,
+                           app_constants.HELM_CHART_SECRET_OBSERVER]:
+
+            helm_override = dbapi_instance.helm_override_get(
+                app_id=db_app.id,
+                name=helm_chart,
+                namespace=common.HELM_NS_KUBE_SYSTEM)
+
+            if helm_override.user_overrides is None:
+                raise Exception(OVERRIDES_REQUIRED_MSG)
--- a/python3-k8sapp-oidc/k8sapp_oidc/setup.cfg
+++ b/python3-k8sapp-oidc/k8sapp_oidc/setup.cfg
@ -35,5 +35,8 @@ systemconfig.helm_plugins.oidc_auth_apps =
    002_oidc-client = k8sapp_oidc.helm.oidc_client:OidcClientHelm
    003_secret-observer = k8sapp_oidc.helm.secret_observer:SecretObserverHelm

+systemconfig.app_lifecycle =
+    oidc-auth-apps = k8sapp_oidc.lifecycle.lifecycle_oidc:OidcAppLifecycleOperator
+
 [bdist_wheel]
 universal = 1