StarlingX OIDC Authentication App
2194db0ac8
The oidc-auth-apps fails to apply without a timeout error if no user overrides are set. Ideally, a lifecycle check should be put in place to return an error message on the application-list status recommending that user overrides should be set.

When a user tries to apply oidc with the 'system application-apply oidc-auth-apps' command, the lifecycle handler triggers the action 'pre-apply' (before applying the app) to search for missing overrides required to properly apply the oidc app. Once a missing override is detected, an exception will be raised setting the app status to 'apply-failed', also informing that all overrides are required, as in the following example:

"Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application"

This implementation blocks the application apply workflow from starting for the oidc-auth-apps until the required overrides have been properly configured according to the "Set Up OIDC Auth Applications" documentation: https://docs.starlingx.io/security/kubernetes/configure-oidc-auth-applications.html

Test Plan:

PASS: Deploy a SX with master ISO.

PASS: Build oidc-auth-apps tarball with this change.

PASS: Update test, update the current oidc-auth-apps to the new tarball just built and check if the procedure was successfully done.

PASS: Once tarball is updated, try to apply the oidc-auth-apps without any overrides, we should get status 'apply-failed' with the progress message: "Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application"

PASS: Once oidc-client overrides are set according to the OIDC documentation, try to apply the oidc-auth-apps without dex overrides, we should get a similar status 'apply-failed' with the same progress message.

PASS: Once oidc-client and dex overrides are set, try to apply the oidc-auth-apps without secret-observer overrides, we still should get a similar status 'apply-failed' with the same progress message.

PASS: Once all oidc-client, dex and secret-observer overrides are properly configured according to the setup guide, try to apply the oidc-auth-apps, we should get oidc-auth-apps successfully applied as expected.

PASS: Once oidc-auth-apps is in applied status, perform the oidc-auth-apps test by creating a user, apply a rolebinding and authenticate it using the oidc-auth command, check if the new user can send k8s commands based on its roles.

Closes-Bug: 2071469

Change-Id: I771552d5231088de5d3549e0ff95075e590310c2

Signed-off-by: Joaci Morais <joaci.demorais@windriver.com>

- helm-charts
- oidc-auth-tools
- python3-k8sapp-oidc
- stx-oidc-auth-helm
- stx-oidc-client/debian
- .gitignore
- .gitreview
- .zuul.yaml
- bindep.txt
- debian_build_layer.cfg
- debian_iso_image.inc
- debian_pkg_dirs
- debian_stable_docker_images.inc
- requirements.txt
- test-requirements.txt
- tox.ini
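
The pre-apply gate the commit message describes, as an added Python sketch that is not the oidc-auth-apps code: it walks the same charts as the test plan (oidc-client, dex, secret-observer) and fails closed with the quoted message. All function and class names are hypothetical, and treating blank, comment-only or `{}` override text as missing is an assumption that goes beyond what the commit message states.

```python
# Added sketch, not StarlingX code. Chart names and the message text come
# from the commit message; every function and class name is hypothetical.
REQUIRED_CHARTS = ("oidc-client", "dex", "secret-observer")
ERROR_MSG = ("Overrides for all helm charts are required to apply OIDC. "
             "Refer to 'Set up OIDC Auth Applications' guide to configure "
             "the application")


class MissingOverrides(Exception):
    """Raised by the gate; stands in for the handler's own exception."""


def is_empty_override(raw):
    """Assumption: blank, comment-only, '{}' or null documents count as unset."""
    if raw is None:
        return True
    body = [ln.strip() for ln in raw.splitlines()]
    body = [ln for ln in body
            if ln and not ln.startswith("#") and ln not in ("---", "...")]
    return body in ([], ["{}"], ["null"], ["~"])


def missing_overrides(user_overrides):
    """Return the required charts that have no usable user override."""
    return [c for c in REQUIRED_CHARTS
            if is_empty_override(user_overrides.get(c))]


def pre_apply(user_overrides):
    """Fail closed: raise before any chart is applied if one is missing."""
    if missing_overrides(user_overrides):
        raise MissingOverrides(ERROR_MSG)


def apply_status(user_overrides):
    """Return ('apply-failed', message) when blocked, else None."""
    try:
        pre_apply(user_overrides)
    except MissingOverrides as exc:
        return ("apply-failed", str(exc))
    return None


if __name__ == "__main__":
    # Constructed override text; the keys are placeholders, not real values.
    sample = {"oidc-client": "placeholder_key: value\n",
              "dex": "# nothing configured yet\n{}\n"}
    print(missing_overrides(sample))
    print(apply_status(sample))
```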