oidc-auth-armada-app

History

Joaci Morais 2194db0ac8 Fixed applying OIDC without overrides The oidc-auth-apps fails to apply without a timeout error if no user overrides are set. Ideally, a lifecycle check should be put in place to return an error message on the application-list status recommending that user overrides should be set. When user tries to apply oidc with 'system application-apply oidc-auth-apps' command, the lifecycle handler triggers the action 'pre-apply'(before applying the app) to search for missing overrides required to properly apply the oidc app. Once a missing override is detected, an exception will be raised setting the app status to 'apply-failed' also informing that all overrides are required as the following example: "Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application" This implementation blocks the application apply workflow to start for the oidc-auth-apps until the required overrides have been properly configured according the "Set Up OIDC Auth Applications" Documentation: https://docs.starlingx.io/security/kubernetes/configure-oidc-auth- applications.html Test Plan: PASS: Deploy a SX with master ISO. PASS: Build oidc-auth-apps tarball with this change. PASS: Update test, update the current oidc-auth-apps to the new tarball just built and check is the procedure was successfully done. PASS: Once tarball is updated, try to apply the oidc-auth-apps without any overrides, we should get status 'apply-failed' with the progress message: "Overrides for all helm charts are required to apply OIDC. Refer to 'Set up OIDC Auth Applications' guide to configure the application" PASS: Once oidc-client overrides are setted according OIDC documentation try to apply the oidc-auth-apps without dex overrides, we should similar status 'apply-failed' with the same progress message. PASS: Once oidc-client and dex overrides are setted try to apply the oidc-auth-apps without secret-observer overrides, we still should get similar status 'apply-failed' with the same progress message. PASS: Once all oidc-client, dex and secret-observer overrides are properly configured according the setup guide, try to apply the oidc-auth-apps, we should get oidc-auth-apps successfully applied as expected. PASS: Once oidc-auth-apps in applied status, perform oidc-auth-apps test by creating a user, apply rolebiding and authenticate it using oidc-auth command, check if the new user can send k8s commands based on its roles. Closes-Bug: 2071469 Change-Id: I771552d5231088de5d3549e0ff95075e590310c2 Signed-off-by: Joaci Morais <joaci.demorais@windriver.com>	2024-12-13 09:54:05 -03:00
..
debian	Application versioning based on build release	2023-12-28 18:39:47 -03:00
k8sapp_oidc	Fixed applying OIDC without overrides	2024-12-13 09:54:05 -03:00

Joaci Morais 2194db0ac8 Fixed applying OIDC without overrides

The oidc-auth-apps fails to apply without a timeout error if no user
overrides are set. Ideally, a lifecycle check should be put in place
to return an error message on the application-list status
recommending that user overrides should be set.

When user tries to apply oidc with 'system application-apply
oidc-auth-apps' command, the lifecycle handler triggers the action
'pre-apply'(before applying the app) to search for missing overrides
required to properly apply the oidc app. Once a missing override
is detected, an exception will be raised setting the app status to
'apply-failed' also informing that all overrides are required as the
following example:

"Overrides for all helm charts are required to apply OIDC. Refer to
'Set up OIDC Auth Applications' guide to configure the application"

This implementation blocks the application apply workflow to start
for the oidc-auth-apps until the required overrides have been
properly configured according the "Set Up OIDC Auth Applications"
Documentation:
https://docs.starlingx.io/security/kubernetes/configure-oidc-auth-
applications.html

Test Plan:
PASS: Deploy a SX with master ISO.
PASS: Build oidc-auth-apps tarball with this change.
PASS: Update test, update the current oidc-auth-apps to the new
      tarball just built and check is the procedure was successfully
      done.
PASS: Once tarball is updated, try to apply the oidc-auth-apps
      without any overrides, we should get status 'apply-failed' with
      the progress message: "Overrides for all helm charts are
      required to apply OIDC. Refer to 'Set up OIDC Auth Applications'
      guide to configure the application"
PASS: Once oidc-client overrides are setted according OIDC
      documentation try to apply the oidc-auth-apps without dex
      overrides, we should similar status 'apply-failed' with the
      same progress message.
PASS: Once oidc-client and dex overrides are setted try to apply the
      oidc-auth-apps without secret-observer overrides, we still
      should get similar status 'apply-failed' with the same progress
      message.
PASS: Once all oidc-client, dex and secret-observer overrides are
      properly configured according the setup guide, try to apply the
      oidc-auth-apps, we should get oidc-auth-apps successfully
      applied as expected.
PASS: Once oidc-auth-apps in applied status, perform oidc-auth-apps
      test by creating a user, apply rolebiding and authenticate it
      using oidc-auth command, check if the new user can send k8s
      commands based on its roles.

Closes-Bug: 2071469

Change-Id: I771552d5231088de5d3549e0ff95075e590310c2
Signed-off-by: Joaci Morais <joaci.demorais@windriver.com>

2024-12-13 09:54:05 -03:00

debian

Application versioning based on build release

2023-12-28 18:39:47 -03:00

k8sapp_oidc

Fixed applying OIDC without overrides

2024-12-13 09:54:05 -03:00