-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Console Google SSO support in operator #6282
Conversation
5ea26e4
to
b1064da
Compare
b1064da
to
a2a5d19
Compare
5e83353
to
41fc799
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good Job Left comments.
@@ -0,0 +1,43 @@ | |||
package v1alpha1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NIT: commit message shouldn't have dot at the end.
wrong
operator: Support Google SSO Enterprise feature.
good
operator: Support Google SSO Enterprise feature
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
commit lacks of more context like cover letter have. It could be easier for future ppl to read commit message instead of going to github to read the context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 I updated the commits
// SecretKeyRef contains enough information to inspect or modify the referred Secret data | ||
// REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference | ||
type SecretKeyRef struct { | ||
Name string `json:"name"` | ||
Namespace string `json:"namespace"` | ||
|
||
// +optional | ||
// Key in Secret data to get value from | ||
Key string `json:"key,omitempty"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this be more generic and works for config map too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can. But I'm thinking if it is better to have a static mount path for files referenced by configmaps (e.g. Google SA file will always be in /etc/console/enterprise/google/sa.json
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mount path is different thing from key path from configmap. As far as I saw Key is used to point the key inside secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose we can do that. Although it feels a little off 😅 that the key is different from the mounted path. We already have validating/defaulting webhook for this though. If possible I'd like to keep this change simple 🙏
src/go/k8s/pkg/console/configmap.go
Outdated
loginConfig, err := cm.genLogin(ctx) | ||
if err != nil { | ||
return "", err | ||
} | ||
if loginConfig != nil { | ||
consoleConfig.Login = *loginConfig | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The genLogin
could return the real type, so that you would not need to support second if statement. I would return real type not pointer from genLogin
loginConfig, err := cm.genLogin(ctx) | |
if err != nil { | |
return "", err | |
} | |
if loginConfig != nil { | |
consoleConfig.Login = *loginConfig | |
} | |
consoleConfig.Login, err := cm.genLogin(ctx) | |
if err != nil { | |
return "", err | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
Name string `json:"name"` | ||
Namespace string `json:"namespace"` | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add godoc?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Key field has comment. This is pointed to a newline, do you mean for Namespace, Name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No this comment points on lines 14-16 where Name
and Namespace
is not documented in openAPI spec when CRD is generated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Updated
c06ec16
to
61e7828
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if webhook is correctly implemented as it reverse the order how webhooks should be called
61e7828
to
5f06b0c
Compare
Support adding SSO in Console using Google as provider This feature requires license and is specified in the Console spec as a SecretKeyRef REF https://docs.redpanda.com/docs/console/single-sign-on/identity-providers/google/
5f06b0c
to
a827be5
Compare
fbed6e7
to
3860214
Compare
Creating a new certificate from cert-manager takes a long time and sometimes fail Use existing Cluster certificate that has wildcard SANs since we are using "console.<rp-subdomain>"
- Add new mutating webhook that defaults fields for Console - Refactor required keys used for validating/mutating to vars
…jectReference - Rename ClusterKeyRef to ClusterRef - Use the NamespaceNameRef for ClusterRef, Google SSO ClientCredentialsRef - REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
…ttl tests. Default namespace doesn't get cleaned up on succeeding tests But no way to reference the auto-generated kuttl namespace in Console clusterKeyRef spec
3860214
to
62be321
Compare
Cover letter
Support Enterprise Google SSO in Console controller as described here.
Fixes #2760
Backport Required
UX changes
This PR introduces Enterprise fields configurable in the Console CR. Note that Enterprise fields are ignored by Console app if License is not set:
By design, referenced resources (i.e.
ConfigMap
Secret
) are not watched because they are not owned by the controller. That means updating them requires a manual reload of the Console app (e.g. changes to RBAC file)Release notes
Features
NamespaceNameRef
type instead of using the full glory ofcorev1.ObjectReference
SecretKeyRef
type to reference Secret objectsImprovements
https://console.<rp-subdomain>
ClusterKeyRef
toClusterRef
ClusterRef