-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ROX-23709: Load token from file in fleetshard-sync #1802
Conversation
Skipping CI for Draft Pull Request. |
0064307
to
fd7a041
Compare
6629044
to
b4fd1c0
Compare
This stack of pull requests is managed by Graphite. Learn more about stacking. |
projected: | ||
sources: | ||
- serviceAccountToken: | ||
path: fleet-manager-token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's also set a custom audience here (see also this comment) to have a) additional verification on FM side and b) avoid the token to be used to access the kube API.
# Can be either OCM, RHSSO, STATIC_TOKEN. When choosing RHSSO, make sure the clientId/secret is set. By default, uses RHSSO. | ||
authType: "RHSSO" | ||
# Can be either OCM, RHSSO, STATIC_TOKEN, TOKEN_FILE. When choosing RHSSO, make sure the clientId/secret is set. By default, uses TOKEN_FILE. | ||
authType: "TOKEN_FILE" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: might be better to use service account token? It's a bit hard to really understand what is backing the "token file" auth type.
@@ -148,3 +154,8 @@ spec: | |||
- serviceAccountToken: | |||
path: aws-token | |||
audience: sts.amazonaws.com | |||
- name: fleet-manager-token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should only be done optional if the auth type is used (same applies for the mount + env variable).
pkg/client/fleetmanager/impl/auth.go
Outdated
@@ -94,6 +100,11 @@ func NewStaticAuth(ctx context.Context, opt StaticOption) (Auth, error) { | |||
return newAuth(ctx, staticTokenFactory.GetName(), Option{Static: opt}) | |||
} | |||
|
|||
// NewFileAuth will return Auth that uses a token file to provide authentication for HTTP requests. | |||
func NewFileAuth(ctx context.Context, opt TokenFileOption) (Auth, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: if we keep the name token file auth, this should be named appropriately then (i.e. NewTokenFileAuth
).
|
||
const ( | ||
// TokenFileAuthName is the name of the token file auth authentication method | ||
TokenFileAuthName = "TOKEN_FILE" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't need to be exposed I think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The constants of other types are public too.
It can be used in impl.NewAuth
) | ||
|
||
const ( | ||
// TokenFileAuthName is the name of the token file auth authentication method |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// TokenFileAuthName is the name of the token file auth authentication method | |
// TokenFileAuthName is the name of the token file auth authentication method. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
return TokenFileAuthName | ||
} | ||
|
||
// CreateAuth creates a new instance of Auth or returns error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// CreateAuth creates a new instance of Auth or returns error | |
// CreateAuth creates a new instance of Auth or returns error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
func (f *tokenFileAuthFactory) CreateAuth(_ context.Context, o Option) (Auth, error) { | ||
tokenFile := o.TokenFile.File | ||
if _, err := os.Stat(tokenFile); err != nil { | ||
return nil, fmt.Errorf("failed to read token file %s: %w", tokenFile, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, fmt.Errorf("failed to read token file %s: %w", tokenFile, err) | |
return nil, fmt.Errorf("failed to read token file %q: %w", tokenFile, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
|
||
// AddAuth add auth token to the request retrieved from OCM. | ||
func (o *tokenFileAuth) AddAuth(req *http.Request) error { | ||
token, err := shared.ReadFile(o.file) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bit unfortunate that we greedily always read from file here, especially since we do send quite a few requests from fleet-sync to fleet-manager.
On the options to improve this, we can either a) use an expiring cache where the duration is a bit less than the 1 hour b) use the file watcher concept we have in stackrox to read updates on changes.
Either way, I don't think we should be reading on every request here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Expiring cache added
@@ -0,0 +1 @@ | |||
some-value |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super nit: might make sense to just take the sample JWT from jwt.io
and paste it here to have a more "closer to reality" example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
d6f9367
to
2752423
Compare
b4fd1c0
to
e23cfa2
Compare
e23cfa2
to
32edb7f
Compare
a7a9c4c
to
44ede5a
Compare
46ccc7b
to
bbf4f42
Compare
32edb7f
to
c350c3b
Compare
c350c3b
to
bb72437
Compare
bbf4f42
to
a40721e
Compare
14eb2cd
to
c5a1af0
Compare
578da9a
to
c4e7dc6
Compare
6417b2b
to
f48b741
Compare
c4e7dc6
to
4576c4b
Compare
4576c4b
to
f54e96c
Compare
f54e96c
to
a0dc8e3
Compare
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dhaus67, kovayur The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
New changes are detected. LGTM label has been removed. |
96026d6
to
21275d8
Compare
Had to rollback the default value in the helm chart due to the issues on the local / CI environment. Will follow-up in the next PR |
Description
This change adds a new
AuthType
calledTOKEN_FILE
in order to load a service account token for authentication in Fleet Manager. This type becomes the default value in the dp-terraform helm chart instead ofRHSSO
.Checklist (Definition of Done)
Test manual
ROX-12345: ...
Test manual
TODO: Add manual testing efforts