-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-33060: enable audit log for oauth-openshift #3994
base: main
Are you sure you want to change the base?
OCPBUGS-33060: enable audit log for oauth-openshift #3994
Conversation
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: heliubj18 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
a54adbd
to
19f0cd2
Compare
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
/jira refresh |
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
tc.serverParams.AvailabilityProberImage, tc.serverParams.NamedCertificates(), tc.serverParams.Socks5ProxyImage, tc.serverParams.NoProxy, &tc.configParams, hyperv1.IBMCloudPlatform) | ||
g.Expect(err).To(BeNil()) | ||
g.Expect(expectedMinReadySeconds).To(Equal(oauthDeployment.Spec.MinReadySeconds)) | ||
for _, container := range oauthDeployment.Spec.Template.Spec.Containers { | ||
if container.Name == oauthContainerMain().Name { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it a lot of work to move any of this to golden files? Test cases that do this are hard to reason about, getting a specific expectation on output per test case would be great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean to create a testdata directory to store the expected parameters? I don't find any existing testdata in the repo. I'm not sure if it's necessary to include such parameter tests in the e2e testing. I could also remove them if it's okay to ignore them. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a number of test fixtures - see uses of CompareWithFixture
. This is a unit test, so it may be easy and quick to get those integrated instead of conditional validation logic. If you'd rather not do that, could you please refactor the unit test so that each test declares the validations it needs, instead of having a loosely-coupled conditional validation that applies to all in theory but only one in practice? Once you have expected-data-per-test, I think using CompareWithFixture()
will be the fastest way to assert it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, thanks!
return func(c *corev1.Container) { | ||
c.Image = image | ||
c.Args = []string{ | ||
"osinserver", | ||
fmt.Sprintf("--config=%s", path.Join(volumeMounts.Path(c.Name, oauthVolumeConfig().Name), OAuthServerConfigKey)), | ||
"--audit-log-format=json", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have provenance for these specific flags?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are used in the oauth-openshift repo here: https://github.com/openshift/cluster-authentication-operator/blob/b415439ebab2829c8da1ea17c05f2ac75fe5dbe8/bindata/oauth-apiserver/deploy.yaml#L68
And I also checked a real oauth-openshift pod in the standalone OCP
$ oc get deploy -n openshift-authentication oauth-openshift -oyaml
...
- args:
- |
if [ -s /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt ]; then
echo "Copying system trust bundle"
cp -f /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
fi
exec oauth-server osinserver \
--config=/var/config/system/configmaps/v4-0-config-system-cliconfig/v4-0-config-system-cliconfig \
--v=2 \
--audit-log-format=json \
--audit-log-maxbackup=10 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/oauth-server/audit.log \
--audit-policy-file=/var/run/configmaps/audit/audit.yaml
command:
- /bin/bash
- -ec
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9c5863100af97f244bc0af6c727785a7487eb8514ee549a41089bf6b06315e0f
...
name: oauth-openshift
The only difference is --audit-log-maxbackup=1
. Because in hypershift codes, it is set to 1 for the existing audit components (kas, oapi).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thanks for the explanation!
19f0cd2
to
5db4b5a
Compare
/jira refresh |
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
@heliubj18: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
@stevekuznetsov I checked the Konflux failed tasks, and I don't think they are related to my changes. The failures seem to be related to image builds (pp64le) |
Yep, those are fairly common and not actionable other than to /retest |
/lgtm |
/label qe-approved |
@stevekuznetsov could you approve it? thanks! |
@heliubj18 You may want to rebase to pull in #3972 hypershift/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go Lines 970 to 986 in 82df7b3
hypershift/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go Lines 239 to 247 in 82df7b3
|
{Name: "admin-kubeconfig", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "service-network-admin-kubeconfig", DefaultMode: utilpointer.Int32(0640)}}}, | ||
{Name: "konnectivity-proxy-cert", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: manifests.KonnectivityClientSecret("").Name, DefaultMode: utilpointer.Int32(0640)}}}, | ||
{Name: "konnectivity-proxy-ca", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: manifests.KonnectivityCAConfigMap("").Name}, DefaultMode: utilpointer.Int32(0640)}}}, | ||
}, | ||
} | ||
|
||
if auditConfig.Data[auditPolicyProfileMapKey] != string(configv1.NoneAuditProfileType) { | ||
deployment.Spec.Template.Spec.Containers = append(deployment.Spec.Template.Spec.Containers, corev1.Container{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please update this PR based on #3972
What this PR does / why we need it:
It enables audit logs for
oauth-openshift
.Currently, hypershift only supports audit logs for
kube-apiserver
,openshift-apiserver
, andopenshift-oauth-apiserver
. However,oauth-openshift
also supports audit logs in standalone OCP.Which issue(s) this PR fixes (optional, use
fixes #<issue_number>(, fixes #<issue_number>, ...)
format, where issue_number might be a GitHub issue, or a Jira story:Fixes # OCPBUGS-33060
Checklist