OCPBUGS-33060: enable audit log for oauth-openshift #3994
Conversation
openshift-ci-robot
added
jira/severity-important
|
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
do-not-merge/needs-area
do-not-merge/work-in-progress
openshift-ci
bot
added
the
area/control-plane-operator
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: heliubj18 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
heliubj18
force-pushed
the
enable-oauth-openshift-audit-logs
branch
from
a54adbd
to
19f0cd2
Compare
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
heliubj18
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/jira refresh |
|
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| tc.serverParams.AvailabilityProberImage, tc.serverParams.NamedCertificates(), tc.serverParams.Socks5ProxyImage, tc.serverParams.NoProxy, &tc.configParams, hyperv1.IBMCloudPlatform) | ||
| g.Expect(err).To(BeNil()) | ||
| g.Expect(expectedMinReadySeconds).To(Equal(oauthDeployment.Spec.MinReadySeconds)) | ||
| for _, container := range oauthDeployment.Spec.Template.Spec.Containers { | ||
| if container.Name == oauthContainerMain().Name { |
There was a problem hiding this comment.
Is it a lot of work to move any of this to golden files? Test cases that do this are hard to reason about, getting a specific expectation on output per test case would be great.
There was a problem hiding this comment.
Do you mean to create a testdata directory to store the expected parameters? I don't find any existing testdata in the repo. I'm not sure if it's necessary to include such parameter tests in the e2e testing. I could also remove them if it's okay to ignore them. Thanks!
There was a problem hiding this comment.
We have a number of test fixtures - see uses of CompareWithFixture. This is a unit test, so it may be easy and quick to get those integrated instead of conditional validation logic. If you'd rather not do that, could you please refactor the unit test so that each test declares the validations it needs, instead of having a loosely-coupled conditional validation that applies to all in theory but only one in practice? Once you have expected-data-per-test, I think using CompareWithFixture() will be the fastest way to assert it.
| return func(c *corev1.Container) { | ||
| c.Image = image | ||
| c.Args = []string{ | ||
| "osinserver", | ||
| fmt.Sprintf("--config=%s", path.Join(volumeMounts.Path(c.Name, oauthVolumeConfig().Name), OAuthServerConfigKey)), | ||
| "--audit-log-format=json", |
There was a problem hiding this comment.
Do we have provenance for these specific flags?
There was a problem hiding this comment.
They are used in the oauth-openshift repo here: https://github.com/openshift/cluster-authentication-operator/blob/b415439ebab2829c8da1ea17c05f2ac75fe5dbe8/bindata/oauth-apiserver/deploy.yaml#L68
And I also checked a real oauth-openshift pod in the standalone OCP
$ oc get deploy -n openshift-authentication oauth-openshift -oyaml
...
- args:
- |
if [ -s /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt ]; then
echo "Copying system trust bundle"
cp -f /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
fi
exec oauth-server osinserver \
--config=/var/config/system/configmaps/v4-0-config-system-cliconfig/v4-0-config-system-cliconfig \
--v=2 \
--audit-log-format=json \
--audit-log-maxbackup=10 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/oauth-server/audit.log \
--audit-policy-file=/var/run/configmaps/audit/audit.yaml
command:
- /bin/bash
- -ec
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9c5863100af97f244bc0af6c727785a7487eb8514ee549a41089bf6b06315e0f
...
name: oauth-openshift
The only difference is --audit-log-maxbackup=1. Because in hypershift codes, it is set to 1 for the existing audit components (kas, oapi).
There was a problem hiding this comment.
Awesome, thanks for the explanation!
heliubj18
force-pushed
the
enable-oauth-openshift-audit-logs
branch
from
19f0cd2
to
5db4b5a
Compare
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@heliubj18: This pull request references Jira Issue OCPBUGS-33060, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@heliubj18: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@stevekuznetsov I checked the Konflux failed tasks, and I don't think they are related to my changes. The failures seem to be related to image builds (pp64le) |
|
Yep, those are fairly common and not actionable other than to /retest |
|
/lgtm |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
@stevekuznetsov could you approve it? thanks! |
|
@heliubj18 You may want to rebase to pull in #3972 |
| {Name: "admin-kubeconfig", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "service-network-admin-kubeconfig", DefaultMode: utilpointer.Int32(0640)}}}, | ||
| {Name: "konnectivity-proxy-cert", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: manifests.KonnectivityClientSecret("").Name, DefaultMode: utilpointer.Int32(0640)}}}, | ||
| {Name: "konnectivity-proxy-ca", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: manifests.KonnectivityCAConfigMap("").Name}, DefaultMode: utilpointer.Int32(0640)}}}, | ||
| }, | ||
| } | ||
|
|
||
| if auditConfig.Data[auditPolicyProfileMapKey] != string(configv1.NoneAuditProfileType) { | ||
| deployment.Spec.Template.Spec.Containers = append(deployment.Spec.Template.Spec.Containers, corev1.Container{ |
There was a problem hiding this comment.
Please update this PR based on #3972
What this PR does / why we need it:
It enables audit logs for
oauth-openshift.Currently, hypershift only supports audit logs for
kube-apiserver,openshift-apiserver, andopenshift-oauth-apiserver. However,oauth-openshiftalso supports audit logs in standalone OCP.Which issue(s) this PR fixes (optional, use
fixes #<issue_number>(, fixes #<issue_number>, ...)format, where issue_number might be a GitHub issue, or a Jira story:Fixes # OCPBUGS-33060
Checklist