feat: implements aws oidc backendSecurityPolicy API #306
Conversation
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
|
I think you are missing two things (not serious):
otherwise, looking good |
|
One scenario I realize that needs to be address is:
We may need to cache the oidc credentials and aws specific fields to compare. Else users will have to wait til expiration time (ie 1 hour for AWS or however long for OIDC) |
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
| for _, backendSecurityPolicy := range backendSecPolicyList.Items { | ||
| if isBackendSecurityPolicyAuthOIDC(backendSecurityPolicy.Spec) { | ||
| backendSecurityPolicy.Annotations["refresh"] = refreshTime | ||
| } | ||
| err = b.client.Update(ctx, &backendSecurityPolicy) | ||
| if err != nil { | ||
| b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resource", "name", backendSecurityPolicy.Name) | ||
| } | ||
| } |
There was a problem hiding this comment.
you can use Patch instead of Update for less heavy operation https://github.com/envoyproxy/ai-gateway/blob/d31f4ef633dad79c56f0728a8fa50a54fd7bad0d/internal/controller/sink.go#L454C80-L454C85
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
Signed-off-by: Aaron Choo <[email protected]>
| var backendSecPolicyList aigv1a1.BackendSecurityPolicyList | ||
| err = b.client.List(ctx, &backendSecPolicyList) | ||
| if err != nil { | ||
| b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resources") |
There was a problem hiding this comment.
| b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resources") | |
| b.logger.Error(err, "failed to list existing backendSecPolicy resources") |
| if err != nil { | ||
| b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resources") | ||
| } else { | ||
| for _, backendSecurityPolicy := range backendSecPolicyList.Items { |
There was a problem hiding this comment.
This looks a bit odd to trigger the reconciliation for all security policies on a single resource reconciliation function. Controller runtime might have a way to resync all the resources periodically.
There was a problem hiding this comment.
Controller runtime might have a way to resync all the resources periodically.
ha! if there's a way, then that should be much better
There was a problem hiding this comment.
@aabchoo sorry it seems like i was misunderstanding the default behavior
operator-framework/operator-sdk#6035 (comment)
you can delete this all patching stuff!
There was a problem hiding this comment.
wait, this is operator-sdk... not sure about controller-runtime (operator-sdk using it under the hood?)
There was a problem hiding this comment.
yeah i think this applies to controller-runtime as well, let's delete this startup patching stuff
| func isBackendSecurityPolicyAuthOIDC(spec aigv1a1.BackendSecurityPolicySpec) bool { | ||
| if spec.AWSCredentials != nil { | ||
| return spec.AWSCredentials.OIDCExchangeToken != nil | ||
| } | ||
| return false | ||
| } | ||
|
|
||
| func getBackendSecurityPolicyAuthOIDC(spec aigv1a1.BackendSecurityPolicySpec) *egv1a1.OIDC { | ||
| if isBackendSecurityPolicyAuthOIDC(spec) { | ||
| if spec.AWSCredentials.OIDCExchangeToken != nil { | ||
| return &spec.AWSCredentials.OIDCExchangeToken.OIDC | ||
| } | ||
| } | ||
| return nil | ||
| } |
There was a problem hiding this comment.
think carefully.... you won't need these two functions ...
| ) | ||
|
|
||
| // ClientCredentialsProvider implements the standard OAuth2 client credentials flow | ||
| type ClientCredentialsProvider struct { |
There was a problem hiding this comment.
Client credential is a grant type for oauth not provider
| return nil, fmt.Errorf("failed to create request: %w", err) | ||
| } | ||
|
|
||
| req.Header.Set("Content-Type", "application/x-www-form-urlencoded") |
There was a problem hiding this comment.
Should we use the oauth client library instead of the raw curl request?
| } | ||
|
|
||
| // OIDCMetadata represents the OpenID Connect provider metadata | ||
| type OIDCMetadata struct { |
There was a problem hiding this comment.
We can use this type from go-oidc
https://github.com/coreos/go-oidc/blob/v3/oidc/oidc.go#L181
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
| ) | ||
|
|
||
| // BaseProvider implements common OAuth functionality |
There was a problem hiding this comment.
It is not clear to me for the relationship between BaseProvider and OidcProvider. If it is common OAuth functions it is better to be defined as util functions.
internal/controller/oauth/types.go
Outdated
| } | ||
|
|
||
| // Provider defines the interface for OAuth token providers | ||
| type Provider interface { |
There was a problem hiding this comment.
@missBerg I think the Provider interface is confusing, from the code we are not actually implementing different oauth2/oidc providers like GitHub, google etc if that was what this is meant. It is implementing the OIDC protocol itself.
Signed-off-by: Dan Sun <[email protected]>
Signed-off-by: Dan Sun <[email protected]>
Signed-off-by: Dan Sun <[email protected]>
Commit Message
The PR implements the backendSecurityPolicy API for AWS's OIDC credentials.
Related Issues/PRs (if applicable)
Special notes for reviewers (if applicable)
I've tested the implementation with our SSO (oauth2), and was able to query bedrock.
Checklist (you don't need to keep in your PR description):
make precommit testpasses locally.