Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: implements aws oidc backendSecurityPolicy API #306

Draft
wants to merge 23 commits into
base: main
Choose a base branch
from
+1,482 −14
Draft

feat: implements aws oidc backendSecurityPolicy API #306

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
21a9757
oauth providers to access oidc and related functions
aabchoo Feb 6, 2025
975c038
add aws oidc sts fetch
aabchoo Feb 6, 2025
0f40360
linting
aabchoo Feb 6, 2025
740b59b
enable proxy for aws and mounted cm
aabchoo Feb 6, 2025
bc86391
update go packages
aabchoo Feb 6, 2025
b4bd924
Merge remote-tracking branch 'origin/main' into aaron/oidc-revisited
aabchoo Feb 6, 2025
cbf234a
precommit test
aabchoo Feb 6, 2025
3739f50
remove comment
aabchoo Feb 6, 2025
b3000aa
set up index for aws oidc
aabchoo Feb 6, 2025
7d44ec0
trigger refresh on controller start up
aabchoo Feb 7, 2025
71f537a
backend security policy tests
aabchoo Feb 7, 2025
45634e1
patch reconcile annotation
aabchoo Feb 7, 2025
f6cee6a
testing
aabchoo Feb 7, 2025
1d346ac
Refactor oauth2 code
yuzisun Feb 9, 2025
af1353b
Add AWS rotator test
yuzisun Feb 9, 2025
924f43c
Mock token source
yuzisun Feb 9, 2025
08b0ad9
remove patch and fix duplicate code
aabchoo Feb 10, 2025
661394f
add test and remove unused functions
aabchoo Feb 10, 2025
246f41a
updates
aabchoo Feb 10, 2025
476ba40
fix accidental refactor
aabchoo Feb 10, 2025
ed75b84
testing
aabchoo Feb 10, 2025
980fc1e
remove reconcile all
aabchoo Feb 10, 2025
b2e0302
check result of reconcile
aabchoo Feb 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 30 additions & 9 deletions internal/controller/backend_security_policy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,23 +19,44 @@ import (
//
// This handles the BackendSecurityPolicy resource and sends it to the config sink so that it can modify configuration.
type backendSecurityPolicyController struct {
client client.Client
kube kubernetes.Interface
logger logr.Logger
eventChan chan ConfigSinkEvent
client client.Client
kube kubernetes.Interface
logger logr.Logger
eventChan chan ConfigSinkEvent
reconcileAll bool
}

func newBackendSecurityPolicyController(client client.Client, kube kubernetes.Interface, logger logr.Logger, ch chan ConfigSinkEvent) *backendSecurityPolicyController {
return &backendSecurityPolicyController{
client: client,
kube: kube,
logger: logger,
eventChan: ch,
client: client,
kube: kube,
logger: logger,
eventChan: ch,
reconcileAll: true,
}
}

// Reconcile implements the [reconcile.TypedReconciler] for [aigv1a1.BackendSecurityPolicy].
func (b backendSecurityPolicyController) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
func (b *backendSecurityPolicyController) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
if b.reconcileAll {
var backendSecPolicyList aigv1a1.BackendSecurityPolicyList
err = b.client.List(ctx, &backendSecPolicyList)
if err != nil {
b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resources")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resources")
b.logger.Error(err, "failed to list existing backendSecPolicy resources")

} else {
refreshTime := time.Now().String()
for _, backendSecurityPolicy := range backendSecPolicyList.Items {
aabchoo marked this conversation as resolved.
Show resolved Hide resolved
if isBackendSecurityPolicyAuthOIDC(backendSecurityPolicy.Spec) {
backendSecurityPolicy.Annotations["refresh"] = refreshTime
}
err = b.client.Update(ctx, &backendSecurityPolicy)
if err != nil {
b.logger.Error(err, "failed to trigger refresh for existing backendSecPolicy resource", "name", backendSecurityPolicy.Name)
}
}
aabchoo marked this conversation as resolved.
Show resolved Hide resolved
b.reconcileAll = false
}
}
var backendSecurityPolicy aigv1a1.BackendSecurityPolicy
if err = b.client.Get(ctx, req.NamespacedName, &backendSecurityPolicy); err != nil {
if errors.IsNotFound(err) {
Expand Down
3 changes: 2 additions & 1 deletion internal/controller/controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,8 +181,9 @@ func backendSecurityPolicyIndexFunc(o client.Object) []string {
awsCreds := backendSecurityPolicy.Spec.AWSCredentials
if awsCreds.CredentialsFile != nil {
key = getSecretNameAndNamespace(awsCreds.CredentialsFile.SecretRef, backendSecurityPolicy.Namespace)
} else if awsCreds.OIDCExchangeToken != nil {
key = fmt.Sprintf("%s.%s", backendSecurityPolicy.Name, backendSecurityPolicy.Namespace)
}
// TODO: OIDC.
}
return []string{key}
}
Expand Down
Loading