[Audit log forwarding] - update audit-tls secret to IM deployments for audit forwarding support #1061
Conversation
Signed-off-by: rashmi_kh <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rashmi43 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
rashmi43
changed the title
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
| // cluster, or an empty string when the Secret isn't found or cannot otherwise | ||
| // be retrieved. If an error other than NotFound is received when trying to get | ||
| // the Secret, that is returned as well. | ||
| func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string) (string, error) { |
There was a problem hiding this comment.
You should just check the Authentication CR for whether the audit values are set - that's ultimately the source of truth for the workload and makes this unnecessary.
There was a problem hiding this comment.
ok I will change this to check the Authentication CR
| @@ -228,6 +228,10 @@ spec: | |||
| type: string | |||
| providerIssuerURL: | |||
| type: string | |||
| auditURL: | |||
There was a problem hiding this comment.
These changes should also be happening in the config directory, and changes here should be generated with make bundle
| @@ -139,6 +139,8 @@ type ConfigSpec struct { | |||
| ICPPort int32 `json:"icpPort"` | |||
| FIPSEnabled bool `json:"fipsEnabled"` | |||
| ROKSEnabled bool `json:"roksEnabled"` | |||
| AuditUrl string `json:"auditUrl,omitempty"` | |||
There was a problem hiding this comment.
If these aren't required, they should be *string, and nil checks should happen on accesses.
| @@ -414,7 +414,7 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe | |||
|
|
|||
| } | |||
|
|
|||
| func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string) corev1.Container { | |||
| func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string, auditSecretName string) corev1.Container { | |||
There was a problem hiding this comment.
You shouldn't need this extra parameter because the secret name should be set on the Authentication CR, right?
There was a problem hiding this comment.
I need this to mount the secret if Len > 0
| @@ -1129,16 +1087,16 @@ func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage | |||
| return []corev1.Container{authServiceContainer} | |||
| } | |||
|
|
|||
| func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string) []corev1.Container { | |||
| func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName string) []corev1.Container { | |||
There was a problem hiding this comment.
Same here - Authentication CR should have this name set on it, correct? So no new param is needed.
| }, | ||
| }, | ||
| } | ||
| volumes = EnsureVolumePresent(volumes, auditVolume) |
There was a problem hiding this comment.
I don't think this extra function is needed; it should be possible with just an append. This function is used to build what the Operator thinks the Deployment should contain, so there's no threat of infinitely appending redundant volumes here.
There was a problem hiding this comment.
It still appears to be here?
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
Co-authored-by: Robert W. Hundley <[email protected]>
| @@ -731,7 +731,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i | |||
|
|
|||
| } | |||
|
|
|||
| func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string, auditSecretName string) corev1.Container { | |||
| func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string, auditSecretName *string) corev1.Container { | |||
There was a problem hiding this comment.
| @@ -1087,14 +1087,14 @@ func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage | |||
| return []corev1.Container{authServiceContainer} | |||
| } | |||
|
|
|||
| func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName string) []corev1.Container { | |||
| func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName *string) []corev1.Container { | |||
There was a problem hiding this comment.
|
|
||
| identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL, auditSecretName) | ||
|
|
||
| return []corev1.Container{identityManagerContainer} | ||
| } | ||
|
|
||
| func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, auditSecretName string) []corev1.Container { | ||
| func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, auditSecretName *string) []corev1.Container { |
There was a problem hiding this comment.
| if len(auditSecretName) > 0 { | ||
| volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetAuditCertsVolumeMount()) | ||
|
|
||
| if auditSecretName != nil { |
There was a problem hiding this comment.
You still want a check on the dereferenced pointer value - an empty name isn't valid, either.
| if auditSecretName != nil { | |
| if auditSecretName != nil && *auditSecretName != "" { |
| // Check for the presence of audit-endpoint configmap | ||
| authIdpConfigMapName := "platform-auth-idp" | ||
| authIdpConfigMap := &corev1.ConfigMap{} | ||
| idpCMLogger := log.WithValues("ConfigMap.Name", authIdpConfigMapName, "ConfigMap.Namespace", namespace) | ||
| if err := r.Get(ctx, types.NamespacedName{Name: authIdpConfigMapName, Namespace: namespace}, authIdpConfigMap); k8sErrors.IsNotFound(err) { | ||
| idpCMLogger.Info("ConfigMap was not found") | ||
| return nil, nil | ||
| } else if err != nil { | ||
| idpCMLogger.Error(err, "Failed to get ConfigMap") | ||
| return nil, err | ||
| } | ||
| if authIdpConfigMap.Data == nil { | ||
| idpCMLogger.Info("Invalid ConfigMap") | ||
| return nil, nil | ||
| } | ||
| if authIdpConfigMap.Data["AUDIT_URL"] == "" { | ||
| idpCMLogger.Info("Audit URL is not specified in ConfigMap; assume no Secret to mount", "key", "AUDIT_URL") | ||
| return nil, nil | ||
| } | ||
| if authIdpConfigMap.Data["AUDIT_SECRET"] == "" { | ||
| idpCMLogger.Info("Audit Secret is not specified in ConfigMap; assume no Secret", "key", "AUDIT_SECRET") | ||
| return nil, nil | ||
| } | ||
| auditURL = authIdpConfigMap.Data["AUDIT_URL"] | ||
| auditSecretName = authIdpConfigMap.Data["AUDIT_SECRET"] | ||
| idpCMLogger.Info("Fetched audit URL and audit Secret from ConfigMap", "AUDIT_SECRET", auditSecretName, "AUDIT_URL", auditURL) |
There was a problem hiding this comment.
I apologize if I said this before - this section is unnecessary and shouldn't be here because the operating assumption is that this configuration is coming from the Authentication CR, not the ConfigMap.
That said, if the configuration is expected to be set on the ConfigMap before the Authentication CR, e.g. some previous support for this configuration in a different release stream, then the bootstrap controller needs to be updated to perform this identification so that the Authentication CR can be updated to have the correct settings on it before it hits the main Authentication controller.
There was a problem hiding this comment.
For reference, you'd add "AUDIT_URL" and "AUDIT_SECRET" and their respective Auth CR property paths to this map, which handles setting the Auth CR properties you specify using values in the platform-auth-idp ConfigMap.
There was a problem hiding this comment.
Oh, and all of the fields referenced in that map currently are kept as references, but, assuming you've changed auditUrl and auditSecret to be *string, you should be able to just do something like the following:
// Note no "&" - this property is already a pointer (assuming you've made that change)
"AUDIT_URL": authCR.Spec.Config.AuditUrl,| @@ -1032,4 +1095,42 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string) []corev1.Volume | |||
| }, | |||
| }, | |||
| } | |||
| if auditSecretName != nil { | |||
There was a problem hiding this comment.
| if auditSecretName != nil { | |
| if auditSecretName != nil && *auditSecretName != "" { |
There was a problem hiding this comment.
Though it would be better to do as I suggested here - invert this condition and return if that evaluates as true. Reduces the amount of indentation.
| @@ -345,6 +345,10 @@ func updatePlatformAuthIDP(_ common.SecondaryReconciler, _ context.Context, obse | |||
| "LDAP_CTX_POOL_PREFERREDSIZE"), | |||
| updatesValuesWhen(not(observedKeySet[*corev1.ConfigMap]("MASTER_PATH")), | |||
| "MASTER_PATH"), | |||
| updatesValuesWhen(not(observedKeySet[*corev1.ConfigMap]("AUDIT_URL")), | |||
There was a problem hiding this comment.
In conjunction with this comment, it's my feeling that these should just be added to the updatesAlways call, and, if we're trying to account for an existing setting on the ConfigMap from an upgrade, then we should account for that in the bootstrap controller.
| }, | ||
| }, | ||
| } | ||
| volumes = EnsureVolumePresent(volumes, auditVolume) |
There was a problem hiding this comment.
It still appears to be here?
Co-authored-by: Robert W. Hundley <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: rashmi_kh <[email protected]>
| MountPath: "/pgsql/clientinfo", | ||
| }, | ||
| } | ||
| if auditSecretName != nil && *auditSecretName != "" { |
There was a problem hiding this comment.
Actually, in hindsight, probably better to check if auditSecretName == nil || *auditSecretName == "" and return volumeMounts if true. Then this update to volumeMounts can happen after it without the extra indentation.
| @@ -1032,4 +1095,42 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string) []corev1.Volume | |||
| }, | |||
| }, | |||
| } | |||
| if auditSecretName != nil { | |||
There was a problem hiding this comment.
Though it would be better to do as I suggested here - invert this condition and return if that evaluates as true. Reduces the amount of indentation.
| @@ -82,7 +82,7 @@ func (r *AuthenticationReconciler) handleDeployments(ctx context.Context, req ct | |||
| samlConsoleURL = icpConsoleURL | |||
| } | |||
|
|
|||
| auditSecretName, err := r.getAuditSecretNameIfExists(ctx, req.Namespace) | |||
| auditSecretName, err := r.getAuditSecretNameIfExists(context.TODO(), req.Namespace, authCR.Spec.Config.AuditUrl, authCR.Spec.Config.AuditSecret) | |||
There was a problem hiding this comment.
This should be ctx again for the context argument. Also you could just pass the pointer to the authentication, at which point you can check both of the values within the function.
There was a problem hiding this comment.
You also get the namespace that way, so you go from four params to two.
| } | ||
| if authIdpConfigMap.Data["AUDIT_URL"] == "" { | ||
| idpCMLogger.Info("Audit URL is not specified in ConfigMap; assume no Secret to mount", "key", "AUDIT_URL") | ||
| func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string, auditUrl *string, auditSecretName *string) (*string, error) { |
There was a problem hiding this comment.
This function should just take two arguments, a context.Context and an *operatorv1alpha1.Authentication. Then values are obtained via dereference from there.
| //var auditURL string | ||
| reqLogger := logf.FromContext(ctx) | ||
|
|
||
| if auditUrl == nil { |
There was a problem hiding this comment.
Please also check for an empty string.
https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67045
https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67190 - CD