OCPBUGS-24987, OCPBUGS-30319: bump lib-go to fix SAs acting as OAuth2 clients #142
Conversation
|
/hold proof PR |
openshift-ci
bot
added
the
do-not-merge/hold
liouk
force-pushed
the
prove-kubernetes-apiserver-56
branch
2 times, most recently
from
d03fda9 to
db5c362
Compare
|
/retest-required |
5 similar comments
|
/retest-required |
|
/retest-required |
|
/retest-required |
|
/retest-required |
|
/retest-required |
liouk
force-pushed
the
prove-kubernetes-apiserver-56
branch
4 times, most recently
from
1c53e75 to
f731bf2
Compare
|
Updated PR to point to |
|
/retest-required |
|
/retitle OCPBUGS-30319: Bump openshift/kubernetes-apiserver to openshift-apiserver-4.16-kubernetes-1.29.2 |
openshift-ci
bot
changed the title
openshift-bot
added
jira/severity-important
|
@liouk: This pull request references Jira Issue OCPBUGS-30319, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retitle OCPBUGS-30319: bump lib-go to fix SAs acting as OAuth2 clients |
openshift-ci
bot
changed the title
| @@ -1,4 +1,4 @@ | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.19-openshift-4.14 AS builder | |||
There was a problem hiding this comment.
maybe also update the runner image?
There was a problem hiding this comment.
You can't change the base image to RHEL 9 without also changing the build image to RHEL 9, because RHEL 8 and 9 have different versions of OpenSSL. This change has broken all FIPS clusters.
pkg/server/headers/oauthbasic.go
Outdated
| func WithPreserveAuthorizationHeader(handler http.Handler) http.Handler { | ||
| var oauthHeaders = []string{ | ||
| "Authorization", | ||
| "X-Remote-User", |
There was a problem hiding this comment.
Should we keep all the authentication headers the default handler chain removes?
The requestheader provider won't work properly in case any of the headers configured in https://github.com/openshift/api/blob/master/config/v1/types_oauth.go#L415-L424 match any headers that are being removed in the kube default handler chain.
liouk
force-pushed
the
prove-kubernetes-apiserver-56
branch
from
f731bf2 to
4a5a3dc
Compare
|
Proof PR updated and can now be used to perform the actual bump. /hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
pkg/oauthserver/oauth_apiserver.go
Outdated
| preservedHeaders := make([]string, 0) | ||
| for _, identityProvider := range c.ExtraOAuthConfig.Options.IdentityProviders { | ||
| switch provider := identityProvider.Provider.Object.(type) { | ||
| case *osinv1.RequestHeaderIdentityProvider: | ||
| preservedHeaders = append(preservedHeaders, provider.Headers...) | ||
| preservedHeaders = append(preservedHeaders, provider.PreferredUsernameHeaders...) | ||
| preservedHeaders = append(preservedHeaders, provider.NameHeaders...) | ||
| preservedHeaders = append(preservedHeaders, provider.EmailHeaders...) | ||
| } | ||
| } |
There was a problem hiding this comment.
extract into a function, shove into the With*() call
| ) | ||
|
|
||
| func WithPreserveAuthorizationHeader(handler http.Handler) http.Handler { | ||
| func WithPreserveOAuthHeaders(handler http.Handler, preservedHeaders []string) http.Handler { | ||
| return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
There was a problem hiding this comment.
build the complete headers slice ahead of time, not during HTTP handling
liouk
force-pushed
the
prove-kubernetes-apiserver-56
branch
from
4a5a3dc to
c0803c4
Compare
images/Dockerfile.rhel
Outdated
| WORKDIR /go/src/github.com/openshift/oauth-server | ||
| COPY . . | ||
| ENV GO_PACKAGE github.com/openshift/oauth-server | ||
| RUN make build --warn-undefined-variables | ||
|
|
||
| FROM registry.ci.openshift.org/ocp/4.14:base | ||
| FROM registry.ci.openshift.org/ocp/4.16:base |
There was a problem hiding this comment.
FROM registry.ci.openshift.org/ocp/4.16:base-rhel9
liouk
force-pushed
the
prove-kubernetes-apiserver-56
branch
from
c0803c4 to
bacdbd8
Compare
|
/lgtm |
|
/retitle OCPBUGS-24987, OCPBUGS-30319: bump lib-go to fix SAs acting as OAuth2 clients |
openshift-ci
bot
changed the title
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liouk, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@liouk: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@liouk: Jira Issue OCPBUGS-30319: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-30319 has not been moved to the MODIFIED state. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build oauth-server-container-v4.16.0-202404121812.p0.g396c1ff.assembly.stream.el9 for distgit oauth-server. |
|
Fix included in accepted release 4.16.0-0.nightly-2024-04-15-184947 |
Pulls openshift/kubernetes-apiserver#56