Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add plugin and key-cache for ExternalJWTSigner integration #128190

Merged
merged 1 commit into from
Nov 7, 2024
Merged

Add plugin and key-cache for ExternalJWTSigner integration #128190

merged 1 commit into from
Nov 7, 2024

Conversation

HarshalNeelkamal
Copy link
Contributor

@HarshalNeelkamal HarshalNeelkamal commented Oct 18, 2024
edited by liggitt
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

  1. introduces a Plugin and a Key Cache that will enable integrating with an ExternalJWTSigner.
  2. Introduces a new flag service-account-signing-endpoint that enables configuring the Cluster to use ExternalJWTSigner.
  3. Adds a new staging repo, staging/externaljwt.

Which issue(s) this PR fixes:

xref kubernetes/enhancements#740

Special notes for your reviewer:

NONE

Does this PR introduce a user-facing change?

kube-apiserver adds support for an alpha feature enabling external signing of service account tokens and fetching of public verifying keys, by enabling the alpha `ExternalServiceAccountTokenSigner` feature gate and specifying `--service-account-signing-endpoint`. The flag value can either be the location of a Unix domain socket on a filesystem, or be prefixed with an @ symbol and name a Unix domain socket in the abstract socket namespace.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/740-service-account-external-signing
- [Issue]: https://github.com/kubernetes/enhancements/issues/740
- [Discussion]: https://docs.google.com/document/d/1QVtBX8J2Tk70toefDegXMXigMFzrdQfezjlhBrKR29Y/edit?tab=t.0
- [Publish request]: https://github.com/kubernetes/org/issues/5224

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 18, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @HarshalNeelkamal. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/dependency Issues or PRs related to dependency changes area/release-eng Issues or PRs related to the Release Engineering subproject sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/release Categorizes an issue or PR as relevant to SIG Release. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 18, 2024
@k8s-ci-robot k8s-ci-robot requested review from dchen1107, deads2k and a team October 18, 2024 20:01
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label Oct 18, 2024
@HarshalNeelkamal
Copy link
Contributor Author

/cc @liggitt

@k8s-ci-robot k8s-ci-robot requested a review from liggitt October 18, 2024 20:02
@liggitt liggitt mentioned this pull request Oct 18, 2024
Open
4 tasks
@HarshalNeelkamal
Copy link
Contributor Author

/cc @ahmedtd

@k8s-ci-robot k8s-ci-robot requested a review from ahmedtd October 18, 2024 20:08
@HarshalNeelkamal HarshalNeelkamal mentioned this pull request Oct 18, 2024
Closed
liggitt
liggitt reviewed Oct 22, 2024
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

quick first pass on wiring bits

pkg/controlplane/apiserver/options/options.go Outdated Show resolved Hide resolved
pkg/controlplane/apiserver/options/options.go Outdated Show resolved Hide resolved
pkg/controlplane/apiserver/options/options.go Outdated Show resolved Hide resolved
pkg/controlplane/apiserver/options/options.go Outdated Show resolved Hide resolved
pkg/kubeapiserver/options/authentication.go Show resolved Hide resolved
pkg/kubeapiserver/options/authentication.go Outdated Show resolved Hide resolved
staging/src/k8s.io/externaljwt/go.mod Outdated Show resolved Hide resolved
@HarshalNeelkamal HarshalNeelkamal mentioned this pull request Oct 23, 2024
Merged
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 26, 2024
@liggitt
Copy link
Member

liggitt commented Nov 7, 2024
edited
Loading 

{Failed;Failed;  === RUN   TestExternalPublicKeyGetter/invalid_data_timestamp
    keycache_test.go:218: want error: invalid data timestamp: proto: invalid nil Timestamp, got error: invalid data timestamp: proto: invalid nil Timestamp
--- FAIL: TestExternalPublicKeyGetter/invalid_data_timestamp (0.00s)
;=== RUN   TestExternalPublicKeyGetter
--- FAIL: TestExternalPublicKeyGetter (0.03s)

unit test failure looks legitimate and related to this PR

the other two unit flakes are known / unrelated to this PR and being fixed elsewhere

@liggitt
Copy link
Member

liggitt commented Nov 7, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: d82c9daa3f7a804844ac2b00d06918b7d43e13e5

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: HarshalNeelkamal, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 7, 2024
@liggitt liggitt added this to the v1.32 milestone Nov 7, 2024
@liggitt
Copy link
Member

liggitt commented Nov 7, 2024

/clear

@k8s-ci-robot
Copy link
Contributor

@HarshalNeelkamal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-publishing-bot-validate 6fdacf0 link false /test pull-publishing-bot-validate
pull-kubernetes-linter-hints 6fdacf0 link false /test pull-kubernetes-linter-hints
pull-kubernetes-e2e-gce-cos-alpha-features 6fdacf0 link false /test pull-kubernetes-e2e-gce-cos-alpha-features

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot merged commit 6cc3570 into kubernetes:master Nov 7, 2024
15 of 18 checks passed
@HarshalNeelkamal HarshalNeelkamal deleted the external-jwt branch November 7, 2024 07:01
@akhilerm
Copy link
Member

akhilerm commented Nov 7, 2024
edited
Loading

This PR adds a new https://github.com/kubernetes/externaljwt repo into staging. But that repo does not exist under the kubernetes org. This is causing the publishing to fail.

Ref: #56876 (comment)

@akhilerm
Copy link
Member

akhilerm commented Nov 7, 2024

Can you also add an entry for the new repo in https://github.com/kubernetes/publishing-bot/blob/master/hack/repos.sh and https://github.com/kubernetes/kubernetes/tree/master/staging#external-repository-staging-area

@liggitt
Copy link
Member

liggitt commented Nov 7, 2024
edited
Loading

This PR adds a new https://github.com/kubernetes/externaljwt repo into staging. But that repo does not exist under the kubernetes org. This is causing the publishing to fail.

yup, requested in kubernetes/org#5224

Can you also add an entry for the new repo in https://github.com/kubernetes/publishing-bot/blob/master/hack/repos.sh

kubernetes/publishing-bot#458

and https://github.com/kubernetes/kubernetes/tree/master/staging#external-repository-staging-area

#128668

@benluddy
Copy link
Contributor

benluddy commented Nov 7, 2024

I don't see other examples on the aggregated test results search yet, but https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/batch/pull-kubernetes-integration/1854558080050663424 looks like one of the integration tests may be flaky.

@liggitt
Copy link
Member

liggitt commented Nov 7, 2024
edited
Loading

hmm... I can't reproduce running with stress hundreds of times, I have a follow-up PR for this, and I'll add some more debug info into the integration test and keep an eye on it

@liggitt
Copy link
Member

liggitt commented Nov 7, 2024

followup in #128670

@Jefftree Jefftree mentioned this pull request Nov 7, 2024
Closed
@liggitt liggitt mentioned this pull request Nov 7, 2024
Merged
jm-franc pushed a commit to jm-franc/enhancements that referenced this pull request Nov 13, 2024
@HarshalNeelkamal @jm-franc
Update README.md
f22cc00 
Choice of max token lifetime was reconsidered during implementation. Documenting it accordingly. 

For ref: kubernetes/kubernetes#128190 (comment)
@richabanker
Copy link
Contributor

There might be a data race caused in the new tests added in pkg/controlplane/apiserver/options/options_test.go in this PR, one of the occurrences is here

@liggitt
Copy link
Member

liggitt commented Dec 2, 2024

There might be a data race caused in the new tests added in pkg/controlplane/apiserver/options/options_test.go in this PR, one of the occurrences is here

Thanks for reporting that, fixup at #129059

@liggitt liggitt mentioned this pull request Dec 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahmedtd ahmedtd ahmedtd left review comments

@liggitt liggitt liggitt left review comments

@enj enj enj requested changes

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/dependency Issues or PRs related to dependency changes area/release-eng Issues or PRs related to the Release Engineering subproject area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/etcd Categorizes an issue or PR as relevant to SIG Etcd. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Apps
Archived in project
SIG Auth
Archived in project
SIG Node CI/Test Board
Status: Done
SIG Node: code and documentation PRs
Status: Done
[sig-release] Bug Triage
Archived in project
Milestone
v1.32
Development

Successfully merging this pull request may close these issues.
9 participants
@HarshalNeelkamal @k8s-ci-robot @liggitt @fedebongio @akhilerm @benluddy @richabanker @ahmedtd @enj