tighten bootstrap policy #885
Conversation
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
53bbe95 to
fd18b24
Compare
|
This is post beta1 right? |
|
Yeah, beta2 |
|
Oh the lack of confidence! ;) |
| @@ -74,20 +74,21 @@ OPENSHIFT_ON_PANIC=crash openshift start --master="${API_SCHEME}://${API_HOST}:$ | |||
| OS_PID=$! | |||
|
|
|||
| if [[ "${API_SCHEME}" == "https" ]]; then | |||
| export CURL_CA_BUNDLE="${CERT_DIR}/admin/root.crt" | |||
| export CURL_CA_BUNDLE="${CERT_DIR}/system:admin/root.crt" | |||
There was a problem hiding this comment.
If you change directories, we need to make sure we update ALL the places that reference it (docs, howtos, scripts to copy things to minion vagrant images, etc). Probably easier to leave the directory alone and just add the provider name in the cert itself.
There was a problem hiding this comment.
Colons in paths break windows, let's leave directories non-provider qualified for now
|
Add a bootstrap role for deleting oAuthAccessTokens and bind it to system:authenticated, system:unauthenticated |
|
See https://github.com/liggitt/origin/commit/86ebd5e2327a69edfec764f62cb5c3c9f2434f23 for an initial stab at adding groups to certs |
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
6bbd2f4 to
c725bd7
Compare
|
I'd like to limit creep by adding groups later. There's no way to admin them now and our rule language is probably changing, so the description of the roles may still change. This just makes sure each individual piece is working. Given a working login page, I'm inclined to actually remove the |
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
c725bd7 to
4bd1255
Compare
|
Comments addressed. |
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
4bd1255 to
03dd54d
Compare
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1046/) |
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
85e504c to
127c188
Compare
| [vagrant@openshiftdev origin]$ export OPENSHIFT_CA_DATA=$(<$CERT_DIR/master/root.crt) | ||
|
|
||
| [vagrant@openshiftdev origin]$ hack/install-router.sh {router_id} {master_url} | ||
| [vagrant@openshiftdev origin]$ CERT_DIR=$CERT_DIR/master hack/install-router.sh {router_id} {master_url} |
There was a problem hiding this comment.
that actually should be CERT_DIR=$CERT_DIR/openshift-client, right? You can't use the master server certs as a client certificate... if that was copied from the registry readme, it needs changing there as well
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
127c188 to
a0c4851
Compare
|
Doc tweak and commits squashed. |
| OPENSHIFT_CERT_DATA="${OPENSHIFT_CERT_DATA//$'\n'/\\\\n}" | ||
| OPENSHIFT_KEY_DATA="${OPENSHIFT_KEY_DATA//$'\n'/\\\\n}" | ||
|
|
||
|
|
||
| if [[ "$OPENSHIFT_CA_DATA" == "" ]]; then | ||
| echo "Running against an HTTPS master (${MASTER_URL}) without a trusted certificate bundle." | ||
| echo "Set \$OPENSHIFT_CA_DATA to the contents of the root certificate bundle to start securely next time." |
There was a problem hiding this comment.
Oops... update this to describe the correct invocation (CERT_DIR=openshift.local.certificates/openshift-client ...)
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
a0c4851 to
a3bcddf
Compare
|
fixed up the echo. |
|
[test] |
| set +e | ||
| for i in $(seq 1 $times); do | ||
| out=$(curl -fs $url 2>/dev/null) | ||
| out=$(curl ${clientcert_args} -fs $url 2>/dev/null) |
There was a problem hiding this comment.
Also add ${clientcert_args} below to the final curl invocation so we don't surface a misleading error message
| @@ -164,23 +164,25 @@ OS_PID=$! | |||
|
|
|||
| if [[ "${API_SCHEME}" == "https" ]]; then | |||
| export CURL_CA_BUNDLE="${CERT_DIR}/master/root.crt" | |||
| export CURL_CERT="${CERT_DIR}/admin/cert.crt" | |||
There was a problem hiding this comment.
Tabs in this file are two spaces (chosen before me). You want me to change them all?
There was a problem hiding this comment.
Weird, just saw the mismatch in the github displayed indent
|
@liggitt Changed tabs in a separate commit. Do we change cruft like this? Let it live forever? Have separate formatting commits? |
|
LGTM |
|
Squash and I'll merge |
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
a770b11 to
8770bd2
Compare
|
@smarterclayton rebased and squashed |
| OPENSHIFT_KEY_DATA="$(cat "${CERT_DIR}/key.key")" | ||
| fi | ||
|
|
||
| # I don't know how to do this inline with bash and it's logically a separate step we want to remove anyway |
There was a problem hiding this comment.
Do we need this comment?
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
8770bd2 to
23e098d
Compare
deads2k
force-pushed
the
deads-tighten-bootstrap-policy
branch
from
23e098d to
466b5c3
Compare
|
finally, mostly green tests. |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/879/) (Image: devenv-fedora_753) |
|
Evaluated for origin up to 466b5c3 |
Merged by openshift-bot
[3.6] Pruning should keep layers referenced by other images
…hift#885) * sending the appropriate query string parameters in deprovision … and not sending a request body Fixes kubernetes-retired/service-catalog#883 * fixing fake broker server it should no longer require a request body for a DELETE request * checking the response's error before continuing * sending params in the query string as it should be!
openshift#885)" (openshift#887) This reverts commit 5ea359b.
Start separating roles for system components.
Separate role bindings for different components.
Prefix system generated users with system:
Separate out the insecure-cluster-admins
Update tests to run fully secure (no rights for system:authenticated or system:unauthenticated)
@liggitt