Skip to content

feat: support CA bundle and identity cert/key authentication #361

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zhiying-lin merged 4 commits into from
Apr 10, 2023
Merged

feat: support CA bundle and identity cert/key authentication #361

zhiying-lin merged 4 commits into from
Apr 10, 2023

Conversation

@Teng-Jiao-Chen
Copy link
Contributor

@Teng-Jiao-Chen Teng-Jiao-Chen commented Apr 5, 2023
edited
Loading

Description of your changes

Provide an solution for community to support CA auth

I have:

  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

  • Kind Cluster e2e workflow on README is verified working, no existing workflow get affected.
  • Integ test is performed in LinkedIn environment
  • Helm yaml generation is verified
The default behavior has no changes.

For the yamls with CA info enabled
==================================================

helm template member-agent ./charts/member-agent/ \
--set useCAAuth=true \
--set config.identityKey="identity-key-path" \
--set config.identityCert="identity-cert-path" \
--set config.CABundle="ca-bundle-path" \
--set config.hubURL=hub-cluster-api-url \
--set image.repository=member-agent-image-url \
--set image.tag=0.0.1 \
--set refreshtoken.repository=refresh-token-url \
--set refreshtoken.tag=0.0.1 \
--set image.pullPolicy=IfNotPresent --set refreshtoken.pullPolicy=IfNotPresent \
--set config.memberClusterName="member-cluster-name" \
--set logVerbosity=5 \
--set namespace=fleet-system \
| awk -vout=/tmp/member-agent-with-ca -F": " '$0~/^# Source: /{file=out"/"$2; print "Creating "file; system ("mkdir -p $(dirname "file"); echo "" > "file)} $0!~/^#/ && $0!="---"{print $0 >> file}'

deployment.yaml is verified with the right arguments and there is no refresh token generated
==================================================
...
          args:
            - --leader-elect=true
            - --use-ca-auth=true
            - --v=5
            - -add_dir_header
          env:
...
          - name: IDENTITY_KEY
            value:  "identity-key-path"
          - name: IDENTITY_CERT
            value:  "identity-cert-path"
          - name: CA_BUNDLE
            value:  "ca-bundle-path"
...

* Support CA bundle and identity cert/key authentication
81820d3 
* Change the helm adjust the new arguments and environment variable inputs
@Teng-Jiao-Chen
Copy link
Contributor Author

Teng-Jiao-Chen commented Apr 5, 2023

@microsoft-github-policy-service agree [company="LinkedIn"]

@Teng-Jiao-Chen
Copy link
Contributor Author

Teng-Jiao-Chen commented Apr 5, 2023

@microsoft-github-policy-service agree company="LinkedIn"

@Ealianis Ealianis requested a review from zhiying-lin April 5, 2023 19:39
Ealianis
Ealianis reviewed Apr 5, 2023
View reviewed changes
Ealianis
Ealianis reviewed Apr 5, 2023
View reviewed changes
* Address the comments from Sean
d21ff52 
  * change useCaAuth to useCAAuth
  * Edit the error msg for the token missing to reflect the CA auth logic
michaelawyu
michaelawyu previously approved these changes Apr 7, 2023
View reviewed changes
Copy link
Contributor

@michaelawyu michaelawyu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

zhiying-lin
zhiying-lin reviewed Apr 7, 2023
View reviewed changes
Copy link
Contributor

@zhiying-lin zhiying-lin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one minor comment, others LGTM

Can you change the PR title to "feat: support CA bundle and identity cert/key authentication"? i remember we have the pr title lint check and not sure why the current one did not fail.

Thank you so much!

@Ealianis
Copy link
Contributor

Ealianis commented Apr 7, 2023

one minor comment, others LGTM

Can you change the PR title to "feat: support CA bundle and identity cert/key authentication"? i remember we have the pr title lint check and not sure why the current one did not fail.

Thank you so much!

That is odd, I triggered it manually.

@Teng-Jiao-Chen Teng-Jiao-Chen changed the title * Support CA bundle and identity cert/key authentication feat: support CA bundle and identity cert/key authentication Apr 7, 2023
zhiying-lin
zhiying-lin reviewed Apr 10, 2023
View reviewed changes
@zhiying-lin zhiying-lin merged commit 3738d31 into Azure:main Apr 10, 2023
github-actions bot pushed a commit that referenced this pull request Dec 10, 2025
@michaelawyu
fix: always sort bindings in the scheduler to ensure deterministic de…
3d594cc 
…cision list output (#361)
@britaniar britaniar mentioned this pull request Jan 12, 2026
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhiying-lin zhiying-lin zhiying-lin approved these changes

@Ealianis Ealianis Awaiting requested review from Ealianis

@michaelawyu michaelawyu Awaiting requested review from michaelawyu

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Teng-Jiao-Chen @Ealianis @michaelawyu @zhiying-lin