OSDOCS#7581,7582: Add token auth via CCO for Operator authors (AWS STS)#64808
adellape merged 1 commit into openshift:main from
Hi! I had a few comments. My biggest difficulty: every time the word "multitenancy" appeared, I read it as "multi-lieutenancy" which confused me as it didn't make sense. :-)
/remove-label peer-review-in-progress
| <11> The `resources` parameter defines resource constraints for all the containers in the pod created by OLM. | ||
| <12> The `nodeSelector` parameter defines a `NodeSelector` for the pod created by OLM. | ||
| . If the cluster is in STS mode, include the following fields in the `Subscription` object: |
Would it help to spell STS out?
| * Use the CCO utility (`ccoctl`) to generate the `Secret` YAML object from the `CredentialsRequest` object | ||
| * Apply the `Secret` object to the cluster in the appropriate namespace | ||
| The Operator still must be able to consume the resulting secret to communicate with cloud APIs. Because in this case the secret will be created by the user before the Operator is installed, the Operator can do either of the following: |
Replace "will be created" with "is created."
From the Red Hat supplemental style guide:

| webIdentityTokenPath := "/var/run/secrets/openshift/serviceaccount/token" | ||
| ---- | ||
| .. Ensure you have a `CredentialsRequest` object, if one does not already exist, ready to be patched and applied. For example: |
Suggestion: Delete "if one does not already exist" and its accompanying commas. The "ensure" portion of this sentence carries the same meaning, rendering these extra words as merely extra words. This deletion also brings the opening and closing phrases together, strengthening the message.
@fxierh Applied additional changes per suggestions in a separate commit: Could you PTAL to verify, as well as see my remaining question in comment reply: #64808 (comment)? Thank you!
gallettilance left a comment:
Just realized the credReq used as an example is outdated.
| ServiceAccountNames: []string{ | ||
| "<service_account_name>", | ||
| }, | ||
| CloudTokenPath: "", |
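Review bot: `CloudTokenPath` is left as an empty string in this `CredentialsRequestTemplate`, while another snippet in the same change defines `webIdentityTokenPath := "/var/run/secrets/openshift/serviceaccount/token"`; if this template is meant to be the STS-ready example, show the token path being assigned here, or state in the surrounding text that the Operator fills it in at install time, so readers do not copy a template whose relationship to the token path is unclear.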
Is it the whole var CredentialsRequestTemplate that needs addressing or just the CloudTokenPath line here?
@fxierh @gallettilance Thank you for helping get these in shape. I've attempted to interpret/combine your latest comments into some changes but I don't believe I've fully addressed Lance's #64808 (review) about the outdated credReq. I've added a few clarification questions in-line or in replies. PTAL at the latest changes, which are in an additional separate commit:
Also @fxierh @gallettilance - Release notes for this feature are here: #66133
| case <-timeout: | ||
| // timeout is exceeded, return an error | ||
| return nil, fmt.Errorf("timed out waiting for secret %s in namespace %s", name, namespace) | ||
| // add to this error with a pointer to instructions for following a manual path to a Secret that will work on STS |
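Review bot: the trailing `// add to this error with a pointer to instructions for following a manual path to a Secret that will work on STS` line reads as an author TODO rather than documentation of the `return nil, fmt.Errorf(...)` above it, and its placement after the `return` leaves it ambiguous which line it annotates; either fold that guidance into the error message text itself or move the comment above the `return` and reword it to describe what the error tells the user.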
Is this comment for the line that follows ?
I assumed the line before it; adjusted the indentation for the comment to look more like the others.
| // apply credentialsRequest on install | ||
| credReq := credreq.CredentialsRequestTemplate |
LGTM for the rest.
/cherrypick enterprise-4.14
@adellape: new pull request created: #66818
https://issues.redhat.com/browse/OSDOCS-7581 (Concept)
https://issues.redhat.com/browse/OSDOCS-7582 (Procedure)
4.14 only