tls update will be possible with 'create' permissions on custom-host #18312
Conversation
… Checks on changing host stay the same.
openshift-ci-robot
added
the
size/M
openshift-ci-robot
added
the
approved
|
@liggitt PTAL |
| @@ -214,14 +214,37 @@ func (s routeStrategy) validateHostUpdate(ctx apirequest.Context, route, older * | |||
| if hostChanged { | |||
There was a problem hiding this comment.
this isn't quite what was described in #18177 (comment):
- check update if the host has changed, and if false, disallow any changes
- if host hasn't changed but certs have, check "create", and if false, disallow changes
- allow changes
I think we should only run the update custom-host SAR (the one above) if hostChanged
There was a problem hiding this comment.
@liggitt It implements the logic as described. Although this code does an extra check for 'update' always, it is to prevent a case where someone has an 'update' permission but does not have 'create'. We should allow that case to be able to update TLS certs.
Review again please.
|
@smarterclayton can you please review this pr? (@liggitt is on pto this week) |
|
@rajatchopra We'll need to amend openshift/openshift-docs#7398 when we get this merged. |
|
Please copy the entire requirement from @smarterclayton at #18177 (comment) as a comment into this part of the code and reference it throughout the checks. No one will remember in a few months how we came to this conclusion. @openshift/sig-security |
|
this is exactly what I need to run http://github.com/tnozicka/openshift-acme as regular user (hopefully the last part) lgtm but agree with @enj to have that extended comment in code |
|
/retest |
|
/cherrypick release-3.7 |
|
@tnozicka: once the present PR merges, I will cherry-pick it on top of release-3.7 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherrypick release-3.8 |
|
@tnozicka: once the present PR merges, I will cherry-pick it on top of release-3.8 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
For posterity, the comment at #18177 (comment) by @smarterclayton that led to this approach was:
|
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: knobunc, rajatchopra The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 18422, 18312). |
|
@tnozicka: new pull request created: #18459 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@tnozicka: new pull request created: #18460 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Automatic merge from submit-queue. Allow users to edit route TLS if they can create custom hosts Console change for openshift/origin#18312 Closes #2699 /assign @jwforres /hold because the upstream change hasn't merged
|
@knobunc it would be helpful to actually address the comments before merging the code. |
Supercedes #18177
Fix for bz: https://bugzilla.redhat.com/show_bug.cgi?id=1524707