ROX-23263: prepare e2e testing in CI on infra clusters (#1940)

* add begin/end.sh * set worker config in begin.sh * new logic to resolve jwks keys on infra ocp
stackrox · Jul 10, 2024 · a0fec88 · a0fec88
1 parent ed60c3c
commit a0fec88
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/.openshift-ci/begin.sh b/.openshift-ci/begin.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# The initial script executed for openshift/release CI jobs.
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
+# shellcheck source=scripts/ci/lib.sh
+source "$ROOT/scripts/ci/lib.sh"
+
+# This file is used to fit into the ocp 4 infra cluster workflow defined in:
+# https://github.com/openshift/release/blob/master/ci-operator/step-registry/stackrox/automation-flavors/ocp-4-e2e/stackrox-automation-flavors-ocp-4-e2e-workflow.yaml
+
+log "Running stackrox OSCI workflow"
+log "Setting worker node type and count for OCP 4 jobs"
+set_ci_shared_export WORKER_NODE_COUNT 2
+set_ci_shared_export WORKER_NODE_TYPE e2-standard-8
diff --git a/.openshift-ci/end.sh b/.openshift-ci/end.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
+# shellcheck source=scripts/ci/lib.sh
+source "$ROOT/scripts/ci/lib.sh"
+
+# The initial script executed for openshift/release CI jobs.
+set -euo pipefail
+
+# As of now this file is only a placeholder to make the repo fit to the
+# workflow defined for ocp infra clusters in openshift/release repository
+# https://github.com/openshift/release/blob/master/ci-operator/step-registry/stackrox/automation-flavors/ocp-4-e2e/stackrox-automation-flavors-ocp-4-e2e-workflow.yaml
+log "End of stackrox OSCI workflow"
diff --git a/pkg/client/iam/config.go b/pkg/client/iam/config.go
@@ -319,14 +319,30 @@ func (i *KubernetesIssuer) getJwksURI(client *http.Client) (string, error) {
 		return "", errors.Wrapf(err, "retrieving open-id configuration for %q", i.IssuerURI)
 	}
 	jwksURI := cfg.JwksURI
+
 	if i.isLocalCluster() {
 		// kube api-server returns an internal IP, need to override it.
 		jwksURI = i.overrideJwksURIForLocalCluster(jwksURI)
 	}
+
+	jwksURL, err := url.Parse(jwksURI)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse jwksURI as net/url: %s", jwksURI)
+	}
+
+	if netutil.IsIPAddress(jwksURL.Hostname()) && i.IssuerURI == kubernetesIssuer {
+		// in some cases like infra OCP the cluster internal jwks_uri in the discovery document
+		// is a private IP address of the pod running the oidc server. This breaks tls validation.
+		// This override makes sure that in those cases kubernetes.default.svc is used instead of the IP
+		glog.V(5).Infof("Configured issuer is: %s and jwks_uri contains IP, replacing host with internal kubernetes svc", i.IssuerURI)
+		jwksURI = i.overrideJwksURIForInternalCluster(jwksURL)
+	}
+
 	if cfg.Issuer != i.IssuerURI {
 		glog.V(5).Infof("Configured issuer URI does't match the issuer URI configured in the discovery document, overriding: [configured: %s, got: %s]", i.IssuerURI, cfg.Issuer)
 		i.IssuerURI = cfg.Issuer
 	}
+
 	return jwksURI, nil
 }
 
@@ -344,6 +360,14 @@ func (i *KubernetesIssuer) overrideJwksURIForLocalCluster(jwksURI string) string
 	return jwksURL.String()
 }
 
+func (i *KubernetesIssuer) overrideJwksURIForInternalCluster(url *url.URL) string {
+	k8sSvcHost := strings.TrimPrefix(kubernetesIssuer, "https://")
+	k8sSvcHost = strings.TrimPrefix(k8sSvcHost, "http://")
+	url.Host = k8sSvcHost
+
+	return url.String()
+}
+
 func (i *KubernetesIssuer) buildK8sConfig() (*rest.Config, error) {
 	// Special case for local dev environments: Fleet Manager manages local cluster, assuming kubeconfig exists
 	if i.isLocalCluster() {

diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# A library of CI related reusable bash functions
+SCRIPTS_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)"
+
+# shellcheck source=scripts/lib/log.sh
+source "$SCRIPTS_ROOT/scripts/lib/log.sh"
+
+ci_export() {
+    if [[ "$#" -ne 2 ]]; then
+        die "missing args. usage: ci_export <env-name> <env-value>"
+    fi
+
+    local env_name="$1"
+    local env_value="$2"
+
+    if command -v cci-export >/dev/null; then
+        cci-export "$env_name" "$env_value"
+    else
+        export "$env_name"="$env_value"
+    fi
+}
+
+# set_ci_shared_export() - for openshift-ci this is state shared between steps.
+set_ci_shared_export() {
+    if [[ "$#" -ne 2 ]]; then
+        die "missing args. usage: set_ci_shared_export <env-name> <env-value>"
+    fi
+
+    ci_export "$@"
+
+    local env_name="$1"
+    local env_value="$2"
+
+    echo "export ${env_name}=${env_value}" | tee -a "${SHARED_DIR:-/tmp}/shared_env"
+}