
Include dex secrets only when oidc is non tigera or nil #3670

Merged: 2 commits on Dec 20, 2024

Conversation

vara2504
Contributor

@vara2504 vara2504 commented Dec 20, 2024

Include dex secrets only when oidc is non tigera or nil

vara@vara:~/bzprofiles/Clusters/tc_dex$ ts authentication -oyaml
apiVersion: operator.tigera.io/v1
kind: TigeraStatus
metadata:
  creationTimestamp: "2024-12-20T17:47:23Z"
  generation: 1
  managedFields:
  - apiVersion: operator.tigera.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec: {}
    manager: operator
    operation: Update
    time: "2024-12-20T17:47:23Z"
  - apiVersion: operator.tigera.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        .: {}
        f:conditions: {}
    manager: operator
    operation: Update
    subresource: status
    time: "2024-12-20T17:47:48Z"
  name: authentication
  resourceVersion: "19993"
  uid: 4af74605-7363-4a5e-bf9a-2cb6ffb37ccf
spec: {}
status:
  conditions:
  - lastTransitionTime: "2024-12-20T17:47:48Z"
    message: All objects available
    observedGeneration: 2
    reason: AllObjectsAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-12-20T17:47:28Z"
    message: All Objects Available
    observedGeneration: 2
    reason: AllObjectsAvailable
    status: "False"
    type: Progressing
  - lastTransitionTime: "2024-12-20T17:47:48Z"
    message: All Objects Available
    observedGeneration: 2
    reason: AllObjectsAvailable
    status: "False"
    type: Degraded

Description

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@@ -138,11 +138,10 @@ func (c *dexComponent) Objects() ([]client.Object, []client.Object) {
// TODO the RequiredSecrets in the dex condig to not pass back secrets of this type.
if !c.cfg.DeleteDex {
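Review bot: the TODO comment in this hunk is both misspelled ("condig") and missing its verb, so it is not actionable; suggest "// TODO: update the RequiredSecrets in the dex config so they do not pass back secrets of this type." Also, since this PR makes `if !c.cfg.DeleteDex {` the condition that decides whether the dex secrets are included at all, the code now depends on the caller setting DeleteDex only for the OIDC type=tigera case; a one-line comment above the guard stating that invariant (secrets are included only when OIDC is nil or non-tigera, i.e. exactly when DeleteDex is false) would make the coupling visible to the next reader rather than leaving it in the PR discussion.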
Contributor Author


@rene-dekker DeleteDex is set to true only when (authentication.Spec.OIDC != nil && authentication.Spec.OIDC.Type == operatorv1.OIDCTypeTiger) here, which is logically equivalent to !(authentication.Spec.OIDC == nil || authentication.Spec.OIDC.Type != operatorv1.OIDCTypeTiger). Therefore, it should be ok to include it under the same if condition.

Member

@rene-dekker rene-dekker left a comment


The PR is imperfect in some cases that I believe are not worth solving:

  • If someone first does regular OIDC, then OIDC type=tigera, it won't properly clean everything.

I think this is a use case that shouldn't/won't happen in the wild, since oidc type tigera should only be used in cloud. The worst case is that a user needs to delete some resources by kubectl if it affects them.

Therefore, LGTM.

@rene-dekker rene-dekker merged commit 2c868aa into tigera:master Dec 20, 2024
5 checks passed