Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: TLS support for External Data Providers #226

Merged
merged 8 commits into from
Jun 21, 2022
Merged

feat: TLS support for External Data Providers #226

merged 8 commits into from
Jun 21, 2022

Conversation

chewong
Copy link
Member

@chewong chewong commented May 18, 2022

Design doc: https://docs.google.com/document/d/1GjV3WeC2bgQ3j37_mMpY9hr7YOAqzSJ6jDSu-DVrcmU/edit#

This PR adds two new fields to the Provider CRD - caBundle and insecureTLSSkipVerify. If the provider is using HTTPS scheme for their provider and presents a valid caBundle, we will inject it into our HTTP client before making an external data request. We will also inject Gatekeeper's certificate into our HTTP client in case the provider wants to establish mutual trust.

@chewong chewong requested a review from a team May 18, 2022 22:03
@codecov-commenter
Copy link

codecov-commenter commented May 18, 2022
edited
Loading

Codecov Report

Merging #226 (fb82f20) into master (36b73e1) will increase coverage by 0.82%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #226      +/-   ##
==========================================
+ Coverage   49.39%   50.22%   +0.82%     
==========================================
  Files          64       64              
  Lines        4154     4255     +101     
==========================================
+ Hits         2052     2137      +85     
- Misses       1866     1879      +13     
- Partials      236      239       +3
Flag Coverage Δ
unittests 50.22% <ø> (+0.82%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...nt/frameworks/constraint/pkg/externaldata/cache.go 96.34% <0.00%> (-3.66%) ⬇️
...orks/constraint/pkg/client/drivers/local/driver.go 61.48% <0.00%> (-1.12%) ⬇️
.../frameworks/constraint/pkg/externaldata/request.go 0.00% <0.00%> (ø)
...t/pkg/apis/externaldata/v1alpha1/provider_types.go 100.00% <0.00%> (ø)
...eworks/constraint/pkg/client/drivers/local/args.go 64.28% <0.00%> (+20.09%) ⬆️
...meworks/constraint/pkg/client/drivers/local/new.go 86.36% <0.00%> (+45.45%) ⬆️
...rks/constraint/pkg/client/drivers/local/builtin.go 70.00% <0.00%> (+70.00%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 36b73e1...fb82f20. Read the comment docs.

maxsmythe
maxsmythe reviewed May 19, 2022
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple comments, but mostly LGTM

constraint/pkg/client/drivers/local/builtin.go Outdated Show resolved Hide resolved
constraint/pkg/externaldata/cache.go Outdated Show resolved Hide resolved
constraint/pkg/externaldata/cache.go Show resolved Hide resolved
@chewong chewong force-pushed the external-data-provider-tls branch from a78800b to b047790 Compare May 19, 2022 16:57
@chewong chewong requested a review from maxsmythe May 19, 2022 17:30
willbeason
willbeason previously requested changes May 26, 2022
View reviewed changes
constraint/pkg/client/drivers/local/builtin.go Outdated Show resolved Hide resolved
constraint/pkg/externaldata/cache.go Show resolved Hide resolved
constraint/pkg/externaldata/cache.go Show resolved Hide resolved
constraint/pkg/externaldata/cache.go Outdated Show resolved Hide resolved
constraint/pkg/client/drivers/local/builtin.go Outdated Show resolved Hide resolved
@chewong chewong force-pushed the external-data-provider-tls branch from 67caae8 to 89774ad Compare June 1, 2022 23:23
@chewong chewong marked this pull request as draft June 2, 2022 22:20
@chewong chewong force-pushed the external-data-provider-tls branch from 8d5168d to 42a8425 Compare June 6, 2022 17:19
@chewong chewong marked this pull request as ready for review June 6, 2022 17:22
@chewong chewong requested a review from willbeason June 6, 2022 17:22
@chewong chewong force-pushed the external-data-provider-tls branch from 42a8425 to dc83a78 Compare June 7, 2022 21:02
@chewong chewong force-pushed the external-data-provider-tls branch 2 times, most recently from 44ab592 to 18159dd Compare June 8, 2022 17:43
@chewong chewong requested a review from ritazh June 8, 2022 22:25
ritazh
ritazh approved these changes Jun 9, 2022
View reviewed changes
Copy link
Member

@ritazh ritazh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

pending failed gatekeeper tests

@chewong chewong requested a review from maxsmythe June 9, 2022 02:17
@chewong
Copy link
Member Author

chewong commented Jun 9, 2022

pending failed gatekeeper tests

the gatekeeper test won't pass because this PR contains a minor breaking change (I changed the function signature of SendRequestToProvider)

@sozercan sozercan requested a review from a team June 14, 2022 20:46
@chewong chewong mentioned this pull request Jun 15, 2022
Closed
14 tasks
Ernest Wong added 6 commits June 21, 2022 18:41
feat: TLS support for External Data Providers
2336564 
Signed-off-by: GitHub <noreply@github.com>
Address PR comments
bf317c6 
Signed-off-by: GitHub <noreply@github.com>
nolint:gosec
d908a76 
Signed-off-by: GitHub <noreply@github.com>
Address PR comments
d4d9b22 
Signed-off-by: GitHub <noreply@github.com>
Add a flag to enable external data client auth
09e1cf0 
Signed-off-by: GitHub <noreply@github.com>
Address PR comments
c228abc 
Signed-off-by: GitHub <noreply@github.com>
@chewong chewong force-pushed the external-data-provider-tls branch from b283b3a to ecd4d23 Compare June 21, 2022 20:24
Use sigs.k8s.io/controller-runtime/pkg/certwatcher
7222ec1 
Signed-off-by: GitHub <noreply@github.com>
@chewong chewong force-pushed the external-data-provider-tls branch from ecd4d23 to 7222ec1 Compare June 21, 2022 20:35
maxsmythe
maxsmythe approved these changes Jun 21, 2022
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after 1 comment nit, sorry for the slow review process

constraint/pkg/apis/externaldata/v1alpha1/provider_types.go Outdated Show resolved Hide resolved
Address PR comments
fb82f20 
Signed-off-by: GitHub <noreply@github.com>
@chewong chewong dismissed willbeason’s stale review June 21, 2022 23:18

stale review

@chewong chewong merged commit a0dd2a5 into open-policy-agent:master Jun 21, 2022
@chewong chewong deleted the external-data-provider-tls branch June 21, 2022 23:22
@chewong chewong mentioned this pull request Jun 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

@ritazh ritazh ritazh approved these changes

@willbeason willbeason Awaiting requested review from willbeason

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@chewong @codecov-commenter @ritazh @willbeason @maxsmythe