OCPBUGS-34373: routes/custom-host permission update for externalCertificate

[chiragkyal]

• “create” is required to set spec.tls.externalCertificate on route creation

• either “create” or “update” is required to update spec.tls.externalCertificate

• Note: since the state of the external secret cannot be verified, even keeping the secret name unchanged, requires permission check.

• NO PERMISSION is required to remove spec.tls.externalCertificate

• EP changes OCPBUGS-34373: routes/custom-host permission update for externalCertificate enhancements#1652

The decision was taken based on openshift/origin#18177 (comment) discussion on custom-host permission and keep it identical with the existing spec.tls.Certificate field.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@chiragkyal: This pull request references Jira Issue OCPBUGS-34373, which is invalid:

• expected the bug to target the "4.17.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

• “create” is required to set spec.tls.externalCertificate on route creation

• either “create” or “update” is required to update spec.tls.externalCertificate

• Note: since the state of the external secret cannot be verified, even keeping the secret name unchanged, requires permission check.

• NO PERMISSION is required to remove spec.tls.externalCertificate

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[chiragkyal]

/assign @alebedev87 @Miciah

[lihongan]

/jira refresh

[openshift-ci-robot]

@lihongan: This pull request references Jira Issue OCPBUGS-34373, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.17.0) matches configured target version for branch (4.17.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

Do we need these tests for the change you did or you just wanted to enhance the unit tests for other cases?

[chiragkyal]

These tests are unrelated to the changes I made related to externalCertificate; I just wanted to enhance different test scenarios.

[alebedev87]

Same question.

[chiragkyal]

Same as #1754 (comment)

[alebedev87]

Which unit test covers this change?

[chiragkyal]

"external-certificate-unchanged-denied"

		{
			name:           "external-certificate-unchanged-denied",
			host:           "host",
			expected:       "host",
			oldHost:        "host",
			tls:            &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "a"}},
			oldTLS:         &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "a"}},
			wildcardPolicy: routev1.WildcardPolicyNone,
			allow:          false,
			// permission is required even if referenced secret name remains unchanged
			errs: 1,

			opts: route.RouteValidationOptions{AllowExternalCertificates: true},
		},

We need to remove the immutability check to catch the externalCertificate unchanged scenario, without having necessary permissions.

[alebedev87]

I suppose this change is responsible for the note from the PR description:

Note: since the state of the external secret cannot be verified, even keeping the secret name unchanged, requires permission check.

I think this code deserves a comment with similar description.

[chiragkyal]

The function godoc has a similar description. Let me know if we need to include anything else.

// Note: If (newer/updated) route uses externalCertificate, this function always returns true, as we cannot definitively verify if
// the content of the referenced secret has been modified. Even if the secret name remains the same,
// we must assume that the secret content is changed, necessitating authorization.

[alebedev87]

/approve

Can I (doubt)?

[alebedev87]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alebedev87, chiragkyal
Once this PR has been reviewed and has the lgtm label, please ask for approval from miciah. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• pkg/route/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chiragkyal]

/cc @Miciah
for approval

[chiragkyal]

/jira refresh

[openshift-ci-robot]

@chiragkyal: This pull request references Jira Issue OCPBUGS-34373, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

Since ValidateHostExternalCertificate is used in openshift-apiserver, removing its definition now could cause difficulties if someone else needs a change from library-go in openshift-apiserver and tries to bump it before you update openshift-apiserver not to use ValidateHostExternalCertificate. That is:

1. You remove ValidateHostExternalCertificate from library-go.
2. You don't have time to post the openshift-apiserver PR right away, or reviews get delayed.
3. Meanwhile, someone else adds function xyz to library-go and bumps openshift-apiserver to get xyz.
4. Building openshift-apiserver fails because ValidateHostExternalCertificate is not defined.

It would be safer to do the following:

1. Update logic in library-go, but keep ValidateHostExternalCertificate (maybe add a // Deprecated comment) so library-go can be bumped in openshift-apiserver without breaking anything.
2. Update code in openshift-apiserver not to use ValidateHostExternalCertificate.
3. Remove ValidateHostExternalCertificate from library-go.

[chiragkyal]

Thanks for the suggestion, and I agree that we should be doing the way you suggested above.

However, even if we keep ValidateHostExternalCertificate definition, the unit tests present in the openshift-apiserver will complain due to the changes in validateTLSExternalCertificate function because we are dropping custom-host permission check from that function as well. There are fair amount of unit tests overlap between openshift-apiserver and library-go, so updating logic in library-go requires immediate intervention (bump) in openshift-apiserver as well.

If these weren't any unit tests in openshift-apiserver, then it could have been much easier.

[Miciah]

Need to resolve openshift/enhancements#1652 (comment).

[openshift-ci]

@chiragkyal: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.