Introduce admission webhook settings page #590
Conversation
|
Current state with last commit:
|
c1b7c8d to
b09e87f
Compare
| @@ -11,7 +11,7 @@ $(function() { | |||
| new RegistryForm($registryForm); | |||
| } | |||
|
|
|||
| if ($systemCertificateForm.length) { | |||
| new SystemCertificateForm($systemCertificateForm); | |||
There was a problem hiding this comment.
There's no SystemCertificateForm. I let this pass on a previous PR. Removed it since it was causing a js error.
| @@ -0,0 +1,21 @@ | |||
| # AdmissionWebhookForm represents a form for AdmissionWebhookController | |||
| class AdmissionWebhookForm | |||
There was a problem hiding this comment.
The idea is to simulate a virtual model and take advantage of some nice things of a model like validation.
There was a problem hiding this comment.
This will be useful when we introduce the validation of the certificates itself.
There was a problem hiding this comment.
I am wondering if parts of what this virtual model is doing should maybe be part of the certificate class, as that handles storage of uploaded certificates?
Then we might have another class to handle the keys - as not all views need both.
There was a problem hiding this comment.
We could include Certificate. Would that be enough?
There was a problem hiding this comment.
Sorry for the late reply: I wanted to try out the implementation in #593 first.
I guess yes - including certificate and putting the validation logic for certificates in the certificate.rb model would be enough, then we don't duplicate it.
There was a problem hiding this comment.
As far as I can see the only thing that would be reused, and it would in the controller, is the Certificate.get_certificate_text method. Validation for this page has a condition and that differs from the Certificate model.
The reason for that is because the user is not forced to update both certificate and key at once. They can update one or the other or both. So I guess it's fine leaving this way, right?
We can reuse get_certificate_text after we merge #593.
There was a problem hiding this comment.
Right now you are right - so let's leave it like this.
I assume later on the verification that the certificate is actually a certificate (X509 probably) will be part of certificate.rb, then it might be useful - but I guess we can do that once we work on that feature.
b09e87f to
3567e2b
Compare
b752b14 to
1a365f8
Compare
|
@flavio This is good to be reviewed. |
1a365f8 to
fa43397
Compare
|
It looks to me, I like the workflow. However there's a bug:
Basically we don't actually delete them from the database. |
|
Also another bug: it's possible to upload empty files. The validation in place doesn't look for that |
abd4fc6 to
cd70225
Compare
|
Fixed both cases, @flavio. Thanks! |
|
|
| h2 Admission Webhook | ||
|
|
||
| p | ||
| | Enable Kubernetes ValidatingAdmissionWebhook admission controller. Once enabled |
There was a problem hiding this comment.
you need to add a space at $ or at the beginning of the next line, otherwise it reads Once enabledit is possible to...
| @key = Pillar.value(pillar: :api_admission_webhook_key) | ||
| end | ||
|
|
||
| def admission_webhook_params |
There was a problem hiding this comment.
can you still make sure to filter the cert/key from the logs in config/initializers/filter_parameter_logging.rb ?
There was a problem hiding this comment.
I thought about that but for file inputs the content doesn't appear as for text inputs. I can paste the content here if you want.
If we still think that it's necessary to filter it, I can add it.
There was a problem hiding this comment.
hmm in my case it appears, but it's the devenv. if it doesnt appear in production it's totally fine ;)
There was a problem hiding this comment.
Oh. You mean the current_cert and current_key. Yeah, you are right. I thought that it was the key and certificate inputs. 😅
cd70225 to
12f3f15
Compare
|
I cannot be the one approving the PR because I'm the one who created it. But it LGTM |
12f3f15 to
26054b7
Compare
app/controllers/setup_controller.rb
Outdated
| @@ -246,7 +246,7 @@ def proxy_enabled | |||
| end | |||
|
|
|||
| def redirect_to_dashboard | |||
| redirect_to root_path if setup_done? | |||
| # redirect_to root_path if setup_done? | |||
There was a problem hiding this comment.
Yeah... Reverted. Thanks again! 😅
26054b7 to
dd87143
Compare
| notice: "Admission webhook settings successfully saved." | ||
| else | ||
| set_instance_variables | ||
| render action: :index, status: :unprocessable_entity |
There was a problem hiding this comment.
what about possible @errors? we should show them in an alert, would be a waste to throw them away
app/forms/admission_webhook_form.rb
Outdated
| validates :key, presence: true, if: :current_key_blank? | ||
| validates :certificate, presence: true, if: :current_certificate_blank? | ||
|
|
||
| validate :cant_be_empty_file |
There was a problem hiding this comment.
should we at least validate the filetype as well?
def must_be_key
`file #{path}`.include? "private key"
end
def must_be_cert
`file #{path}`.include? "certificate"
endotherwise i'm afraid we'll have an uncaught exception
There was a problem hiding this comment.
as discussed on irc we can address this in a follow up, as we have other cert handling as well, and it should be done for all parts where we upload certs
dd87143 to
550c421
Compare
|
I guess we can proceed with the merge, right? I'll give my approval on behalf of @flavio since he created the PR and can't do that. |
7bd68ca to
115add5
Compare
|
I updated the code with with the x509 validation and added pem/der key format validation. Suggestion for wording are welcome. I also made a minor refactoring to make things more readable. Please review it again. Thanks! @flavio, could you play with this again? |
115add5 to
cd96dd8
Compare
cd96dd8 to
eb22226
Compare
|
Just a short update to fix the merge conflicts. I still intend to setup an admission webhook and actually try out the code. |
I don't see any conflicts. Is something going to change? |
|
Sorry - I just meant I repushed the changes after a rebase due to conflicts in |
| require "openssl" | ||
|
|
||
| # Verifies that an attribute is a valid PEM/DER encoded key | ||
| class PemDerKeyValidator < ActiveModel::EachValidator |
There was a problem hiding this comment.
This validator seems to fail, when trying to upload a password protected key.
I think it is not supposed to be password-protected as a mutual TLS key, but maybe we should put this in the UI.
Allow user to enable AdmissionWebhook by using a new dedicated page. feature#ValidatingAdmissionWebhook Signed-off-by: Flavio Castelli <fcastelli@suse.com>
eb22226 to
c8066a1
Compare
|
I've rebased this and should be good to be reviewed again. |
| describe AdmissionWebhookForm do | ||
| describe "validations" do | ||
| let(:cert_file) do | ||
| Rack::Test::UploadedFile.new(Rails.root.join("spec", "fixtures", "admin.crt")) |
There was a problem hiding this comment.
I think this code can just use fixture_file_upload instead of Rack::Test::UploadedFile.
|
LGTM with one small change (use However given that the salt PR is |
6d55095 to
cf73dd0
Compare
This is a follow-up from the previous commit improving the UI elements, adding more validation and adding tests for all the new components added with this new feature. feature#ValidatingAdmissionWebhook Signed-off-by: Vítor Avelino <vavelino@suse.com>
cf73dd0 to
5c93ade
Compare
|
This GitHub PR is unactive since 30. Is this GitHub PR still needed? Please close or update it accordingly. |
Allow user to enable AdmissionWebhook by using a new dedicated page.
To work this requires the following PR merged into the salt repo: SUSE/caasp-salt#555
The new UI has to be improved by @vitoravelino, right now it looks something like that:
The workflow is the following one:
Notable things missing: