OLS-546: Use cluster id as user id

[onmete]

Description

Use cluster id as user id

Type of change

• New feature

[openshift-ci-robot]

@onmete: This pull request references OLS-546 which is a valid jira issue.

In response to this:

Description

Use cluster id as user id

Type of change

• New feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tisnik]

prob. use real UUID? will it be tested in the code btw?

[onmete]

Do you mean ensuring what we get from the cluster as id is really uuid? That seems like an overkill to me, but I can add it if you think it is reasonable.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 88.63636% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 95.24%. Comparing base (de85e97) to head (a7dbbea).
Report is 12 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #882      +/-   ##
==========================================
- Coverage   95.34%   95.24%   -0.10%     
==========================================
  Files          54       54              
  Lines        2211     2252      +41     
==========================================
+ Hits         2108     2145      +37     
- Misses        103      107       +4     

Files	Coverage Δ
ols/constants.py	100.00% <100.00%> (ø)
ols/utils/auth_dependency.py	77.55% <88.09%> (+4.65%)	⬆️

... and 4 files with indirect coverage changes

[onmete]

@bparees @xrajesh The user id in the e2e CI is "system:serviceaccount:openshift-lightspeed:test-user". In order to have the feature in the PR covered by e2e test, I need to hit the /authorized endpoint as the "kube:admin". Would you know an easy way how to do it besides updating the the request model of that endpoint to allow post user (which I'm not sure if we want to do)? Another option would be to remove the e2e test.

[xrajesh]

@onmete The tests are using the test-user's token. here . You can make a API call as kubeadmin by getting the kubeadmin's token. I am thinking we are logging in as the kubeadmin. Hence kubeadmin_token=$(oc whoami -t) should give us the kubeadmin token. We will need a function just like def get_user_token(name: str) -> str: to run the oc whoami -t . If you make use of that token and make a OLS api call, it should get you "kube:admin"

[bparees]

the cluster id isn't going to change between user queries, so we should just fetch it once during OLS startup and then use that value every time we get a request from kubeadmin.

this will also help avoid anther issue you're not handling here, which is what happens if getting the cluster id fails? you log the errors in the helper, but ultimately return None to the caller.

if you fetch it during startup you can retry + refuse to start until we successfully get the cluster id.

it also removes the extra/repeated api calls.

[bparees]

we can at least have a legitimate test of the get_cluster_id helper, right? (not really an e2e test since you won't be going through the OLS server, but since we have a cluster stood up, you can test that the get_cluster_id helper gets the right value.

[onmete]

Yes, I was thinking about it too as a backup when we can't do e2e.

[onmete]

/retest

[xrajesh]

@onmete minor change proposed - otherwise - this LGTM.

[xrajesh]

/lgtm

[tisnik]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tisnik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [tisnik]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tisnik]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 03e4fd5 and 2 for PR HEAD a089664 in total

[onmete]

Service hiccup - {'errors': [{'status': 500, 'detail': 'Could not get the SSO public key', 'meta': {'response_by': 'gateway'}}]}

/retest

[onmete]

/retest

[tisnik]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD abde71b and 2 for PR HEAD 573addf in total

[onmete]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD dc5d14f and 1 for PR HEAD 573addf in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 272d13f and 0 for PR HEAD 573addf in total

[onmete]

/retest

[tisnik]

/lgtm

[openshift-ci]

@onmete: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.