chore: converge on go-jose

[RTann]

github.com/dgrijalva/jwt-go is old and archived in favor of github.com/golang-jwt/jwt

gopkg.in/square/go-jose.v2 is old and archived in favor of github.com/go-jose/go-jose

Honestly wasn't sure which one to pick, so I opted for go-jose because it seemed like it had the nicer interface. The stackrox/stackrox repo also uses both, but mostly go-jose so that helps with this decision, too.

If anyone knows a good way to test this, please let me know

[rhacs-bot]

A single node development cluster (infra-pr-1297) was allocated in production infra for this PR.

CI will attempt to deploy quay.io/rhacs-eng/infra-server:0.10.1-2-g2585dc3d1c to it.

🔌 You can connect to this cluster with:

gcloud container clusters get-credentials infra-pr-1297 --zone us-central1-a --project acs-team-temp-dev

🛠️ And pull infractl from the deployed dev infra-server with:

nohup kubectl -n infra port-forward svc/infra-server-service 8443:8443 &
make pull-infractl-from-dev-server

🚲 You can then use the dev infra instance e.g.:

bin/infractl -k -e localhost:8443 whoami

⚠️ Any clusters that you start using your dev infra instance should have a lifespan shorter then the development cluster instance. Otherwise they will not be destroyed when the dev infra instance ceases to exist when the development cluster is deleted. ⚠️

Further Development

☕ If you make changes, you can commit and push and CI will take care of updating the development cluster.

🚀 If you only modify configuration (chart/infra-server/configuration) or templates (chart/infra-server/{static,templates}), you can get a faster update with:

make install-local

Logs

Logs for the development infra depending on your @redhat.com authuser:

• authuser=0
• authuser=1
• authuser=2

Or:

kubectl -n infra logs -l app=infra-server --tail=1 -f

[tommartensen]

If anyone knows a good way to test this, please let me know

IMO if you can connect to the cluster created in this PR (if it expired, re-run the GH workflows), port-forward and login, see a token on https:/localhost:8443/downloads and your initials in the top-right corner, the auth should work.

[RTann]

I am testing the dev server, and I found it seems ok until I run make pull-infractl-from-dev-server. This command fails every time and, more-or-less, kills the server. It's still up, but it's essentially useless.

$ make pull-infractl-from-dev-server
set -o pipefail; \
	curl --retry 3 --insecure --silent --show-error --fail --location https://localhost:8443/v1/cli/darwin/amd64/upgrade \
          | jq -r ".result.fileChunk" \
          | base64 -d \
          > bin/infractl
/usr/bin/base64: I/O error on input
curl: (23) Failure writing output to destination
make: *** [pull-infractl-from-dev-server] Error 141

Anyone know why this may be?

Otherwise, I can see my auth token (different from my prod one)

[tommartensen]

$ make pull-infractl-from-dev-server
set -o pipefail; \
	curl --retry 3 --insecure --silent --show-error --fail --location https://localhost:8443/v1/cli/darwin/amd64/upgrade \
          | jq -r ".result.fileChunk" \
          | base64 -d \
          > bin/infractl
/usr/bin/base64: I/O error on input
curl: (23) Failure writing output to destination
make: *** [pull-infractl-from-dev-server] Error 141

Anyone know why this may be?

No, but it works for me™. i/o error could be because the curl or jq are failing. If you want to debug this, check if you can see any error from curl or jq.

[RTann]

Since I ran into issues locally but Tom didn't, I'd like to get at least one more reviewer to take a look and try testing this, if possible. Thank!

[RTann]

Also, when I tested it, I noticed the token differed from my prod token, so I think when/if this is merged, we'll have to inform everyone they may need to update their tokens locally

[tommartensen]

Also, when I tested it, I noticed the token differed from my prod token, so I think when/if this is merged, we'll have to inform everyone they may need to update their tokens locally

The token on the /downloads page or infractl token is regenerated every time you open the page or run the command. There is no need to update every token or something.

[gavin-stackrox]

make pull-infractl-from-dev-server

works for me also.