CNTRLPLANE-367: Update Authentication API GoDoc for OIDC-related fields #2314
Conversation
|
Hello @everettraven! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/L
everettraven
changed the title
|
@everettraven: This pull request references CNTRLPLANE-367 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
config/v1/types_authentication.go
Outdated
| // name configures the unique human-readable identifier | ||
| // associated with the identity provider. | ||
| // name is used to distinguish between multiple identity providers. | ||
| // name has no impact on token validation or authentication mechanics. | ||
| // name is required. | ||
| // name must not be an empty string (""). |
There was a problem hiding this comment.
Instead of repeating name ... in the beginning of every sentence, would it make sense to make it a bit more natural, such as:
| // name configures the unique human-readable identifier | |
| // associated with the identity provider. | |
| // name is used to distinguish between multiple identity providers. | |
| // name has no impact on token validation or authentication mechanics. | |
| // name is required. | |
| // name must not be an empty string (""). | |
| // Name configures the unique human-readable identifier | |
| // associated with the identity provider. | |
| // Used to distinguish between multiple identity providers and | |
| // has no impact on token validation or authentication mechanics. | |
| // It is required and must not be an empty string (""). |
Also, we should probably match case in the doc comments.
This also seems to agree with our API conventions. This applies to various places in this diff.
There was a problem hiding this comment.
Yeah, looking back at this I went a little overboard with the repetition there 😅 - updating.
There was a problem hiding this comment.
Also, we should probably match case in the doc comments.
It's API convention to match the serialized name, not the field name in the Go type
There was a problem hiding this comment.
For additional context on the serialized name matching, see: #2314 (comment)
config/v1/types_authentication.go
Outdated
| // issuer configures how the platform interacts | ||
| // with the identity provider and how tokens issued | ||
| // from the identity provider are evaluated by the | ||
| // Kubernetes API Server. |
There was a problem hiding this comment.
This looks like a more suitable comment for the type TokenIssuer instead of the field.
There was a problem hiding this comment.
Comments on top level types do not get included in the generated OpenAPI spec field documentation that is shown to end users for fields of that type. This comment is here so that it appears for the end-user and explains what this field is used for if they run something like oc explain ...
config/v1/types_authentication.go
Outdated
| ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:validation:MinLength=1 | ||
| type TokenAudience string | ||
|
|
||
| type TokenIssuer struct { | ||
| // URL is the serving URL of the token issuer. | ||
| // Must use the https:// scheme. | ||
| // issuerURL configures the URL that is used to issue tokens |
There was a problem hiding this comment.
issuerURL is the serialized name which we prefer to use for GoDoc on the OpenShift APIs because it is what end-users will be familiar with. The serialized field name is what the documentation, generated by the GoDoc, will be attached to when users do something like oc explain ... on the field
config/v1/types_authentication.go
Outdated
| // configuration namespace. The .data of the configMap must contain | ||
| // the "ca-bundle.crt" key. | ||
| // If unset, system trust is used instead. | ||
| // issuerCertificateAuthority configures the certificate authority, |
There was a problem hiding this comment.
See explanation here: #2314 (comment)
config/v1/types_authentication.go
Outdated
| // | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=63 | ||
| // +required | ||
| ComponentNamespace string `json:"componentNamespace"` | ||
|
|
||
| // clientID is the identifier of the OIDC client from the OIDC provider | ||
| // clientID configures the identifier, from the identity provider, that the platform |
There was a problem hiding this comment.
| // clientID configures the identifier, from the identity provider, that the platform | |
| // clientID configures the client identifier, from the identity provider, that the platform |
| @@ -195,74 +195,109 @@ const ( | |||
| ) | |||
|
|
|||
| type OIDCProvider struct { | |||
| // name of the OIDC provider | |||
| // name is a required field that configures the unique human-readable identifier | |||
There was a problem hiding this comment.
Should all of these references to the field name be capitalized throughout? Per the guidelines you linked to in slack, it seems like the examples there are capitalizing.
I poked around the API docs now and it is a little mixed in that some do lowercase, but quite a lot of them capitalized
| // name is a required field that configures the unique human-readable identifier | |
| // Name is a required field that configures the unique human-readable identifier |
I can see why an argument could be made for keeping them lowercase, I think it'd be better to be consistent (especially if that's how the guidelines shows them). And for what it's worth, it looks better when looking at the actual docs if they're capitalized (like here), as opposed to lowercase (like here). And I'm sure it looks better when getting the details via the CLI too.
There was a problem hiding this comment.
I think the convention used to be capitalizing the field names because that is what is in the Kubernetes API Conventions upstream, but we have an explicit deviation from that here: https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#use-json-field-names-in-godoc
I think some of the examples in the conventions doc could use some updating - I can take an action item to do that to reduce confusion.
I'm happy to have a more nuanced discussion on whether or not that is the right approach, but I'd prefer if we moved that discussion to a different avenue than this PR - mostly because a discussion like that is beyond the scope of this PR
config/v1/types_authentication.go
Outdated
| // When not specified, the system trust is used. | ||
| // | ||
| // When specified, it must reference a ConfigMap in the openshift-config | ||
| // namespace containing the PEM encoded CA certificates under the 'ca-bundle.crt' |
There was a problem hiding this comment.
| // namespace containing the PEM encoded CA certificates under the 'ca-bundle.crt' | |
| // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' |
config/v1/types_authentication.go
Outdated
| // by the identity provider. | ||
| // When referencing a claim, if the claim is present in the JWT | ||
| // token, its value must be list of groups separated by a comma (','). | ||
| // For example - '"foo"' and '"foo", "bar", "baz"' are valid claim values. |
There was a problem hiding this comment.
Any chance we could update these to use different values than 'foo' and 'bar'? Per the style guidelines we follow, we try to avoid having them in the docs, and if there are other example values that could get the same thing across, that would be better.
We usually go with things like "example1", "example2", and so on.
There was a problem hiding this comment.
TIL - Will make an update
config/v1/types_authentication.go
Outdated
| // | ||
| // By default, claims other than `email` will be prefixed with the issuer URL to | ||
| // prevent naming clashes with other plugins. | ||
| // When set to Prefix, the value specifed in the prefix field will be |
There was a problem hiding this comment.
Single or double quotes around the literal values. Not sure if one is preferred over the other
| // When set to Prefix, the value specifed in the prefix field will be | |
| // When set to 'Prefix', the value specified in the prefix field will be |
config/v1/types_authentication.go
Outdated
| // | ||
| // By default, no prefixing occurs. | ||
| // When omitted, no prefix is applied to the cluster identity attribute. | ||
| // | ||
| // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains |
There was a problem hiding this comment.
I know this was already here, but it looks like there is an extra quote here. Should it be this?
| // Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains | |
| // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains |
There was a problem hiding this comment.
Ah yeah, I missed that - will update. Thanks!
config/v1/types_authentication.go
Outdated
| // prefixPolicy is an optional field that configures how a prefix should be | ||
| // applied to the value of the JWT claim specified in the 'claim' field. | ||
| // | ||
| // Allowed values are Prefix, NoPrefix, and omitted. |
There was a problem hiding this comment.
Is "omitted" a literal value, or is that supposed to mean that it can be empty? I'd clarify - maybe by putting quotes around the literal allowed values
config/v1/types_authentication.go
Outdated
| // prevent naming clashes with other plugins. | ||
| // When set to Prefix, the value specifed in the prefix field will be | ||
| // prepended to the value of the JWT claim. | ||
| // The prefix field must be set when prefixPolicy is Prefix. |
There was a problem hiding this comment.
| // The prefix field must be set when prefixPolicy is Prefix. | |
| // The prefix field must be set when prefixPolicy is 'Prefix'. |
config/v1/types_authentication.go
Outdated
| // | ||
| // Set to "NoPrefix" to disable prefixing. | ||
| // When set to NoPrefix, no prefix will be prepended to the value |
There was a problem hiding this comment.
| // When set to NoPrefix, no prefix will be prepended to the value | |
| // When set to 'NoPrefix', no prefix will be prepended to the value |
config/v1/types_authentication.go
Outdated
| // (a) "username": the mapped value will be "https://myoidc.tld#userA" | ||
| // (b) "email": the mapped value will be "[email protected]" | ||
| // When omitted, this means no opinion and the platform is left to choose | ||
| // any prefixes that are applied - which may be subject to change over time. |
There was a problem hiding this comment.
| // any prefixes that are applied - which may be subject to change over time. | |
| // any prefixes that are applied - which might be subject to change over time. |
config/v1/types_authentication.go
Outdated
| // | ||
| // Allowed values are RequiredClaim and omitted. | ||
| // | ||
| // When set to RequiredClaim, the Kubernetes API Server |
There was a problem hiding this comment.
I didn't point out every instance, but I'd do a quick check that literal values have some quotes
| // When set to RequiredClaim, the Kubernetes API Server | |
| // When set to 'RequiredClaim', the Kubernetes API Server |
openshift-ci
bot
added
size/XXL
| // | ||
| // +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"} | ||
| // +optional | ||
| // +unionDiscriminator |
There was a problem hiding this comment.
Add +union to the struct
There was a problem hiding this comment.
Should be done in the latest push
everettraven
force-pushed
the
chore/update-auth-oidc-field-godoc
branch
from
13aa77c to
bb2a662
Compare
|
Botched the rebase 🤦 /hold |
openshift-ci
bot
added
the
do-not-merge/hold
Signed-off-by: Bryce Palmer <[email protected]>
everettraven
force-pushed
the
chore/update-auth-oidc-field-godoc
branch
from
bb2a662 to
fc7af95
Compare
|
Rebase issues fixed /hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: everettraven, JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@everettraven: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit 6a97aca
into
openshift:master
|
[ART PR BUILD NOTIFIER] Distgit: ose-cluster-config-api |
I had noticed that the GoDoc for the OIDC-related fields was a bit sparse and needed to be brought up to date with the OpenShift API conventions.
This PR attempts to improve the GoDoc for only the OIDC-related fields as part of the GA criteria for the BYO OIDC feature.