CNTRLPLANE-367: Update Authentication API GoDoc for OIDC-related fields #2314
Conversation
Signed-off-by: Bryce Palmer <[email protected]>
|
Hello @everettraven! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: everettraven The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
everettraven
changed the title
|
@everettraven: This pull request references CNTRLPLANE-367 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
config/v1/types_authentication.go
Outdated
| ClaimMappings TokenClaimMappings `json:"claimMappings"` | ||
|
|
||
| // claimValidationRules are rules that are applied to validate token claims to authenticate users. | ||
| // claimValidationRules configures the rules to be used the Kubernetes API Server |
There was a problem hiding this comment.
| // claimValidationRules configures the rules to be used the Kubernetes API Server | |
| // claimValidationRules configures the rules to be used by the Kubernetes API Server |
config/v1/types_authentication.go
Outdated
| // type sets the type of the validation rule | ||
| // | ||
| // type configures the type of the validation rule. | ||
| // type is optional. |
There was a problem hiding this comment.
| // type sets the type of the validation rule | |
| // | |
| // type configures the type of the validation rule. | |
| // type is optional. | |
| // type configures the type of the validation rule. | |
| // type is optional. |
config/v1/types_authentication.go
Outdated
| // name configures the unique human-readable identifier | ||
| // associated with the identity provider. | ||
| // name is used to distinguish between multiple identity providers. | ||
| // name has no impact on token validation or authentication mechanics. | ||
| // name is required. | ||
| // name must not be an empty string (""). |
There was a problem hiding this comment.
Instead of repeating name ... in the beginning of every sentence, would it make sense to make it a bit more natural, such as:
| // name configures the unique human-readable identifier | |
| // associated with the identity provider. | |
| // name is used to distinguish between multiple identity providers. | |
| // name has no impact on token validation or authentication mechanics. | |
| // name is required. | |
| // name must not be an empty string (""). | |
| // Name configures the unique human-readable identifier | |
| // associated with the identity provider. | |
| // Used to distinguish between multiple identity providers and | |
| // has no impact on token validation or authentication mechanics. | |
| // It is required and must not be an empty string (""). |
Also, we should probably match case in the doc comments.
This also seems to agree with our API conventions. This applies to various places in this diff.
There was a problem hiding this comment.
Yeah, looking back at this I went a little overboard with the repetition there 😅 - updating.
There was a problem hiding this comment.
Also, we should probably match case in the doc comments.
It's API convention to match the serialized name, not the field name in the Go type
There was a problem hiding this comment.
For additional context on the serialized name matching, see: #2314 (comment)
config/v1/types_authentication.go
Outdated
| // issuer configures how the platform interacts | ||
| // with the identity provider and how tokens issued | ||
| // from the identity provider are evaluated by the | ||
| // Kubernetes API Server. |
There was a problem hiding this comment.
This looks like a more suitable comment for the type TokenIssuer instead of the field.
There was a problem hiding this comment.
Comments on top level types do not get included in the generated OpenAPI spec field documentation that is shown to end users for fields of that type. This comment is here so that it appears for the end-user and explains what this field is used for if they run something like oc explain ...
config/v1/types_authentication.go
Outdated
| ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` | ||
| } | ||
|
|
||
| // +kubebuilder:validation:MinLength=1 | ||
| type TokenAudience string | ||
|
|
||
| type TokenIssuer struct { | ||
| // URL is the serving URL of the token issuer. | ||
| // Must use the https:// scheme. | ||
| // issuerURL configures the URL that is used to issue tokens |
There was a problem hiding this comment.
issuerURL is the serialized name which we prefer to use for GoDoc on the OpenShift APIs because it is what end-users will be familiar with. The serialized field name is what the documentation, generated by the GoDoc, will be attached to when users do something like oc explain ... on the field
config/v1/types_authentication.go
Outdated
| // configuration namespace. The .data of the configMap must contain | ||
| // the "ca-bundle.crt" key. | ||
| // If unset, system trust is used instead. | ||
| // issuerCertificateAuthority configures the certificate authority, |
There was a problem hiding this comment.
See explanation here: #2314 (comment)
config/v1/types_authentication.go
Outdated
| // | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=63 | ||
| // +required | ||
| ComponentNamespace string `json:"componentNamespace"` | ||
|
|
||
| // clientID is the identifier of the OIDC client from the OIDC provider | ||
| // clientID configures the identifier, from the identity provider, that the platform |
There was a problem hiding this comment.
| // clientID configures the identifier, from the identity provider, that the platform | |
| // clientID configures the client identifier, from the identity provider, that the platform |
Signed-off-by: Bryce Palmer <[email protected]>
|
@everettraven: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
I had noticed that the GoDoc for the OIDC-related fields was a bit sparse and needed to be brought up to date with the OpenShift API conventions.
This PR attempts to improve the GoDoc for only the OIDC-related fields as part of the GA criteria for the BYO OIDC feature.