Conversation

@hoxhaeris
Contributor

@openshift-ci openshift-ci bot requested review from bradmwilliams and jupierce July 31, 2025 14:46
@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 31, 2025
@bradmwilliams
Contributor

/retest-required

@hoxhaeris
Contributor Author

/retest

@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch 2 times, most recently from 7515bb3 to 0847735 Compare August 13, 2025 20:14
@bradmwilliams
Contributor

/label tide/merge-method-squash

@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Aug 28, 2025
@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch from 98956a7 to 01f559a Compare August 29, 2025 09:52
@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch 2 times, most recently from 048be25 to 5ac51f6 Compare September 30, 2025 08:30
@hoxhaeris hoxhaeris changed the title [WIP] Cluster bot org auth Cluster bot org auth Sep 30, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 30, 2025
@hoxhaeris
Contributor Author

/hold
We need to set up the cron job generating the org dump first.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 30, 2025
@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch from 5ac51f6 to 516fd35 Compare September 30, 2025 10:03
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2025
Makefile Outdated
Comment on lines 12 to 13
# Use standard GO_BUILD_FLAGS for build tags (e.g., -tags gcs)
GO_BUILD_FLAGS ?=
Contributor

After our standup, I took a look at this again and I think that you should probably just change this line to:
GO_BUILD_FLAGS=-tags gcs -trimpath

The current issue is that GO_BUILD_FLAGS is imported directly from build-machinery and using ?= doesn't work unless passed in on the command line. That's silly when we can force the issue ourselves and then we won't have to make any changes to openshift/release.

Contributor

Each of us will have to update our IDE specific builds to add the tags accordingly, but for production we always produce the GCS version.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2025
@openshift-ci
Contributor

openshift-ci bot commented Oct 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hoxhaeris

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch from 516fd35 to 41c9a9f Compare November 21, 2025 08:52
@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch from 41c9a9f to 11c3508 Compare November 21, 2025 09:30
…ands

Extend authorization coverage to all commands that create or delete
resources. Previously only launch, rosa create, workflow-launch, and
mce create were protected.

Commands now protected with authorization:
- done: Deletes user's cluster resources
- test upgrade: Creates test job resources
- test: Creates test job resources
- build: Creates build job resources
- workflow-test: Creates test job resources
- workflow-upgrade: Creates upgrade job resources
- catalog build: Creates catalog build job resources
- mce delete: Deletes MCE cluster resources

Read-only commands remain unprotected:
- list, auth, lookup, version, whoami (query only)
- rosa lookup, rosa describe (query only)
- mce auth, mce list, mce lookup (query only)
- refresh (retries credentials fetch for existing cluster)
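As an added illustration, not code from ci-chat-bot, the following Go gate follows the protected/read-only split listed in the commit message above and lets you compare the fail-open "permit all" fallback with a fail-closed one; OrgData, Gate and the member map are hypothetical stand-ins for the bot's org dump and authorization service.

```go
package main

import (
	"errors"
	"fmt"
)

// Commands the commit message lists as creating or deleting resources; read-only
// commands (list, auth, lookup, version, whoami, ...) are absent on purpose.
var mutating = map[string]bool{
	"launch": true, "rosa create": true, "workflow-launch": true, "mce create": true,
	"done": true, "test upgrade": true, "test": true, "build": true,
	"workflow-test": true, "workflow-upgrade": true, "catalog build": true, "mce delete": true,
}

// OrgData is a hypothetical stand-in for the org dump the bot loads from GCS.
type OrgData struct{ Members map[string]bool }

// Gate authorizes a normalized command name for a user. FailOpen reproduces the
// "permit all mode" the reviewed snippet falls back to when org data is missing.
type Gate struct {
	Org      *OrgData
	FailOpen bool
}

var ErrUnauthorized = errors.New("unauthorized")
var ErrNoOrgData = errors.New("org data unavailable, denying mutating command")

func (g Gate) Authorize(user, cmd string) error {
	if !mutating[cmd] {
		return nil // read-only commands are never gated
	}
	if g.Org == nil {
		if g.FailOpen {
			return nil // matches the reviewed behaviour: every mutating command passes
		}
		return ErrNoOrgData // fail closed until the org dump has loaded
	}
	if !g.Org.Members[user] {
		return fmt.Errorf("%w: %s may not run %q", ErrUnauthorized, user, cmd)
	}
	return nil
}

func main() {
	g := Gate{Org: &OrgData{Members: map[string]bool{"alice": true}}}
	fmt.Println(g.Authorize("alice", "launch"), g.Authorize("mallory", "mce delete"))
	fmt.Println(Gate{}.Authorize("alice", "done"), Gate{FailOpen: true}.Authorize("alice", "done"))
}
```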
@hoxhaeris hoxhaeris force-pushed the cluster_bot_org_auth_poc branch from a723403 to 1e33ee3 Compare November 21, 2025 11:47
@openshift-ci
Contributor

openshift-ci bot commented Nov 21, 2025

@hoxhaeris: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name            Commit   Details  Required  Rerun command
ci/prow/security     f8a2142  link     false     /test security
ci/prow/govulncheck  f8a2142  link     false     /test govulncheck

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Comment on lines +100 to +102
gcsBucket string
gcsObjectPath string
gcsProjectID string
Contributor

I would add default values for these, since we know that they won't be changing. That way it keeps the command line from getting any more unwieldy.

gcsObjectPath string
gcsProjectID string
gcsCredentialsJSON string
gcsCheckInterval time.Duration
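Review bot: if gcsCredentialsJSON is populated from a command-line flag, as the surrounding fields and the "command line" remark above suggest, the service-account JSON is exposed to anyone who can read the process's arguments (ps, /proc); take a path to a credentials file, or read the value from the environment or a mounted secret, rather than the raw JSON. Also, gcsCheckInterval has no default here, so a zero time.Duration is easy to pass by accident; set a non-zero default and reject zero when the option is parsed.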
Contributor

Default value

Contributor

This comment was specifically for the gcsCheckInterval variable

Comment on lines +416 to +438
if err := orgdata.SetupGCSDataSource(ctx, gcsConfig, orgDataService); err != nil {
klog.Warningf("GCS setup failed: %v. Running without authorization data (permit all mode)", err)
orgDataService = nil // Clear the service since we couldn't load any data
}

// Initialize authorization service if config is provided
if opt.authorizationConfigPath != "" {
klog.Infof("Initializing authorization service with config: %s", opt.authorizationConfigPath)
authService = orgdata.NewAuthorizationService(orgDataService, opt.authorizationConfigPath)
if err := authService.LoadConfig(ctx); err != nil {
klog.Warningf("Failed to load authorization config: %v", err)
// Keep the authService even if config fails to load - it will allow all commands
} else {
klog.Infof("Authorization service successfully initialized with config: %s", opt.authorizationConfigPath)
}

// Start config watcher regardless of initial load success - it will detect file creation
go func() {
if err := authService.StartConfigWatcher(ctx); err != nil {
klog.Infof("Authorization config watcher stopped: %v", err)
}
}()
} else {
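Review bot: both failure paths in this block fail open. When SetupGCSDataSource returns an error, orgDataService is set to nil and the log line says "permit all mode"; when LoadConfig fails, the comment says the retained authService "will allow all commands". Since this service gates the commands that create and delete resources, consider denying those commands until both the org data and the config have loaded, and at least log the permit-all state at Error rather than Warning so it is noticed; when orgDataService is nil there is also little point constructing the authService and starting its watcher.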
Contributor

If there is no orgDataService, why bother setting up the authService at all?

@@ -0,0 +1,103 @@
# Authorization configuration for ci-chat-bot
Contributor

I would make sure that this is referenced as an "Example" or "Sample" file and not the real configuration (to avoid any confusion)
