Skip to content

VC-35630: User can now omit the server field in config when using the Venafi Connection mode #566

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 3, 2024
Merged

VC-35630: User can now omit the server field in config when using the Venafi Connection mode #566

merged 8 commits into from
Sep 3, 2024

Conversation

maelvls
Copy link
Member

@maelvls maelvls commented Aug 30, 2024
edited
Loading

Source: VC-35630

Problem

EU customers need to change the URL of the VCP API to point to https://api.venafi.eu/. To do that, and imagining that they are using the VenafiConnection authentication, they may try to use the spec.vcp.url field on their VenafiConnection resource and find that this field doesn’t do anything because the Helm chart's config.server is set to https://api.venafi.cloud/ by default.

Another possible scenario is that EU customers may end up with a VenafiConnection configured with the spec.vcp.url field set to https://api.venafi.eu/. This VenafiConnection will have been already working well with venafi-enhanced-issuer and approver-policy-enterprise. Once they try to switch the Agent to the VenafiConnection auth method, they will see that it doesn’t work because the Agent picks up the default value in the Agent’s helm chart, i.e.,

config:
  server: https://api.venafi.cloud/.

Solution

In this PR, I propose to ignore the server field specified in the config file in Venafi Connection mode. By default, the Helm chart sets server to https://api.venafi.cloud, which means the user may get confused as to what this field does.

To avoid confusion, the logs now show the following message when server isn't empty:

Ignoring the server field specified in the config file. In Venafi Connection mode, this field is not needed. Use the VenafiConnection's spec.vcp.url field instead.

This way, the user will know that what they need to do in case they see the server field and think "is that what I need to change?".

I've also clarified in the Helm chart that server is only used for Jetstack Secure OAuth, Jetstack Secure API Token, and Venafi Cloud Keypair authentication.

maelvls added 7 commits August 30, 2024 08:04
@maelvls
disable the config.server field when using --venafi-connection
1487f36 
For context, EU customers need to change the URL of the VCP API to point
to https://api.venafi.eu. To do that, and imagining that they are using
the VenafiConnection authentication, they may try to use the
`spec.vcp.url` field on their VenafiConnection resource and find that
this field doesn’t do anything because the Helm chart's `config.server`
is set to https://api.venafi.cloud by default.

Another possible scenario is that EU customers may end up with a
VenafiConnection configured with the `spec.vcp.url` field set to
`https://api.venafi.eu`. This VenafiConnection will have been already
working well with venafi-enhanced-issuer and approver-policy-enterprise.
Once they try to switch the Agent to the VenafiConnection auth method,
they will see that it doesn’t work because the Agent picks up the
default value in the Agent’s helm chart, i.e.,

```
config:
  server: https://api.venafi.cloud.
```
@maelvls
venconn: bug: the err from NewVenConnClient was shadowed by a local copy
f326423 
I caught this thanks to golangci-lint's ineffassign which showed the
warning "ineffectual assignment to err".
@maelvls
keypair_auth: remove ineffective err != nil
726bb7e 
golangci-lint had been showing this warning for a while... The actual
warning is "impossible condition: nil != nil" from gopls' nilness
linter.
@maelvls
undent: last line's tabs weren't stripped
14ec08e
@maelvls
config: rest.Config's rest package wasn't being imported
57492b6
@maelvls
venconn_tests: forgot to use testutil
fc82e00
@maelvls
venconn: test that venconn's url is used, not server field
8a34fcf
maelvls
maelvls commented Aug 30, 2024
View reviewed changes
pkg/client/client_venconn_test.go
@@ -269,186 +259,3 @@ func run(test testcase) func(t *testing.T) {
assert.Equal(t, test.expectReadyCondMsg, got.Status.Conditions[0].Message)
}
}

func fakeVenafiCloud(t *testing.T) (*httptest.Server, *x509.Certificate) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved this to the testutil.go package.

maelvls
maelvls commented Aug 30, 2024
View reviewed changes
pkg/client/client_venafi_cloud.go
Comment on lines -291 to -293
if err != nil {
return err
}
Copy link
Member Author

@maelvls maelvls Aug 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed this because the linter was complaining. Looks like an error checked left over during a refactoring.

@maelvls maelvls requested a review from wallrj August 30, 2024 07:37
maelvls
maelvls commented Aug 30, 2024
View reviewed changes
pkg/testutil/testutil.go Outdated
Comment on lines 194 to 200
var assertFn AssertRequest
assertFnMu := sync.Mutex{}
setAssert = func(setAssert AssertRequest) {
assertFnMu.Lock()
defer assertFnMu.Unlock()
assertFn = setAssert
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I needed to make sure that the request's host was correct, that's why I wrote this clunky code to set an assertion... I'd like to have a clearer way of doing that, or even better: not have to assert the host on the request...

@maelvls maelvls force-pushed the disable-config-server-field branch from 55b08d8 to d03c705 Compare August 30, 2024 08:06
wallrj
wallrj approved these changes Sep 3, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @maelvls

The changes look good to me and the tests pass on my laptop.

Additionally, I rebased #562 on this branch and re-ran the e2e/test.sh script and observed the new log message and the agent successfully posted the data to the EU API.

$ ./hack/e2e/test.sh
...
+ grep -q 'Data sent successfully'
2024/09/03 08:22:13 Preflight agent version: development ()
2024/09/03 08:22:13 ignoring the server field specified in the config file. In Venafi Connection mode, this field is not needed. Use the VenafiConnection's spec.vcp.url field instead.
2024/09/03 08:22:13 Venafi Connection mode was specified, using Venafi Connection authentication.
2024/09/03 08:22:13 ignoring venafi-cloud.upload_path. In Venafi Connection mode, this field is not needed.
2024/09/03 08:22:13 ignoring venafi-cloud.uploader_id. In Venafi Connection mode, this field is not needed.
2024/09/03 08:22:13 Prometheus was enabled.
Running prometheus server on port :8081
2024/09/03 08:22:58 Posting data to: https://api.venafi.eu/
2024/09/03 08:22:59 Data sent successfully.

@maelvls maelvls merged commit 7eb1575 into master Sep 3, 2024
8 checks passed
@maelvls maelvls deleted the disable-config-server-field branch September 3, 2024 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wallrj wallrj wallrj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@maelvls @wallrj