Add events to SA as OAuth client flow

[enj]

Add warning events for service account OAuth configuration errors to aid in troubleshooting. Display these events when describing service accounts.

Name:           proxy                                                 
Namespace:      myproject                                                      
Labels:         <none>                                                         
Annotations:    serviceaccounts.openshift.io/oauth-bogus-annotation.primary={"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"
proxy"}}                                                                                                                                                      
                                                                               
Image pull secrets:     proxy-dockercfg-5wzxb                  
                                                                                                                                                              
Mountable secrets:      proxy-token-p8fd7                                                                   
                        proxy-dockercfg-5wzxb                                                                    
                                                                                                                              
Tokens:                 proxy-token-frfsj                                                                                
                        proxy-token-p8fd7                                                              
                                                                                                          
Events:                                                                                                   
  FirstSeen     LastSeen        Count   From                                    SubObjectPath   Type            Reason                  Message               
  ---------     --------        -----   ----                                    -------------   --------        ------                  -------
  10s           10s             1       service-account-oauth-client-getter                     Warning         NoSAOAuthRedirectURIs   system:serviceaccount:
myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.
openshift.io/oauth-redirectreference.<some-value>=<reference>             

https://trello.com/c/oRkv75dy/15-5-add-api-events-for-using-sa-as-oauth-clients

[openshift-bot]

Evaluated for origin test up to c8c6237

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/560/) (Base Commit: f0670df)

[smarterclayton]

Is this using events as validation?

[smarterclayton]

You're sending one event per oauth login to the master? That's... probably going to eat into our write budget.

[enj]

@smarterclayton

Is this using events as validation?

Sort of? We cannot do validation on SA annotations. This lets the user know if something looks off.

You're sending one event per oauth login to the master? That's... probably going to eat into our write budget.

Based on some offline discussions with Jordan, I plan to change this to send a single warning event when something looks incorrect. That event would contain a sorted list of problems noticed. Thus if the user goes through the same error flow multiple times, the same event should just have its counter incremented. No events will be generated when everything is working as expected.

[openshift-bot]

Origin Action Required: Pull request cannot be automatically merged, please rebase your branch from latest HEAD and push again

[deads2k]

/assign liggitt

Thus if the user goes through the same error flow multiple times, the same event should just have its counter incremented. No events will be generated when everything is working as expected.

incrementing a counter is still an etcd write.

[smarterclayton]

We need some mechanism for sure. But it has to be no more than O(0) writes measured over 5s-1m. On Jul 31, 2017, at 9:00 AM, David Eads <notifications@github.com> wrote: /assign liggitt Thus if the user goes through the same error flow multiple times, the same event should just have its counter incremented. No events will be generated when everything is working as expected. incrementing a counter is still an etcd write. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#13621 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_px3GUYLyKmkPvL64jKpx_Dftm3O7ks5sTc_RgaJpZM4MzFl0> .

[spadgett]

@benjaminapetersen Might be best to stop trying to humanize these and display the reason as-is

[enj]

@liggitt what do you expect to happen when non-fatal errors are encountered in a GetClient flow? I am mostly envisioning a scenario where a user has annotation for redirect uris X and Y, but only Y is "broken." Thus GetClient will succeed and the user could encounter an OAuth error if Y is used. I feel like we have forcibly limited the events from spamming enough that it should be OK to always create an event for any errors encountered (and rely on the event rate limiting to prevent us from ever doing more than one event per minute).

[mrogers950]

flake #16144

[mrogers950]

/retest

[mrogers950]

I've rebased and excluded the event limit configuration patch (in lieu of further developments upstream) - should be all set here. @enj @smarterclayton PTAL

[enj]

I would expect coreClient.Events("") or if that does not work then:

coreV1Client, err := corev1.NewForConfig(c.CoreAPIServerClientConfig) + coreV1Client.Events("")

[enj]

Same comments.

[enj]

You may not need this if you can reuse coreClient

[enj]

See https://github.com/openshift/origin/pull/13621/files#r141110811

[enj]

Call the sub methods on this to get the specific interfaces you need.

[mrogers950]

This did not seem possible with coreClient, are you suggesting a change in NewServiceAccountOAuthClientGetter() argument types as well?

[enj]

Lets make sure we really need this per above comments.

[enj]

Use Event since you do not need the format.

[enj]

I think you want a select statement with a default to prevent this from ever dead locking.

[enj]

Don't ignore the errors.

[enj]

Don't ignore the errors.

[enj]

Don't ignore the errors.

[enj]

fix

[enj]

Add an events client directly in this config and build it in NewOAuthServerConfig

[mrogers950]

/lgtm

[enj]

/approve

I am happy with this (it's not my PR anymore).

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: enj, mrogers950
We suggest the following additional approver: deads2k

Assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• pkg/oauth/OWNERS [enj]
• pkg/serviceaccounts/OWNERS [enj]
• vendor/k8s.io/kubernetes/pkg/printers/OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[enj]

/retest

[enj]

xref #16568

Still need issue for the core client events problem.

[openshift-merge-robot]

Automatic merge from submit-queue