Implement a way to time out tokens based on (in)activity#17161
simo5 wants to merge 350 commits into openshift:master from
Having two different types internally and externally was not useful, and made it harder to keep the types in sync and reason about their conversions.
A test deployment is a deployment that is scaled to zero when it is not running. Once the deployment reaches a terminal state its RC is scaled to zero, and any pods are deleted. This allows the deployment to be a test or validation environment - triggering each time a new image is created, and ensuring that everything goes smoothly. Hooks can be added to test function, or can pause for arbitrary periods of time in order to give the user time to test the function. The scale number on the deployment config is considered primary - during reconciliation of test deployment configs any changes to individual RCs are ignored.
The 90% case for hooks is running a migration - if that requires the service to be down, that won't work for either pre or post deployments. Add a "mid" deployment hook that runs on recreate strategy while all containers are stopped.
The recreate strategy did not previously use readiness checks. This commit adds support for them in order to make the new mid check pass (failing-dc-mid.yaml relies on recreate readiness failing in order to fail the deployment).
When a router sees a route, it should make a decision about the name it wishes to assign to that route (based on its override-hostname or own settings) and then write the decision back to the route status with an effective host value (so clients can see what the actual route value is). If multiple routers attempt to make conflicting writes, have them remember the conflict so as to avoid battles as they race to the new value. Errors due to route uniqueness are also written back to the status. Each route has an array of RouteIngress structs, which contain an array of conditions, the routerName (passed via --name to the router), and the effective host. Add printers and describers, make ingress empty be a special case.
Also return the latest spec/conditions/generations for the tag. Add validation to the appropriate code.
The lifecycle hook in the deploy api can be used to tag the image used in a deployment to another image stream tag. Requires that the image stream already exist. May not be specified at the same time as execNewPod.
This is meant to be used for running project unit tests as part of a build. Changes:
- Add utility to run containers and stream logs
- Add build spec API field for post commit actions
Includes a common-case API for running a shell script and a kapi.Container-like API for more sophisticated use cases. A good deal of this was done pair programming with @PI-Victor.
We need either `/bin/bash -c` or `/bin/sh -ic` to make our supported SCL-powered images work properly. That's due to a hack to auto-enable SCLs: https://github.com/openshift/sti-base/blob/8d95148/Dockerfile#L23-L29 In CentOS and RHEL images, `/bin/sh` is a symlink to `/bin/bash`. In that case, the ENV environment variable is only evaluated when the shell is started in interactive mode, which happens when there's an attached tty (not the case for post build hook) or when the `-i` argument is passed explicitly. Making the shell interactive with `-i` is ugly, but is the only solution we know so far without requiring Bash.
Formatting changed to read better in generated docs.
Add generation numbers to deploymentconfigs. Helpful for decoupling latestVersion from oc
Add a separate call for updating the status of a deploymentconfig. Use it where it makes sense (controllers should be responsible for updating the status). Also make spec updates tolerate status detail updates in case the updates originate from the image change controller.
Update api for changes needed to make it work
…e optional, other fields too
… because users is nil
Api changes
add a secret ref for webhook secrets
update documentation on SCCs
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: simo5
Assign the PR to them by writing
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
Adds Timeout interval configuration for Oauth clients.
@simo5: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Ok so GitHub decided to tombstone this PR after an accidental push of mine, so will have to open a new PR.
Automatic merge from submit-queue. Implement a way to time out tokens based on (in)activity. When OAuthClient is configured with accessTokenTimeoutSeconds then tokens obtained with the specific client get a TimeoutsIn field that marks when the token is to be considered timed out. The timeout is in seconds since token CreationTimestamp. As the token is used it is pushed into a bucket which is regularly flushed (for now). This replaces #17161 which GitHub inexplicably and unilaterally decided to close after a wrong push (can't be reopened).
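The mechanism the description sketches (a TimeoutsIn deadline counted in seconds after CreationTimestamp, extended in batches as tokens are seen in use) as an added Go illustration; this is not the PR's code, and the type, field and function names are assumed for the example.

```go
package main

import "time"

// Assumed shape for illustration (not the project's real API type): a token carries
// its creation time and an inactivity deadline expressed in seconds after it.
type OAuthAccessToken struct {
	CreationTimestamp time.Time
	TimeoutsIn        int32 // seconds after CreationTimestamp; 0 = no inactivity timeout
}

// TimedOut reports whether the inactivity deadline has passed at "now".
func TimedOut(tok *OAuthAccessToken, now time.Time) bool {
	deadline := tok.CreationTimestamp.Add(time.Duration(tok.TimeoutsIn) * time.Second)
	return tok.TimeoutsIn != 0 && !now.Before(deadline)
}

// TimeoutBucket gathers "token was used" events cheaply on the request path;
// a periodic Flush turns them into TimeoutsIn updates. Not goroutine-safe here.
type TimeoutBucket struct {
	pending map[string]time.Time // token name -> latest use seen
}

func NewTimeoutBucket() *TimeoutBucket { return &TimeoutBucket{pending: map[string]time.Time{}} }

// Touch records that the named token was used at "now", keeping the latest use.
func (b *TimeoutBucket) Touch(name string, now time.Time) {
	if b.pending[name].Before(now) {
		b.pending[name] = now
	}
}

// Flush moves each touched token's deadline to clientTimeoutSeconds after its latest
// use. Deadlines are only extended, never shortened; the caller would persist the
// returned names. The bucket is emptied afterwards.
func (b *TimeoutBucket) Flush(tokens map[string]*OAuthAccessToken, clientTimeoutSeconds int32) []string {
	var updated []string
	for name, lastUse := range b.pending {
		tok, ok := tokens[name]
		if !ok {
			continue
		}
		newTimeout := int32(lastUse.Sub(tok.CreationTimestamp)/time.Second) + clientTimeoutSeconds
		if newTimeout > tok.TimeoutsIn {
			tok.TimeoutsIn = newTimeout
			updated = append(updated, name)
		}
	}
	b.pending = map[string]time.Time{}
	return updated
}
```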