konflux-ui: dynamic dex SA token for production (ring-1)#13042
konflux-ui: dynamic dex SA token for production (ring-1)#13042mshaposhnik wants to merge 1 commit into
Conversation
…1, stone-prod-p02, kflux-prd-rh02, kflux-prd-rh03) Promote the projected SA token approach (validated in staging via redhat-appstudio#12694 and redhat-appstudio#13008) to production ring 1. Introduces production/base/dex-dynamic/ with the new dex image and run-dex.sh; ring 1 clusters reference it while ring 2/3 clusters continue using the existing production/base/dex/ unchanged. Changes: - Add production/base/dex-dynamic/ with quay.io/konflux-ci/dex:5b89b24e image, run-dex.sh entrypoint, projected SA token (600s TTL) - Remove dex from production/base/kustomization.yaml; ring 2/3 clusters explicitly reference ../base/dex (no-op for them) - Ring 1 clusters: reference ../base/dex-dynamic, update dex connector clientID to $OPENSHIFT_OAUTH_CLIENT_ID, redirect set-redirect-uri patch to dex SA, remove obsolete dex-client SA and static token Secret - Update hack/new-cluster/templates to use $OPENSHIFT_OAUTH_CLIENT_ID and target dex SA for oauth-redirecturi Authored-by: Claude Sonnet 4.6 (Cursor) Co-authored-by: Cursor <cursoragent@cursor.com>
|
Skipping CI for Draft Pull Request. |
Kustomize Render DiffComparing
Total: 4 components, +221 -105 lines 📋 Full diff available in the workflow summary and as a downloadable artifact. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #13042 +/- ##
=======================================
Coverage 57.11% 57.11%
=======================================
Files 23 23
Lines 1455 1455
=======================================
Hits 831 831
Misses 548 548
Partials 76 76
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
PR Summary by Qodokonflux-ui: use projected SA token for Dex OAuth in production ring-1
AI Description
Diagram
High-Level Assessment
Files changed (27)
|
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: filariow, mshaposhnik The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What
Clusters affected: stone-prod-p01, stone-prod-p02, kflux-prd-rh02, kflux-prd-rh03
Why
Replace static long-lived `dex-client` SA token with an auto-rotating projected SA token (600s TTL). Eliminates manual secret rotation; token refresh and dex restart are handled automatically by `run-dex.sh`.
Validation
Risk Assessment
Risk Level: Low
What could go wrong: If the projected SA token is not accepted as a valid OpenShift OAuth client secret for the `dex` SA, dex will fail to authenticate with OpenShift and users won't be able to log in. Mitigated by staging validation across two clusters.
Rollback: Revert PR. dex will restart with the old static token within one ArgoCD sync cycle.
Blast radius: 4 production clusters (ring 1). Ring 2/3 clusters unaffected.
Made with Cursor