upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
This commit is contained in:
parent
a08a28d67b
commit
7ece196893
@ -269,11 +269,17 @@ func (c *controller) validateIssuer(ctx context.Context, upstream *v1alpha1.OIDC
|
|||||||
|
|
||||||
discoveredProvider, err = oidc.NewProvider(oidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer)
|
discoveredProvider, err = oidc.NewProvider(oidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
const klogLevelTrace = 6
|
||||||
|
c.log.V(klogLevelTrace).WithValues(
|
||||||
|
"namespace", upstream.Namespace,
|
||||||
|
"name", upstream.Name,
|
||||||
|
"issuer", upstream.Spec.Issuer,
|
||||||
|
).Error(err, "failed to perform OIDC discovery")
|
||||||
return &v1alpha1.Condition{
|
return &v1alpha1.Condition{
|
||||||
Type: typeOIDCDiscoverySucceeded,
|
Type: typeOIDCDiscoverySucceeded,
|
||||||
Status: v1alpha1.ConditionFalse,
|
Status: v1alpha1.ConditionFalse,
|
||||||
Reason: reasonUnreachable,
|
Reason: reasonUnreachable,
|
||||||
Message: fmt.Sprintf("failed to perform OIDC discovery against %q", upstream.Spec.Issuer),
|
Message: fmt.Sprintf("failed to perform OIDC discovery against %q:\n%s", upstream.Spec.Issuer, truncateErr(err)),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -419,3 +425,14 @@ func computeScopes(additionalScopes []string) []string {
|
|||||||
sort.Strings(scopes)
|
sort.Strings(scopes)
|
||||||
return scopes
|
return scopes
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func truncateErr(err error) string {
|
||||||
|
const max = 100
|
||||||
|
msg := err.Error()
|
||||||
|
|
||||||
|
if len(msg) <= max {
|
||||||
|
return msg
|
||||||
|
}
|
||||||
|
|
||||||
|
return msg[:max] + fmt.Sprintf(" [truncated %d chars]", len(msg)-max)
|
||||||
|
}
|
||||||
|
@ -370,7 +370,7 @@ func TestController(t *testing.T) {
|
|||||||
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
|
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||||
Spec: v1alpha1.OIDCIdentityProviderSpec{
|
Spec: v1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: "invalid-url",
|
Issuer: "invalid-url-that-is-really-really-long",
|
||||||
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
|
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
|
||||||
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
|
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
|
||||||
},
|
},
|
||||||
@ -382,9 +382,10 @@ func TestController(t *testing.T) {
|
|||||||
}},
|
}},
|
||||||
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
|
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
|
||||||
wantLogs: []string{
|
wantLogs: []string{
|
||||||
|
`upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \"invalid-url-that-is-really-really-long/.well-known/openid-configuration\": unsupported protocol scheme \"\"" "issuer"="invalid-url-that-is-really-really-long" "name"="test-name" "namespace"="test-namespace"`,
|
||||||
`upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
|
`upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
|
||||||
`upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"invalid-url\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
|
`upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"invalid-url-that-is-really-really-long\":\nGet \"invalid-url-that-is-really-really-long/.well-known/openid-configuration\": unsupported protocol [truncated 9 chars]" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`,
|
||||||
`upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"invalid-url\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
|
`upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"invalid-url-that-is-really-really-long\":\nGet \"invalid-url-that-is-really-really-long/.well-known/openid-configuration\": unsupported protocol [truncated 9 chars]" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`,
|
||||||
},
|
},
|
||||||
wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{},
|
wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{},
|
||||||
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
|
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
|
||||||
@ -404,7 +405,8 @@ func TestController(t *testing.T) {
|
|||||||
Status: "False",
|
Status: "False",
|
||||||
LastTransitionTime: now,
|
LastTransitionTime: now,
|
||||||
Reason: "Unreachable",
|
Reason: "Unreachable",
|
||||||
Message: `failed to perform OIDC discovery against "invalid-url"`,
|
Message: `failed to perform OIDC discovery against "invalid-url-that-is-really-really-long":
|
||||||
|
Get "invalid-url-that-is-really-really-long/.well-known/openid-configuration": unsupported protocol [truncated 9 chars]`,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -34,10 +34,11 @@ func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
|
|||||||
Message: `secret "does-not-exist" not found`,
|
Message: `secret "does-not-exist" not found`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Type: "OIDCDiscoverySucceeded",
|
Type: "OIDCDiscoverySucceeded",
|
||||||
Status: v1alpha1.ConditionFalse,
|
Status: v1alpha1.ConditionFalse,
|
||||||
Reason: "Unreachable",
|
Reason: "Unreachable",
|
||||||
Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer"`,
|
Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer":
|
||||||
|
Get "https://127.0.0.1:444444/issuer/.well-known/openid-configuration": dial tcp: address 444444: in [truncated 10 chars]`,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
Loading…
Reference in New Issue
Block a user