ory / hydra-maester

Kubernetes CRD Controller for Ory Hydra. :warning: Maintained by the community, not an official Ory project!
Apache License 2.0

Reconcile does not discriminate client per namespace #63

Closed fjvierap closed 3 years ago

fjvierap commented 3 years ago

Hi,

We have a situation where we have all non-prod environments in the same cluster but in different namespaces. We have set up a hydra and a hydra-maester instance in every namespace. The idea is that when we add/update a client in hydra-maester in the development namespace, reconciliation should happen only in the hydra of the development namespace.

But we found that the OAuth2Client event seems to be picked up in other namespaces, not only in the one where it was created, and we don't know if it is possible to configure the hydra controller manager to only process OAuth2Client objects for some namespace.

In our client definition we configure the namespace:

apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: oidc-client5
  namespace: demo

For now we have worked around the issue by using the long domain name in the client definition instead of the short one.

hydraAdmin:
    url: https://hydra-admin.demo.svc.cluster.local
    port: 4445
    endpoint: /clients
    forwardedProto: https

With that we get an error when the controller tries to reconcile a client from a different namespace.

ERROR   controller-runtime.controller   Reconciler error        {"controller": "oauth2client", "request": "sandbox-authentication-management/oidc-client6", "error": "Get \"https://hydra-admin.sandbox-authentication-management.svc.cluster.local:4445/clients/oidc-client6\": x509: certificate signed by unknown authority"}

We would like to know if it is possible to configure the controller in some way to only accept OAuth2Client objects from a certain namespace.

Thanks in advance.

Demonsthere commented 3 years ago

Hello there, this is a bigger issue, as the k8s CRD concept expects controllers to react on all namespaces. We may need to do some internal hacking in the controller and expose a config parameter observedNamespace and implement logic that if set, other namespaces are ignored. This may allow a setup of multiple controllers, each watching on all namespaces (k8s design), but ignoring all namespaces but one.
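
The observedNamespace behaviour proposed above, as an added Go example that is not hydra-maester's own code: the filter admits objects only from the configured namespace, the same guard is applied again inside Reconcile, and an empty setting keeps today's watch-everything behaviour. The `Object`, `AdminClient` and `recordingAdmin` types are stand-ins constructed for the example, not controller-runtime or hydra-maester APIs.

```go
package main

import "fmt"

// Request mirrors the namespace/name pair controller-runtime passes to Reconcile.
type Request struct{ Namespace, Name string }

// Object is the only method of a Kubernetes object the filter needs (stand-in interface).
type Object interface{ GetNamespace() string }

// AdminClient is the one call the reconciler makes against Hydra's admin API (stand-in).
type AdminClient interface{ PutClient(ns, name string) error }

// Reconciler carries the proposed observedNamespace setting; "" means every namespace.
type Reconciler struct {
	ObservedNamespace string
	Admin             AdminClient
}

// Observes is the event-filter rule: only objects from the observed namespace are enqueued.
func (r *Reconciler) Observes(obj Object) bool {
	return r.ObservedNamespace == "" || obj.GetNamespace() == r.ObservedNamespace
}

// Reconcile re-checks the request itself (requeued items bypass the event filter)
// and reports whether the client was forwarded to Hydra.
func (r *Reconciler) Reconcile(req Request) (bool, error) {
	if !r.Observes(nsOnly(req.Namespace)) {
		return false, nil // another tenant's OAuth2Client: leave it to that namespace's controller
	}
	return true, r.Admin.PutClient(req.Namespace, req.Name)
}

type nsOnly string

func (n nsOnly) GetNamespace() string { return string(n) }

// recordingAdmin is a constructed stand-in for the Hydra admin endpoint; it records writes.
type recordingAdmin struct{ Seen []string }

func (a *recordingAdmin) PutClient(ns, name string) error {
	a.Seen = append(a.Seen, ns+"/"+name)
	return nil
}

func main() {
	admin := &recordingAdmin{}
	r := &Reconciler{ObservedNamespace: "demo", Admin: admin}
	for _, req := range []Request{{"demo", "oidc-client5"}, {"sandbox-authentication-management", "oidc-client6"}} {
		forwarded, _ := r.Reconcile(req)
		fmt.Printf("%s/%s forwarded=%v\n", req.Namespace, req.Name, forwarded)
	}
	fmt.Println("hydra-demo received:", admin.Seen) // prints "hydra-demo received: [demo/oidc-client5]"
}
```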

aeneasr commented 3 years ago

Thank you @Demonsthere ! Have you seen the proposed changes for https://github.com/ory/hydra-maester/pull/64/files ?

Demonsthere commented 3 years ago

@aeneasr @fjvierap I have taken some time to tinker around the problem, and the result is in #65. This allows a scenario:

Namespace: Dev1
Hydra: hydra-dev1
Hydra-maester: hydra-maester-dev1

Namespace: Dev2
Hydra: hydra-dev2
Hydra-maester: hydra-maester-dev2

Create 2 clients: dev1 in dev1 and dev2 in dev2

Client dev1 is picked up by hydra-maester-dev1 and exists only in hydra-dev1.
Client dev2 is picked up by hydra-maester-dev2 and exists only in hydra-dev2.

fjvierap commented 3 years ago

@Demonsthere great thanks

piotrmsc commented 3 years ago

@Demonsthere @fjvierap so is #64 still relevant, or should I take a look at #65 directly? I would like to start making a review :)

fjvierap commented 3 years ago

I think #65 will solve this problem