-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Generalize configuration of kaniko pod #1906
[Proposal] Generalize configuration of kaniko pod #1906
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1906 +/- ##
==========================================
+ Coverage 49.46% 52.07% +2.61%
==========================================
Files 174 179 +5
Lines 8036 7923 -113
==========================================
+ Hits 3975 4126 +151
+ Misses 3683 3415 -268
- Partials 378 382 +4
Continue to review full report at Codecov.
|
hey @venkatk-25 - can you add me as design shepherd? I'll start to have a look tomorrow and give feedback! |
@balopat updated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you so much for putting this together, it looks great at first look.
- I would still think about generating/helping the user with the env var somehow for GCR.
- Integration testing for ECR - yeah we don't have the infrastructure for that just yet.
- secretName: e2esecret | ||
mountPath: "/secret" | ||
env: | ||
"GOOGLE_APPLICATION_CREDENTIALS" : "/secret/kaniko-secret" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this still feels like we could generate it - just because the user can make an error easily here - for example this example itself has inconsistency, the env should be: "GOOGLE_APPLICATION_CREDENTIALS" : "/secret/e2esecret"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't sure of this when I wrote it. From code this looked like a constant regardless of secret name. I guess the secret is expected to contain file kaniko-secret
skaffold/pkg/skaffold/build/kaniko/sources/sources.go
Lines 69 to 70 in 533378c
Name: "GOOGLE_APPLICATION_CREDENTIALS", | |
Value: "/secret/kaniko-secret", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I would still think about generating/helping the user with the env var somehow for GCR.
Regardless of above comment, I agree this is an additional and error prone step for GCR or maybe other secrets. I can think of following way to solve this:
- Have one more optional field called type for secret which can be an enum of special secrets, so we can do some extra work on them when specified.
Co-Authored-By: venkatk-25 <33486836+venkatk-25@users.noreply.github.com>
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I'm thinking about it, in general I think there is merit in having a little DSL on top of the kaniko configuration in the skaffold config that take in the least possible information and generates the rest.
However, with custom artifact builders introduced - scripts might require a different path. So I think this is good, but I would keep the "helper" configs and recommend them explicitly for a better developer experience. E.g.:
build:
cluster:
secrets:
- dockerConfig: docker-config
- ecrCreds: aws-secret
- gcrCreds: gcr-secret
- secretName: my-special-builder-secret
mountPath: "/app/mysecret"
- secretName: my-special-builder-secret2
mountPath: "/app/mysecret2"
env:
"MY_SPECIAL_BUILDER_VAR" : "1234"
What do you think?
Friendly ping @venkatk-25 |
@venkatk-25 can you also add a reminder to update the docs at |
Co-Authored-By: Balint Pato <balopat@users.noreply.github.com>
@balopat sorry was travelling and couldn't respond earlier. I suggest the following changes instead to be more consistent by introducing type field to the secret. type SecretConfig struct {
LocalPath string `yaml:"localPath"`
SecretName string `yaml:"secretName,omitempty"`
MountPath string `yaml:"mountPath,omitempty"`
Type: string `yaml:"type,omitempty"`
} and yaml will look like. build:
cluster:
secrets:
- secretName: e2esecret
type: "GCR"
- secretName: e2esecret
mountPath: "/secret"
env:
"GOOGLE_APPLICATION_CREDENTIALS" : "/secret/e2esecret" |
@corneliusweig I did not understand this. Is this related to this design or you are asking me to work on docs for existing features |
@venkatk-25 Sorry for being so unclear about this. What I mean is to add a reminder in the implementation plan that the docs at this location need to be updated. Doc updates are so easily forgotten... |
No worries, I've been super busy too :)
build:
cluster:
secrets:
- docker-config: // this should be equivalent to the one below
localPath: "~/docker.json"
- name: "docker-cfg"
mountPath: "/kaniko/.docker"
localPath: "~/docker.json" |
@venkatk-25 friendly ping |
Hi @venkatk-25, I'm going to close this now as it is a bit stalled. Please resubmit if you want to keep working on it! Thank you very much! |
No description provided.