-
Notifications
You must be signed in to change notification settings - Fork 470
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dbless secret support #695
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To avoid needing to keep the two settings aligned, can you remove the kind
field and make the mount use the ConfigMap if it's set, the Secret if it's set, or fail the config if both are set?
i guess the current schema is confusing. the intent is to preserve backwards compatibility by having all fields behave the same as before. as written now, cleanest way forward i see is to break backwards compatibility by replacing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I forgot about dblessConfig.config
, I thought it was only available through a user-created ConfigMap.
I think some breakage is fine here since it'd only affect values.yaml configurations that shouldn't really exist. Right now you can define both configMap
and config
, and the chart will ultimately use the configMap
version because that's how the if
clause is written in the Deployment.
There's no reason to ever define both since you can only use one, so I think it's entirely reasonable to add validation that fails if more than one of config
, configMap
, or the new secret
field are set. If anyone has an ambiguous configuration, they'll only need a simple change to remove whichever variant they're not actually using.
For config
, I'd say only support the existing ConfigMap storage: if you want to use a Secret, you need to create it independently. We generally want to discourage storing sensitive information within values.yaml.
the request to add validation to prevent both I understand discouraging storing secrets in chart values in general, but there are use cases where that's very handy and its risks are mitigated; for example we use yaml-crypt to manage secret values safely and efficiently; even without such a specialized tool, cascading values files can be used to section off secret data from the main values. I'm not advocating this be a recommended workflow, but I think it's reasonable enough to support it. I can certainly add a disclaimer to the docs to make it clear this is not a recommended configuration, but I don't see any harm in surfacing the option. If this is a firm policy I'll stop pushing back on this; this feature is less crucial since I can always work around it with a wrapper chart on my end. Note, the breakage I'm describing would also affect non-ambiguous configurations, since it would move the Current format
Option 1: No breakage
Option 2: Breakage, but clearer
Option 3: Even more breakage, but even clearer
I think option 3 is the nicest, but option 1 makes the most sense if a major version chart release isn't planned anytime soon |
I've implemented Option 3 since it seems like the cleanest option, I added a disclaimer to the |
I'm pretty firm on not wanting to populate Secrets from values.yaml as standard functionality, so I'd still want the version where the options are mutually exclusive and both the You can, as an alternative to an umbrella chart, use the catch-all additional resource creator to create a Secret directly from this chart. |
alright, I've removed the |
Yeah, basically option 1 minus the create type switch, so
and then stricter template logic to require that you only set one of the three. |
Checking on this, do you know if you'd be able to make the changes in the next few days? We plan to release KIC 2.8 on the coming Monday, 2022-12-19, and will release the next chart version shortly after. I'd love to get this in if possible, so if you have time to complete it and #696 next week, we can hold the chart release for a bit to complete this. |
191ce3a
to
89f59ba
Compare
sorry, I just saw this reply now, looks like i missed the release. I've rebased against main and cleared the merge conflicts, and have reverted to the schema you described. as requested, the mutual exclusion logic is in line 481 of |
just checking in, I think all the outstanding issues are addressed now, anything else need another look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We were just all out for the past week or so for the holidays. Looks good now aside from the stupid linter issue.
88ff025
to
86b4d84
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And then I got sick after the holidays
Not sure what's making CI upset and not running/not letting me approve the run, but I ran ct lint-and-install
locally and it ran into an issue trying to mount the config volume even though it shouldn't be enabled:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 5m default-scheduler Successfully assigned kong-muc3xwk61w/kong-muc3xwk61w-kong-84b6fb847b-ckq7c to kind-control-plane
Warning FailedMount 50s (x10 over 5m) kubelet MountVolume.SetUp failed for volume "kong-custom-dbless-config-volume" : configmap "kong-muc3xwk61w-kong-custom-dbless-config" not found
Warning FailedMount 40s (x2 over 2m57s) kubelet Unable to attach or mount volumes: unmounted volumes=[kong-custom-dbless-config-volume], unattached volumes=[kong-muc3xwk61w-kong-prefix-dir kong-muc3xwk61w-kong-tmp kong-custom-dbless-config-volume tmpdir]: timed out waiting for the condition
@alice-sawatzky are you able to determine what's making it attempt to mount when it shouldn't? Opening a PR on your fork from the PR branch to your main should make GitHub Actions run CI if you prefer that over running it locally (or if you do want to run it locally, installing chart-testing and setting up a KIND instance should let you run ct lint-and-install
from the repo dir to run the tests).
looks like the behavior is correct; the conditions for dblessConfig are present, therefore it should attempt to mount a dblessConrfig volume. The problem is that the test values file has a invalid config, and the chart doesn't create a sensible error message for that invalid config. The values file enables dblessConfig but does not set any of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the new fail for DB-less but no config provided means CI 4 needs a test configuration, e.g.
diff --git a/charts/kong/ci/test4-values.yaml b/charts/kong/ci/test4-values.yaml
index d4a2dd3..8d912a0 100644
--- a/charts/kong/ci/test4-values.yaml
+++ b/charts/kong/ci/test4-values.yaml
@@ -24,3 +24,20 @@ proxy:
- ssl
ingress:
enabled: true
+dblessConfig:
+ config: |
+ _format_version: "3.0"
+ _transform: true
+ services:
+ - name: my-service
+ url: https://example.com
+ plugins:
+ - name: key-auth
+ routes:
+ - name: my-route
+ paths:
+ - /
+ consumers:
+ - username: my-user
+ keyauth_credentials:
+ - key: my-key
With that in place the test
@alice-sawatzky checking in again, are you able to make the CI change? |
got it! |
dblessConfig requires a config source to be set, and now that dblessConfig.config is unset by default, all dblessConfig configurations must explicitly set a source in their values. Practically this isn't a breaking change since no real-world usecase should ever need to enable dblessConfig without also configuring it.
05b73e5
to
cdf8be5
Compare
What this PR does / why we need it:
Add the option to use Secrets for
dblessConfig
, instead of ConfigMaps.Special notes for your reviewer:
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
main
branch.