-
Notifications
You must be signed in to change notification settings - Fork 589
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(creds) remove kongCredType field support #5856
Conversation
81f1cd0
to
0559be0
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5856 +/- ##
=======================================
- Coverage 68.9% 68.0% -1.0%
=======================================
Files 179 179
Lines 18308 18309 +1
=======================================
- Hits 12627 12451 -176
- Misses 4693 4885 +192
+ Partials 988 973 -15 ☔ View full report in Codecov by Sentry. |
0559be0
to
73ee99b
Compare
73ee99b
to
60f790f
Compare
Tentative TODOs pending approval of the design for plugin Secret configuration validation:
Please weigh in on whether you think the design as proposed is good and whether you think we need the no filter test and future support removal. I'll create issues for the above if we decide to move forward with the current approach in the PR. |
0b63bb3
to
65ad4c3
Compare
Unfortunately, kubebuilder cannot handle webhook rules with The accepted workaround for this is to roll your own rules and patch them in. This requires changing the envtest runner so it can invoke kustomize. We'll need to note that the chart hook should be generated from |
90df090
to
79a43bc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we think we'd want to set up a separate envtest run for TestAdmissionWebhook_KongPlugins only with a special no-filter copy of the manifest?
Yeah, I think this would make sense to have this covered properly given we're going to support this mode of operation for some time still. I suggest making this a separate PR though.
I think that as a part of #5856 we should also make sure that the Helm chart generates the webhook config with label filters and also that docs.konghq.com articles for KIC 3.2 that create Secrets already use the labels.
I've created a KIC 4.0 issue to track making the labels required for reconciliation as the next step in improving performance: #5876
If there is a breaking change that was not deprecated in the previous minor version (which it wasn't, as it didn't exist) I don't think we can make it the default in the chart. My proposal is to keep the old blanket ingest in the chart as the default, and if anyone raises questions we can let me know how to change it. We can also encourage the preferred way via docs |
1d8decc
to
97185d3
Compare
@mheap I'd still advocate for doing it in one go, since this one is a bit unusual. Main questions are:
I wouldn't expect most users to go looking for the filter toggle, as it's not something you'd expect to exist even if you do hit the performance/UX problems with unrelated Secrets, and I think adoption would be low as such. We're not strictly deprecating anything yet, more changing a default (with the caveat that there wasn't previously an option to change). I'm not even sure we'd ever fully remove the blanket handling, since AFAIK the cost of keeping it is low. If we don't expect to have it as the default in 3.2 or 3.3 (it's not clear what the timeline would be after/if we can have one version where the label exists but isn't required by default), I'd want something like 97185d3 to call it out, and that'd be annoying if you are intentionally leaving the filter off. There's unfortunately no way to distinguish between intentional omissions and new installs that just neglected to include the label. We do still load referenced plugins without labels in the reconciler and parser--unlike the webhook, their Secret ingest is triggered by the reference. We can check if a referenced Secret lacks a label there and log a warning for it. |
I agree we can expect low adoption if we just provide a default-off option in the Helm chart to filter Secrets on labels. But I think that's the best we can do:
|
@czeslavo's plan makes a lot of sense to me. I'm not afraid of spamming in the logs about users not using the label as that's our means of communicating to the users relevant information (which, this one is IMHO). |
I'm comfortable with the steps that @czeslavo outlined too. I have a small preference to not change defaults in the existing charts (but we can change the default in the next-gen charts) but don't feel strongly enough to say that we can't change the default in future once we've had a release or two with warning logs attached |
Remove support for the kongCredType field in credential Secrets. Only honor the konghq.com/credential label. Add a konghq.com/plugin-config label. This label indicates that a Secret contains plugin configuration and should be validated against its referrers when updated. Add objectSelectors to the Secret blocks in the admission webhook definition. Admission will skip any Secrets without a label indicating they should be used by KIC.
Discard the logger argument to kongstate.FillConsumersAndCredentials(). It is not currently used, but removing it from the signature would require a breaking change, with a decent chance we'd re-add it in the future.
Split the webhook manifest into the generated manifest and additional rule patches. Kubebuilder limitations require writing your own rules to use objectSelectors. Remove the kubebuilder Secret hook generation directive and document the workaround. Refactor the envtest runner to build a webhook manifest via Kustomize, rather than reading a static manifest.
6994119
to
6e8f685
Compare
6e8f685
to
06ed355
Compare
Test gymnastics required to run again without the filter are pretty messy, but whatever. Only added it to the KongPlugin test because there's no difference in Secret ingest for the webhook; KongClusterPlugin doesn't change anything about that. |
I started doubting if my advocating for using |
Should we actually need this for reconciliation? I think that was unintended scope creep in the #5876 writeup. AFAIK the reference exists predicate there is already fine for that. It is, however, impossible to do for the webhook, which isn't smart enough to understand references. We should only need label-based filters there for Secrets that are fully independent, such as CA certificates. Credentials using the label instead is something of a lazy hack because something was broken and we didn't want to debug it. I'd still say keep the single
In retrospect, perhaps we should have left |
My main goal here was to make sure KIC can perform well in environments that have a huge volume of Secrets and not all of them should be reconciled by KIC. We had reports where users were complaining about KIC crash looping because of cache synchronization timeouts in such cases (slack thread). We could solve that by caching only labeled Secrets (using SelectorsByObject in controller-runtime). That can also be kinda worked around by making KIC watch only a single namespace (where only KIC-related secrets and resources would live), but that may be a constraint someone wouldn't like to have (e.g. if they use Gateway API and use different namespaces per team or something else). |
We could probably use It's good in that it's already set on a bunch of resources and can share the same key and value across everything, but bad in that it doesn't make sense on GWAPI resources. We could use some new key that's functionally equivalent (i.e. instances ignore anything that doesn't have whatever value they're configured to recognize) and explicitly call it out as a low-level optimization below the usual rules. While it would filter out, for example, an HTTPRoute without the label, we would not parse the HTTPRoute on the basis of the label alone, and would still require it to match a Gateway of the appropriate class. |
Do you mind creating an issue for KIC 4.0 that would track this? We can discuss later whether it will be |
What this PR does / why we need it:
Remove support for the kongCredType field in credential Secrets. Only honor the konghq.com/credential label.
Add a konghq.com/plugin-config label. This label indicates that a Secret contains plugin configuration and should be validated against its referrers when updated.
Add objectSelectors to the Secret blocks in the admission webhook definition. Admission will skip any Secrets without a label indicating they should be used by KIC.
Which issue this PR fixes:
Fix #4853
Special notes for your reviewer:
Found during this that we were kinda abusing the blanket Secret ingest for updates to plugin config also. Those Secrets did not have any label to filter them in.
Per chat discussion the approach I've taken here is to leave the existing blanket code in place while changing the webhook configuration to filter on either the credential or new
konghq.com/validate
label. The latter is a simpleexists
check in the webhook configuration, and code uses the value (currently onlyplugin
) to select the validation path.Users that do not wish to update plugin Secrets will need to remove the filter from their webhook manifest. We will need to add a Helm chart toggle for this.
Although the
validate
key only has the oneplugin
value at present I felt it best to leave it open-ended because it's difficult (breaking change that requires users update resources) to transition from a plugin-specific label key to something else in the future if we add additional validated Secret types that don't need further hint info (conversely,credential
is a dedicated label because we can't determine which validation to apply without the value to indicate it's specificallykey-auth
or whatever).Tests check only the fully filtered variant, as we only have the one copy of the webhook manifest that they use.
My manual check for the no-filter case was that envtest still passes with no-label.diff.txt (and fails that doesn't have the webhook manifest diff). Do we think we'd want to set up a separate envtest run for
TestAdmissionWebhook_KongPlugins
only with a special no-filter copy of the manifest?PR Readiness Checklist:
Complete these before marking the PR as
ready to review
:CHANGELOG.md
release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR