Add command to generate Kubernetes Secrets #202
Signed-off-by: versilis <versilis@akitasoftware.com>
Looks pretty good.
The must-fix items: let's add the ability to write to stdout, and use the default namespace. (And the redundant code in addAgentToECS.)
I would like to see us tackle YAML output with a library here on an easy case before we have to tackle parsing and rewriting a Deployment resource. Unless you were planning on using just string manipulation? But I don't insist on it.
cmd/internal/kube/secret.go
Outdated
) | ||
_ = secretCmd.MarkFlagRequired("namespace") | ||
|
||
secretCmd.Flags().StringVarP(&output, "output", "o", "akita-secret.yml", "File to output the generated secret.") |
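Review bot: On the last line, the default of "akita-secret.yml" for --output means that running the command without the flag leaves the generated secret in a file in the current directory, where it can be picked up by a later commit or backup without anyone having asked for it. Consider an empty default that selects standard output, and write a file only when -o is given. Separately, the error from MarkFlagRequired("namespace") is discarded with `_ =`; it fails only when the flag name does not match a defined flag, so checking it would catch a rename.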
This should have come up in the design review -- sorry. I think the correct default, which is most idiomatic to Kubernetes tools, is to print to standard output.
The idiomatic usage we are aiming for is something like "akita kube secret | kubectl apply -f -"
cmd/internal/kube/secret.go
Outdated
func init() { | ||
var err error | ||
|
||
secretTemplate, err = template.ParseFS(templateFS, "template/akita-secret.tmpl") |
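Review bot: In init(), err from template.ParseFS is assigned on the last visible line, but its handling is not shown in this hunk; if it is not checked right there, a missing or malformed embedded template surfaces only when the command runs. Declaring the variable as template.Must(template.ParseFS(templateFS, "template/akita-secret.tmpl")) would remove the need for init() and the separate err variable, and would fail at startup.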
I'm mostly OK with using a template here. But, I think this will be much harder to pull off for the next command, and I would like the two implementations to be consistent. If we have to have YAML parsing and output, let's start here with the easy case. :)
Currently, there's a discrepancy between the Kubernetes openapi spec and the Go packages API model representation. Here's a link to the issue that covers it: kubernetes/kubernetes#109427
I've opened a separate PR to address using the Kubernetes API for generating secrets: #204
Co-authored-by: Mark Gritter <mgritter@akitasoftware.com>
This provides a workaround to remove all telemetry info logs during a command's initialization. This is needed by the kube secret command because only the raw YAML output should be printed to stdout.
cmd/internal/kube/secret.go
Outdated
// Output the generated secret to the console | ||
printer.RawOutput(output) |
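Review bot: printer.RawOutput(output) on the last line sends the generated Secret to the console, and nothing in these lines makes that conditional on the chosen destination. Guard the call so the Secret is printed only when standard output is the destination, since a credential echoed alongside a file write can end up in terminal scrollback or CI logs.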
Sorry, I think I was unclear. The two use cases are:
1. Apply directly
   akita kube secret | kubectl apply -f -
2. Apply via a file (convenience, they could always pipe to a file.)
   akita kube secret -f mysecret.yaml
   kubectl apply -f mysecret.yaml
In case #2 we should not print to standard output as well, it should be one or the other. We can support this in a few different ways, I don't much care whether (a) standard out is the default if -f not specified, or (b) -f - writes to standard output.
I kind of think like in case #1 we should not write the file that was not asked for as well.
Come talk to me if what should happen in these two cases is still unclear.
cmd/internal/kube/secret.go
Outdated
} | ||
|
||
// Creates a file at the give path to be used for storing of the generated Secret config | ||
// If any child dicrectories do not exist, it will be created. |
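Review bot: The doc comment in the last two lines has typos ("give path", "dicrectories") and does not say what permissions the file and any directories it creates receive. Since the file stores the generated Secret config, state the mode in the comment (an owner-only mode such as 0600 for the file would be the usual choice) and correct the wording so it matches what the function does for missing directories.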
Is this comment correct? I think you mean "it will not be created".
pcap/stream_test.go
Outdated
@@ -127,6 +128,7 @@ func runTCPFlowTestCase(c tcpFlowTestCase) error { | |||
} | |||
|
|||
func TestTCPFlow(t *testing.T) { | |||
telemetry.Init(false) |
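Review bot: telemetry.Init(false) at the top of TestTCPFlow passes a bare boolean whose meaning cannot be read at the call site, and it initializes telemetry from inside a single test rather than once for the package. A short comment naming what false turns off, or a TestMain that performs the initialization for every test in the package, would make the intent clear and avoid other tests relying on this one having run.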
I think I understand the need here and in pase_http_test since the error functions in parsing send telemetry.
Is there a fix to telemetry that checks whether uninitialized instead? If it's not easy to do, we can keep this, it just seems a bit odd to be initializing telemetry in a situation where we don't really want it.
Looks good!
This adds two new commands, `akita kube inject` and `akita kube secret`, for simplifying the process of installing Akita as a sidecar in Kubernetes Deployments.

Changes include:
- #202
- #207
- #206

---------

Signed-off-by: versilis <versilis@akitasoftware.com>
Co-authored-by: Mark Gritter <mgritter@akitasoftware.com>
Co-authored-by: Jed Liu <liujed@users.noreply.github.com>
This adds a new command `akita kube secret` which generates a Kubernetes secret configuration file that stores a user's base-64 encoded Akita API credentials. To simplify file generation, I've used Go's built-in templating utilities; `akita-secret.tmpl` is used as the template for creating the secret.

Example usage: