
feat: [datadog metricprovider] Allow Datadog API and APP keys to be c… #1073

Merged (2 commits), Apr 27, 2021

Conversation

@jzyeezy jzyeezy commented Apr 8, 2021

Why

My organization has a pattern where keys are stored in a secret cloud provider which get auto-synced as generic k8s secrets across regions. Rather than duplicate these keys in their own datadog k8s-secret, it would be much more convenient for us to mount the original secret values as environment variables for argo-rollouts. This also eliminates the need for granting the argo-rollouts pod the API permission to access the datadog k8s-secret.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
  • The title of the PR is (a) conventional, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
  • I've signed my commits with DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My builds are green. Try syncing with master if they are not.
  • My organization is added to USERS.md.

@jessesuen jessesuen left a comment

@jzyeezy the feature is a good improvement, but we'll need to reduce the API calls to k8s API server when getting each secret value.

Also, do you mind signing off for the DCO on your commit for us to accept this PR?

git commit --amend -s
git push -f

Comment on lines 170 to 199
func getSecretValue(key, ns string, kubeclientset kubernetes.Interface, emptyValueOk bool) (string, error) {
envKey := strings.ToUpper(strings.ReplaceAll(key, "-", "_"))
if value, ok := os.LookupEnv(fmt.Sprintf("DD_%s", envKey)); ok {
return value, nil
}
secret, err := kubeclientset.CoreV1().Secrets(ns).Get(context.TODO(), DatadogTokensSecretName, metav1.GetOptions{})
if err != nil {
return "", err
}
_, valueMaybe := secret.Data[key]
if emptyValueOk && !valueMaybe {
return "", nil
}

return string(secret.Data[key]), nil
}

func NewDatadogProvider(logCtx log.Entry, kubeclientset kubernetes.Interface) (*Provider, error) {
ns := defaults.Namespace()
secret, err := kubeclientset.CoreV1().Secrets(ns).Get(context.TODO(), DatadogTokensSecretName, metav1.GetOptions{})
apiKey, err := getSecretValue("api-key", ns, kubeclientset, false)
if err != nil {
return nil, err
}

apiKey := string(secret.Data["api-key"])
appKey := string(secret.Data["app-key"])
address := ""
if _, hasAddress := secret.Data["address"]; hasAddress {
address = string(secret.Data["address"])
appKey, err := getSecretValue("app-key", ns, kubeclientset, false)
if err != nil {
return nil, err
}
address, err := getSecretValue("address", ns, kubeclientset, true)
if err != nil {
return nil, err
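Review bot: in getSecretValue, a key that is absent from the secret while emptyValueOk is false still falls through to `return string(secret.Data[key]), nil`, so NewDatadogProvider continues with an empty api-key or app-key instead of failing at startup; add a branch after the emptyValueOk check such as `if !valueMaybe { return "", fmt.Errorf("key %s not found in secret %s", key, DatadogTokensSecretName) }`. Separately, since every call to getSecretValue performs its own Secrets(ns).Get, the three calls in NewDatadogProvider are three API-server requests; fetching the secret once (only when a value is not found in the environment) and passing secret.Data into the helper keeps it at one.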
Member

The change will result in three API calls to k8s instead of the previous one. Could you refactor such that it still only makes a single API call for when we need to get the secret from the API server?

…onsumed from env vars

Signed-off-by: Joyce Yee <jzyee@paypal.com>
jzyeezy commented Apr 21, 2021

Okie @jessesuen I've addressed your comments. Thanks for the review!

codecov bot commented Apr 21, 2021

Codecov Report

Merging #1073 (1308004) into master (959a4a5) will increase coverage by 0.26%.
The diff coverage is 90.90%.


@@            Coverage Diff             @@
##           master    #1073      +/-   ##
==========================================
+ Coverage   81.02%   81.28%   +0.26%     
==========================================
  Files         103      104       +1     
  Lines        9174     9460     +286     
==========================================
+ Hits         7433     7690     +257     
- Misses       1246     1259      +13     
- Partials      495      511      +16     
Impacted Files Coverage Δ
metricproviders/datadog/datadog.go 80.61% <90.90%> (+3.50%) ⬆️
utils/json/json.go 44.44% <0.00%> (-55.56%) ⬇️
rollout/canary.go 78.87% <0.00%> (-4.61%) ⬇️
rollout/trafficrouting.go 88.15% <0.00%> (-3.63%) ⬇️
utils/defaults/defaults.go 87.03% <0.00%> (-0.72%) ⬇️
rollout/controller.go 75.91% <0.00%> (-0.27%) ⬇️
pkg/kubectl-argo-rollouts/info/rollout_info.go 79.04% <0.00%> (-0.18%) ⬇️
utils/conditions/conditions.go 78.72% <0.00%> (ø)
pkg/kubectl-argo-rollouts/cmd/cmd.go 100.00% <0.00%> (ø)
pkg/kubectl-argo-rollouts/info/info.go 100.00% <0.00%> (ø)
... and 16 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 959a4a5...1308004.

Comment on lines 186 to 189
secret, err := kubeclientset.CoreV1().Secrets(ns).Get(context.TODO(), DatadogTokensSecretName, metav1.GetOptions{})
if err != nil {
return nil, err
}
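Review bot: this Get still runs unconditionally, so a deployment that supplies DD_API_KEY and DD_APP_KEY through environment variables continues to need the RBAC "get" permission on the secret and fails without it, which undoes the benefit stated in the PR description; gate the Get on at least one required value not being found in the environment, and only in that case read the remaining keys from secret.Data.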
@jessesuen jessesuen Apr 22, 2021

Note that by leaving the logic to fetch the secret here, it does not satisfy your previous benefit:

This also eliminates the need for granting the argo-rollouts pod the API permission to access the datadog k8s-secret.

Not sure if you care about this as a feature, but I just wanted to call out the fact that it does not really eliminate the RBAC necessary to get the datadog secret, because this call would fail.
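The two review points above (one API-server request at most, and no secret read at all when the values come from the environment, so the pod needs no RBAC grant on the secret) can be met with an env-first lookup that reads the secret lazily and once. The following is an added example written for this thread, not code from the argo-rollouts project. It keeps the hunk's key-to-variable mapping (`api-key` becomes `DD_API_KEY`) and assumes a `secretGetter` function type standing in for `kubeclientset.CoreV1().Secrets(ns).Get`, so that it runs offline with constructed secret data.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Added example, not the argo-rollouts code: resolve the Datadog settings from
// environment variables first and read the Kubernetes secret at most once, and
// only when a required value is absent from the environment.

// secretGetter stands in for kubeclientset.CoreV1().Secrets(ns).Get so the
// example runs offline (assumption: the controller would wrap that call here).
type secretGetter func(ns, name string) (map[string][]byte, error)

// envName mirrors the hunk's mapping of secret keys to env vars: "api-key" -> "DD_API_KEY".
func envName(key string) string {
	return "DD_" + strings.ToUpper(strings.ReplaceAll(key, "-", "_"))
}

// DatadogConfig holds the resolved values; Address is optional.
type DatadogConfig struct {
	APIKey, AppKey, Address string
}

type keySpec struct {
	key      string
	optional bool
}

var datadogKeys = []keySpec{{"api-key", false}, {"app-key", false}, {"address", true}}

// ResolveDatadogConfig checks the environment for every key. If all required
// keys came from the environment, the secret is never read, so the pod needs no
// RBAC "get" on secrets. Otherwise the secret is read exactly once and the
// remaining keys are taken from it; a required key missing from both places is
// an error rather than a silently empty credential. An env var set to "" is
// treated as unset here (the hunk's os.LookupEnv would treat it as present).
func ResolveDatadogConfig(ns, secretName string, lookupEnv func(string) (string, bool), get secretGetter) (DatadogConfig, error) {
	values := map[string]string{}
	var fromSecret []keySpec
	needSecret := false
	for _, spec := range datadogKeys {
		if v, ok := lookupEnv(envName(spec.key)); ok && v != "" {
			values[spec.key] = v
			continue
		}
		fromSecret = append(fromSecret, spec)
		if !spec.optional {
			needSecret = true
		}
	}
	if needSecret {
		secret, err := get(ns, secretName) // the single API-server request
		if err != nil {
			return DatadogConfig{}, fmt.Errorf("reading secret %s/%s: %w", ns, secretName, err)
		}
		for _, spec := range fromSecret {
			if b, ok := secret[spec.key]; ok && len(b) > 0 {
				values[spec.key] = string(b)
			} else if !spec.optional {
				return DatadogConfig{}, fmt.Errorf("%q not set via %s or in secret %s/%s", spec.key, envName(spec.key), ns, secretName)
			}
		}
	}
	return DatadogConfig{APIKey: values["api-key"], AppKey: values["app-key"], Address: values["address"]}, nil
}

// envFrom builds a LookupEnv-style function from a constructed map (test helper).
func envFrom(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) {
		v, ok := m[k]
		return v, ok
	}
}

// countingGetter returns constructed secret data (or an error, e.g. a simulated
// RBAC "forbidden") and counts how often the secret is read.
func countingGetter(data map[string][]byte, err error, calls *int) secretGetter {
	return func(ns, name string) (map[string][]byte, error) {
		*calls++
		return data, err
	}
}

func main() {
	calls := 0
	// Constructed secret contents; real values would come from the cluster.
	get := countingGetter(map[string][]byte{"api-key": []byte("secret-api"), "app-key": []byte("secret-app")}, nil, &calls)
	cfg, err := ResolveDatadogConfig("argo-rollouts", "datadog", os.LookupEnv, get)
	fmt.Printf("config=%+v err=%v secret reads=%d\n", cfg, err, calls)
}
```

Run with `DD_API_KEY` and `DD_APP_KEY` exported and the secret read count stays at zero, which is what makes the RBAC grant on the secret unnecessary for env-configured deployments; unset either one and exactly one read happens, with a missing required key reported as an error.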

Contributor Author

Wow you are right about that. 🤦🏻‍♀️ Thanks for catching that!

Let me address this one more time, properly.

Contributor Author

Alrighty pushed up 1308004, 3rd time's a charm?

Signed-off-by: Joyce Yee <jzyee@paypal.com>
sonarcloud bot commented Apr 22, 2021

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities)
Security Hotspots: A (0 Security Hotspots)
Code Smells: A (0 Code Smells)

No Coverage information
No Duplication information

@jessesuen jessesuen merged commit 304cb39 into argoproj:master Apr 27, 2021