-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support passing credentials to composition functions #5543
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me @negz, thanks for iterating on this support for credentials! I like where it landed 💪
Just a couple small questions from me, nothing blocking at all.
internal/controller/apiextensions/composite/composition_functions_test.go
Outdated
Show resolved
Hide resolved
test/e2e/manifests/apiextensions/composition/functions/setup/composition.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a few minor comments, otherwise lgtm 🙏 thanks @negz!
In future we might support other sources, but for now I think secrets will be a good start. I've designed both the Kubernetes and protobuf APIs to support adding other credential sources / shapes in future. Signed-off-by: Nic Cope <nicc@rk0n.org>
These are all fairly obvious, but we try to add comments for all fields. The only exceptions I've left are wrapper messages with singleton fields (e.g. MatchLabels, Resources, CredentialData). Signed-off-by: Nic Cope <nicc@rk0n.org>
We think it's likely that a function will need more than one credential. In particular, a function could need credentials from different sources. Signed-off-by: Nic Cope <nicc@rk0n.org>
Signed-off-by: Nic Cope <nicc@rk0n.org>
Description of your changes
Fixes #3718
Some functions need credentials to talk to an external system, like AWS or a git repository. Today you can only pass credentials to a function by using a
DeploymentRuntimeConfig
to inject them as files or environment variables. This isn't ideal, as you probably want per-caller credentials, not credentials that are available to all callers.This PR allows you to tell Crossplane what credentials to give a function when you write a Composition.
Here's an example:
The
credentials
block uses the same schema as aProviderConfig.
For now, it only supports loading credentials from a Kubernetes secret (i.e.source: Secret
).In future we might support other sources, but for now I think secrets will be a good start. I've designed both the Kubernetes and protobuf APIs to support adding other credential sources / shapes in future. I'm not sure what other sources we might support. Perhaps IRSA, if we ever relax the function spec:
Given that we intend to remove support for external secret stores per #5522, I don't expect we'll ever have to expand this API to support loading from a secret store like Vault. Instead we'd expect people to use https://external-secrets.io (or similar) to load credentials into a Kubernetes secret.
Reading credentials looks like this in Go:
In Python (I think) it looks like this:
This is just the "bare" protobuf-generated code. We could add wrappers to the function SDKs if we think they'd add a better UX.
I have:
make reviewable
to ensure this PR is ready for review.Addedbackport release-x.y
labels to auto-backport this PR.Need help with this checklist? See the cheat sheet.