IP Whitelisting as part of App Model #240
Comments
Hello ! I'm the guy who did the PR deis/deis#4333. The initial goal was that the router could access the whitelist configuration for an app using Etcd. Since Now that Deis v2 is being built, my take on this is that we could have an endpoint dedicated for configurations that need to be exposed in Etcd and an endpoint for configurations that need to end up as environment variables. This way we could stop exposing sensible things like DB passwords in Etcd and stop exposing configuration details like whitelists inside the app. I don't have an exact proposal but I think we should clarify on that before we start adding too much stuff inside the App Model. |
@laurrentt, we're actually attempting to eliminate etcd wherever we can and hoping to eventually eliminate it entirely. |
Any chance this feature will make it into 2.0? This was possible in v1, and would block us from upgrading to v2. |
And I stand correct. The svc is only initially created. You can patch the svc.
|
Perhaps for other annotations (whitelist, connectTimeout, tcpTimeout, domains, routable) we should add a top-level command like |
Just to add so clarification to this ticket, whitelists already are implemented and work perfectly... this ticket is about refactoring how that is done to make it a bit cleaner. |
As a note for anyone who patches the Deis application RCs. If you migrate between K8S clusters these RCs will be recreated from scratch so they will lose the patched whitelists that are added. |
Perhaps the upgrade procedure needs to take into account saving & restoring annotations like this. |
feat(storage): modify docs for configuring storage using env vars
@sgoings asked me to weigh in on a potential UX here. Responding to @bacongobbler's suggestion, I can see the appeal in something as generic as Compare this first to other cases where the CLI, via the controller, effects changes to a routable service's annotations. A great example is the management of domains and certificates. The fact that the CLI exposes well-defined, interactively documented subcommands for managing these things means that app operators don't need to posses detailed knowledge of how to configure the router using annotations-- that thankless task is left to the controller. Exposing something as generic as A secondary concern:
I'm not sure if the word "directly" in the above implies an implementation that bypasses the controller, but bypassing the controller wouldn't be a good idea. In "real world" k8s clusters, I am hoping that cluster admins have locked down permissions on the apiserver more significantly than we tend to (i.e. on our test clusters, we do no such thing). In such a cluster, the The alternative I would recommend a UX that is suggested by the following help:
This would require complementary API endpoints to be added to the controller, with the underlying models modified accordingly as well. |
@krancour you might want to take a look at #966 and give your opinion there, because that model directly relates to router config. So far Coming back to the OP, I agree and I think IP Whitelists should be a separate object as @krancour described in his recommendation. |
From @krancour via #197
The text was updated successfully, but these errors were encountered: