-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support optional secret containing only credentials but no user-data; accept Gardener secret data keys #578
Conversation
They are no longer working with the whole secret because they don't need it. All of them are evaluating the data map only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/invite @amshuman-kr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick and extensive PR @rfranzke ! LGTM
The only question I have is that while this PR retains the signature of the OOT interfaces but changes the semantics. I.e. the secret object that is passed is no longer backed by a real secret object. As long as the OOT providers do not expect the secret object to be a real one in the apiserver, this should be fine. Ideally, they shouldn't. @prashanth26 Should we make this explicit in the documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Agreed, good point. I stumbled across this as well, and for the sake of not changing the contract I created a new |
I agree. That way the contract will be explicit. @prashanth26 Should we consider changing the OOT signature? We need not do it in this PR, of course. |
I agree with you guys. Something I probably overlooked while making the initial interfaces. Will try to incorporate this change in the coming releases. Yes, for now, let's stick to this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Waiting for approval from @amshuman-kr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Something I probably overlooked while making the initial interfaces.
We all did @prashanth26. Hindsight is 20-20 🙂 It is 2020 too 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
I shall trigger an MCM release as the new field will have to be added in all the provider migration codes |
/area open-source usability
/kind enhancement
/priority normal
What this PR does / why we need it:
This PR extends all in-tree and the out-of-tree machine classes with a new
.{spec.}credentialsSecretRef
field. It is an optional reference to a secret containing only the credentials, while today's.{spec.}secretRef
still contains the user-data.This is helpful for scenarios like Gardeners where the credentials for all machine classes are the same while only the user-data differs.
Additionally, all the secret keys used by Gardener are now also allowed as alternatives for the machine-controller-manager. This helps to not make mappings for the data keys.
Special notes for your reviewer:
The implementation is entirely backwards-compatible and optional, both for the in-tree and the out-of-tree implementations. The in-tree drivers have been simplified by only working with the secret data map instead of the whole
v1.Secret
object. The out-of-tree contract is untouched. If a credentials secret reference is provided then its content will be merged into the secret that is passed to the provider.ℹ️ For simplification of the review process the PR is split into 4 different commits that could be reviewed individually.
/assign @hardikdr @prashanth26 @AxiomSamarth
/invite @hardikdr @prashanth26 @AxiomSamarth
/cc @vpnachev @timuthy
Release note: