Secret API resource #4514
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -178,6 +178,8 @@ type VolumeSource struct { | |
GCEPersistentDisk *GCEPersistentDisk `json:"persistentDisk"` | ||
// GitRepo represents a git repository at a particular revision. | ||
GitRepo *GitRepo `json:"gitRepo"` | ||
// Secret represents a secret that should populate this volume. | ||
Secret *SecretSource `json:"secret"` | ||
} | ||
|
||
// HostPath represents bare host directory volume. | ||
|
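Review bot: the new `Secret` member makes VolumeSource a four-way union, but nothing in this hunk shows the "exactly one source is set" validation being extended to it; please confirm the validator rejects a VolumeSource that sets `Secret` alongside `GitRepo` or `GCEPersistentDisk`, and that an empty `SecretSource` (zero-value `Target`) is rejected rather than treated as an empty volume. The field comment would also help readers if it said what the kubelet does with the secret, i.e. that each key of the secret's `Data` becomes a file in the volume, since that is the behaviour the rest of this PR's discussion is about.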
@@ -228,6 +230,12 @@ type GitRepo struct { | |
// TODO: Consider credentials here. | ||
} | ||
|
||
// Adapts a Secret into a VolumeSource | ||
type SecretSource struct { | ||
// Reference to a Secret | ||
Target ObjectReference `json:"target"` | ||
} | ||
|
||
// Port represents a network port in a single container | ||
type Port struct { | ||
// Optional: If specified, this must be a DNS_LABEL. Each named port | ||
|
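Review bot: `Target ObjectReference` lets the caller set its own `Kind` and `Namespace`, so as written a pod can name a Secret that lives in a different namespace; unless validation elsewhere (not in this diff) pins it, mounting becomes a cross-namespace read of any secret whose name is known. Suggest that validation for this field require `Target.Kind == "Secret"` and force `Target.Namespace` to equal the pod's namespace (or be empty and resolved from the pod), and that the comment `// Reference to a Secret` state that rule so callers and later versions do not loosen it by accident.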
@@ -1309,3 +1317,27 @@ type ResourceQuotaList struct { | |
// Items is a list of ResourceQuota objects | ||
Items []ResourceQuota `json:"items"` | ||
} | ||
|
||
// Secret holds secret data of a certain type | ||
type Secret struct { | ||
TypeMeta `json:",inline"` | ||
ObjectMeta `json:"metadata,omitempty"` | ||
|
||
Data map[string][]byte `json:"data,omitempty"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This needs a bit more comments to describe the string format? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see a subsequent comment here about DNS_SUBDOMAIN. Is that flexible enough for producing arbitrary secrets' filenames? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If the value of the map must be base64 encoded, why is this []byte rather than string? Alternately, why the base64 rule? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @thockin DNS_SUBDOMAIN isn't flexible enough. I expect to make a new format for filenames and/or adapt names in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry, commenting late. First of all: All fields in v1beta1 and v1beta2 need description tags. This will also soon be true for v1beta3. The Travis check was broken, but was fixed today. Please ensure future fields have descriptions. As discussed in the recent PR to update api-conventions.md, it is acceptable for an object to not distinguish Spec and Status if we're confident it will only support one or the other, as in this case. As discussed in #1627 and #1553, we will want a very similar object for dynamic configuration distribution. But, similar to the distinction between labels and annotations, I agree that it's useful to separate the two use cases. There was a problem hiding this comment. 
Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ahh, I see. The comment led me astray. I though people you were taking strings and base64ing them and then storing that in []byte. But you're storing arbitrary secret data in []byte, and JSON serializes it to base64. I'm going to update the comments in my PR, see if it is any better when I am done. :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, @bgrant0607 This uses a map - more fodder for maps being the OBVIOUS api for things like environment variables. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @thockin @bgrant0607, I was thinking about the type SecretCell struct {
Name string
Value string
Binary bool I don't think you should have to base64 encode everything - it makes for On Mon, Feb 23, 2015 at 1:54 PM, Tim Hockin notifications@github.com
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure that the "always base64" crumminess is worse than the "sometimes base64" crumminess :) Anyway, I'd like to get #4653 in before any significant retool, please. I just want it off the balance sheet, and it fixes many of the concerns here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @thockin go for it, I was not proposing that you address that in #4653 On Mon, Feb 23, 2015 at 2:25 PM, Tim Hockin notifications@github.com
|
||
Type SecretType `json:"type,omitempty"` | ||
} | ||
|
||
type SecretType string | ||
|
||
const ( | ||
SecretTypeOpaque SecretType = "opaque" // Default; arbitrary user-defined data | ||
Should follow Go-style caps - Opaque

ack

+1

@bgrant0607 @thockin will collect these into a PR soon (might not be until

@pmorie /cc me on the PR if it modifies the API that is checked in. I am working on something that uses this already so I would need to update.
|
||
) | ||
|
||
type SecretList struct { | ||
TypeMeta `json:",inline"` | ||
ListMeta `json:"metadata,omitempty"` | ||
|
||
Items []Secret `json:"items"` | ||
} | ||
|
||
const MaxSecretSize = 1 * 1024 * 1024 |
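Review bot: the keys of `Data` are going to be used as file names inside the volume, yet the hunk gives them no format and no validation; a key of `..`, an empty string, or one containing `/` must be rejected at admission, before the kubelet ever writes it out, and the comment on `Data` should spell out the key rules plus the fact that values are raw bytes which the JSON encoding carries as base64 (the review thread shows the present wording makes readers think callers must base64 the values themselves). Smaller points in the same hunk: `MaxSecretSize` has no comment saying whether it bounds one value, the sum of all values, or the serialized object, nor where it is enforced; `SecretType` and `SecretList` carry no doc comments; and `Type` has no visible check that it is one of the declared `SecretType` constants, so an unknown type is accepted silently.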
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -103,6 +103,8 @@ type VolumeSource struct { | |
GCEPersistentDisk *GCEPersistentDisk `json:"persistentDisk" description:"GCE disk resource attached to the host machine on demand"` | ||
// GitRepo represents a git repository at a particular revision. | ||
GitRepo *GitRepo `json:"gitRepo" description:"git repository at a particular revision"` | ||
// Secret represents a secret to populate the volume with | ||
Secret *SecretSource `json:"secret" description:"secret to populate volume with"` | ||
} | ||
|
||
// HostPath represents bare host directory volume. | ||
|
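Review bot: the `description` text here ("secret to populate volume with") differs from the v1beta2 copy ("secret to populate volume") and from the field comment above it; the three copies of this field should use one wording so the generated API reference does not diverge between versions. Since this version of VolumeSource gains a new member, please also point at the conversion and validation changes for v1beta1, as neither appears in this diff.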
@@ -153,6 +155,12 @@ type GitRepo struct { | |
Revision string `json:"revision" description:"commit hash for the specified revision"` | ||
} | ||
|
||
// Adapts a Secret into a VolumeSource | ||
type SecretSource struct { | ||
// Reference to a Secret | ||
Target ObjectReference `json:"target"` | ||
} | ||
|
||
// Port represents a network port in a single container | ||
type Port struct { | ||
// Optional: If specified, this must be a DNS_LABEL. Each named port | ||
|
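Review bot: `Target ObjectReference `json:"target"`` is missing the `description:` tag that every other v1beta1 field in this file carries (compare `Revision` in the context lines just above), and the earlier review comment on this PR asks for descriptions on all v1beta1 and v1beta2 fields. Something like `description:"reference to a Secret object"` is enough for now; whatever namespace rule the internal type ends up enforcing should be added to it once decided.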
@@ -1091,3 +1099,22 @@ type ResourceQuotaList struct { | |
// Items is a list of ResourceQuota objects | ||
Items []ResourceQuota `json:"items"` | ||
} | ||
|
||
type Secret struct { | ||
TypeMeta `json:",inline"` | ||
|
||
Data map[string][]byte `json:"data,omitempty"` | ||
Type SecretType `json:"type,omitempty"` | ||
Everywhere else in the API, we use "Kind". For example: Could we please change this to

Also, please put the kind above the Data field.
||
} | ||
|
||
type SecretType string | ||
|
||
const ( | ||
SecretTypeOpaque SecretType = "opaque" // Default; arbitrary user-defined data | ||
) | ||
|
||
type SecretList struct { | ||
TypeMeta `json:",inline"` | ||
|
||
Items []Secret `json:"items"` | ||
} |
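Review bot: `Data` and `Type` have no `description:` tags, and the v1beta1 `Secret` struct has no doc comment at all, whereas the v1beta2 copy at least says "Secret holds secret data of a certain type"; both versions should carry the same doc and descriptions. `MaxSecretSize` exists only in the internal package, so if that limit is enforced at the API boundary it belongs in the versioned `Data` description too, otherwise clients only discover it when a request is rejected.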
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -72,6 +72,8 @@ type VolumeSource struct { | |
GCEPersistentDisk *GCEPersistentDisk `json:"persistentDisk" description:"GCE disk resource attached to the host machine on demand"` | ||
// GitRepo represents a git repository at a particular revision. | ||
GitRepo *GitRepo `json:"gitRepo" description:"git repository at a particular revision"` | ||
// Secret is a secret to populate the volume with | ||
Secret *SecretSource `json:"secret" description:"secret to populate volume"` | ||
} | ||
|
||
// HostPath represents bare host directory volume. | ||
|
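Review bot: the field comment ("Secret is a secret to populate the volume with") and the description ("secret to populate volume") disagree with each other and with the v1beta1 and internal wording; pick one phrasing and use it in all three files. As with the other versions, the conversion to the internal `VolumeSource` and the one-of validation for the new member are not in this diff, so please reference where they are handled for v1beta2.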
@@ -81,6 +83,12 @@ type HostPath struct { | |
|
||
type EmptyDir struct{} | ||
|
||
// Adapts a Secret into a VolumeSource | ||
type SecretSource struct { | ||
// Reference to a Secret | ||
Target ObjectReference `json:"target"` | ||
} | ||
|
||
// Protocol defines network protocols supported for things like conatiner ports. | ||
type Protocol string | ||
|
||
|
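Review bot: same missing `description:` tag on `Target` as in v1beta1. In addition, `ObjectReference` carries more than a name (Kind, Namespace, UID, APIVersion, ResourceVersion, FieldPath), so the comment `// Reference to a Secret` should say which of those are honoured when the secret is resolved and which are ignored, or validation should reject the ones that are ignored; otherwise a caller who sets `UID` will assume the mount is pinned to that specific object when it may not be.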
@@ -1094,3 +1102,23 @@ type ResourceQuotaList struct { | |
// Items is a list of ResourceQuota objects | ||
Items []ResourceQuota `json:"items"` | ||
} | ||
|
||
// Secret holds secret data of a certain type | ||
type Secret struct { | ||
TypeMeta `json:",inline"` | ||
|
||
Data map[string][]byte `json:"data,omitempty"` | ||
Type SecretType `json:"type,omitempty"` | ||
} | ||
|
||
type SecretType string | ||
|
||
const ( | ||
SecretTypeOpaque SecretType = "opaque" // Default; arbitrary user-defined data | ||
Please capitalize. All constants in the API are CamelCase. Please tell me if api-conventions.md is not clear.

@bgrant0607 I hadn't read it prior to your comment, but it's not clear. There's no treatment given to constants or casing (viz: 'CamelCase' and 'constant' don't appear in the text of the doc). I'll make an issue to clarify.
||
) | ||
|
||
type SecretList struct { | ||
TypeMeta `json:",inline"` | ||
|
||
Items []Secret `json:"items"` | ||
} |
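Review bot: beyond the casing of `"opaque"` already raised in the thread, `Type SecretType` in this version has no description and no visible validation, so any string is accepted as a type; suggest validating against the declared constants and documenting that `SecretTypeOpaque` is the default when `Type` is empty, which the inline comment says but the field comment does not. `Data` needs its `description:` tag here as well.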
This is a minor thing, but it would really be nice to have a comment here explaining why this is sufficient. It took me a while to think about it.

Actually I don't think it IS sufficient. I'll accumulate fixups in a PR.

@thockin Agree, this is a gap. It needs to fuzz the data map too.