-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API for immutable Secrets and ConfigMaps #86377
API for immutable Secrets and ConfigMaps #86377
Conversation
80e0e76
to
12c10ea
Compare
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
@@ -5354,6 +5354,10 @@ | |||
"description": "Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.", | |||
"type": "object" | |||
}, | |||
"immutable": { | |||
"description": "Immutable field, if set, ensures that data stored in the configmap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit, capitalization
"description": "Immutable field, if set, ensures that data stored in the configmap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.", | |
"description": "Immutable field, if set, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
12c10ea
to
333845a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Kubelet part is not yet implemented (those this part itself solve the first user problem being ability to protect from accidental bad pushes).
Is the plan to get the kubelet changes in this release as well?
Yes - I have them as part of my POC - just need to clean them up. Re other comments - thanks, will address them. |
333845a
to
79dd940
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saad-ali - thanks for the review.
Comments addressed or responded to. PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Thanks @saad-ali ! |
/assign @thockin |
@@ -5424,6 +5424,12 @@ type Secret struct { | |||
// +optional | |||
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` | |||
|
|||
// Immutable field, if set, ensures that data stored in the Secret cannot |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since comments become docs...
"Immutable ensures that data ..." (basically drop 'field')
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Document the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this field updatable or only set at creation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this field change from false to true?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed all (here and in configmap).
pkg/registry/core/secret/strategy.go
Outdated
} | ||
|
||
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList { | ||
return validation.ValidateSecretUpdate(obj.(*api.Secret), old.(*api.Secret)) | ||
} | ||
|
||
func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) { | ||
if !utilfeature.DefaultFeatureGate.Enabled(features.ImmutableEphemeralVolumes) && oldSecret == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most times I see this call an "is in use" funtion that encapsulates both old == nil and old.field == nil.
@@ -5005,6 +5005,16 @@ func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList { | |||
} | |||
|
|||
allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...) | |||
if oldSecret.Immutable != nil && *oldSecret.Immutable { | |||
if !reflect.DeepEqual(newSecret.Immutable, oldSecret.Immutable) { | |||
allErrs = append(allErrs, field.Forbidden(field.NewPath("immutable"), "field is immutable when immutable is set")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with @wojtek-t
field names in errors should be back-quoted: "when immutable
is set"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thockin - comments addressed; PTAL
@@ -5005,6 +5005,16 @@ func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList { | |||
} | |||
|
|||
allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...) | |||
if oldSecret.Immutable != nil && *oldSecret.Immutable { | |||
if !reflect.DeepEqual(newSecret.Immutable, oldSecret.Immutable) { | |||
allErrs = append(allErrs, field.Forbidden(field.NewPath("immutable"), "field is immutable when immutable is set")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed (both here, below and for configmap)
pkg/registry/core/secret/strategy.go
Outdated
} | ||
|
||
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList { | ||
return validation.ValidateSecretUpdate(obj.(*api.Secret), old.(*api.Secret)) | ||
} | ||
|
||
func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) { | ||
if !utilfeature.DefaultFeatureGate.Enabled(features.ImmutableEphemeralVolumes) && oldSecret == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done (both here and in configmap)
@@ -5424,6 +5424,12 @@ type Secret struct { | |||
// +optional | |||
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` | |||
|
|||
// Immutable field, if set, ensures that data stored in the Secret cannot |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed all (here and in configmap).
79dd940
to
7cc3971
Compare
/retest |
2 similar comments
/retest |
/retest |
@thockin - this is now ready for the second pass (test failures are unrelated flakes) /retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Last bit can be a followup
Thanks!
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thockin, wojtek-t The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
Fixed typo. related PR: kubernetes/kubernetes#86377
API for immutable Secrets and ConfigMaps Kubernetes-commit: 37d9c22
This implements the API part of the KEP (allow for marking secrets/configmaps as immutable + necessary bits to enforce that and e2e tests for it).
The Kubelet part is not yet implemented (those this part itself solve the first user problem being ability to protect from accidental bad pushes).
Part of kubernetes/enhancements#1412