Broker should extract credentials from secret #555
Conversation
Force-pushed from 6d94c42 to f25784d.
Changes Unknown when pulling f25784d on djzager:bind-creds into openshift:master.

Changes Unknown when pulling bda09b1 on djzager:bind-creds into openshift:master.
Note to reviewers: This will fail CI until all the deps are merged.
I'm a little concerned with bumping the APB spec version. The versioning doc explains how that version should be bumped. It is meant to track changes to the spec file itself and not meant to track dependency changes. I've raised the concern with David but I cannot think of a better way to track dependency changes that will break broker functionality unless we strive to be backwards compatible. In that case I would like to see the broker support the old mechanism of exec-ing in if the secret doesn't exist or simply read from the secret if we are using the newest asb_encode_binding.
@dymurray I tend to agree with you that the version is for the spec. This PR isn't changing the spec definition.
At one point I suggested we remain backwards compatible, but we seemed to have dropped that for some reason. @djzager do you remember why we stopped being compatible?
The lesson learned here for me is that I should have included @dymurray on the original proposal. My bad.
The reason we stopped the backwards compatibility train @jmrodri was @shawn-hurley's wise intervention about 1-off if statements that change behavior and I think that remains true. I tend to agree with @dymurray's point(s), we'll have to do a meaningful rework of the
@djzager ok i'm not afraid of some if statements, unless of course they are EVERYWHERE. Then let's re-evaluate the ExecuteApb then to see how to best handle this new requirement. I seriously think we're going to piss people off if we don't allow old APBs to work. Thanks for the summary.
Based on comments in scrum I think this would be a good approach:
@jmrodri What I was very concerned with was that for now, 2-3 if statements are not bad but will be hard to maintain in the future. If we did not have to support backwards compatibility my point was we should not complicate the code. I agree that we should support backwards compatibility after talking to everyone. I think that we should make it so that future changes to this code path are not fraught with code paths that suddenly change drastically with an if statement deep in the function. I find this just as hard to figure out what is going on as the interface redirection of other projects. All: I think the concept that we choose to go with here should be applied to the multiple spec version parsing.
Changes Unknown when pulling c700798 on djzager:bind-creds into openshift:master.

Changes Unknown when pulling 072490e on djzager:bind-creds into openshift:master.

Changes Unknown when pulling ab5dcc3 on djzager:bind-creds into openshift:master.

Changes Unknown when pulling 0069ffb on djzager:bind-creds into openshift:master.
@dymurray @shawn-hurley @jmrodri @eriknelson A bunch of changes have been made for the sake of 1) introducing a new APB runtime version (now at version

Testing Setup

NOTE: Started with catasb to bring up cluster.

$ oc edit configmap broker-config
+ - type: "dockerhub"
+ name: "dz"
+ url: "docker.io"
+ org: "djzager"
+ tag: "latest"
+ white_list:
+ - ".*rhscl-postgresql-apb$"
$ oc edit dc asb
- image: docker.io/ansibleplaybookbundle/origin-ansible-service-broker:latest
+ image: docker.io/djzager/origin-ansible-service-broker:latest

Test
I think that we should continue to use the pattern of trying to fit method declarations on 1 line, if you have to break it up because it goes beyond ~95 characters then we break it up on the last parameter. I thought that is what we had all decided to go with moving forward?
pkg/apb/ext_creds.go
| podname string, | ||
| namespace string, | ||
| log *logging.Logger, | ||
| k8s *clients.KubernetesClient, |
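Review bot: the `k8s *clients.KubernetesClient` parameter in this signature threads a dependency through every caller that the function could resolve for itself; obtaining the client inside the body with `clients.Kubernetes(log)`, as the thread below suggests, shortens the declaration and keeps the call sites simpler.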
Why are we passing in the k8s client? I think the right thing to do here is getting it from the method.
Fair point.
I understand this to mean why pass it when you can just ask for a reference to the client with `k8s, err := clients.Kubernetes(log)`. Is that right?
yes, that is exactly what I was thinking
I hate it that I agree with you b/c then I have to change it. 😎
I'm going to wait to push this change until there are thoughts on the method declarations.
I'm fine with either. I leave it up to the writer to choose as long as the function wouldn't normally fit on one line.
I don't think we need to block on this since we haven't really established a style here. And we would have to change it everywhere to match the style we go with. We can discuss in a separate issue if we want to pursue it.
@shawn-hurley I've got the feeling that I missed that discussion about breaking up method declarations. Before I start, let me just say this... I may be a little OCD (just ask me about scratches on my sunglasses) and may need to just get over myself. Personally, I would prefer either break them up in the way I had done it or shove it all on one line regardless of length. I say that because one dangling parameter + return list + I'll do whatever is agreed on.
Should have done this on the first try: adding @eriknelson @jmrodri @rthallisey since I trust they'll have an opinion.
Changes Unknown when pulling 55cf1cc on djzager:bind-creds into openshift:master.

Wrote my comments in the wrong place.
Changes Unknown when pulling e14bdda on djzager:bind-creds into openshift:master.

Changes Unknown when pulling 91fd234 on djzager:bind-creds into openshift:master.
This change makes it so the broker can handle secrets that are created by APBs when using the `asb_encode_binding` module.
- Update the broker so that it can handle secrets generated by the APB when `asb_encode_binding` module is used from the asb-modules.
- Update `executor::ExecuteApb` to wait for pod to complete, since the pod is no longer kept alive for credential extraction.
- Clean up some of the log messages and code format related to apb actions.

Fixes openshift#544
Fixes openshift#553
Implements the proposal openshift#550

Depends on the following PRs:
- [ansible-asb-modules#8](ansibleplaybookbundle/ansible-asb-modules#8) This is how the secret gets generated.
- [apb-base#7](ansibleplaybookbundle/apb-base#7) Remove scripts related to extracting credentials from the container's filesystem.
- [ansible-playbook-bundle#163](ansibleplaybookbundle/ansible-playbook-bundle#163) Bump the APB versions so freshly built APBs will pass version validation checks.
Update the broker to evaluate the `com.redhat.apb.runtime` label on APBs (default to `1` when there is no label). Add version checking of this new min/max apb runtime version and update associated tests.
Update apb execution to handle multiple apb runtime versions.
Secrets retrieved using client-go are already decoded. So the extract credentials function has been updated to only attempt to decode the credentials if they need it. Also changed the `log.Error` when the APB completed to a `log.Notice` since it is not a failure.
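The backwards-compatibility thread above (keep the old exec-based extraction working next to the new `asb_encode_binding` secret, without one-off if statements deep in the function) and the commits describing the `com.redhat.apb.runtime` label, its min/max check, and decode-only-if-needed logic amount to one design: select the extraction strategy by runtime version from a table, and only base64-decode a payload that is not already JSON. The Go program below is an added example written for this page, not the broker's own code. The version bounds, the `fields` secret key, the `APBPod` struct and the sample credentials are all constructed assumptions; the real paths and keys are set by apb-base and asb_encode_binding.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

const (
	RuntimeLabel                         = "com.redhat.apb.runtime" // label the PR adds; absent means runtime 1
	MinRuntimeVersion, MaxRuntimeVersion = 1, 2                     // constructed bounds, not the broker's real ones
	credsSecretKey                       = "fields"                 // constructed key; the real one is chosen by asb_encode_binding
)

// APBPod is a constructed view of a finished APB run: image labels, the file an
// old-style APB left for exec-based extraction, and the secret a new-style APB wrote.
type APBPod struct {
	Labels     map[string]string
	ExecFile   []byte            // runtime 1 source; nil when the pod left no file
	SecretData map[string][]byte // runtime 2 source, as client-go returns it (already base64-decoded)
}

// RuntimeVersion parses the label, defaults to 1, and rejects out-of-range versions.
func RuntimeVersion(labels map[string]string) (int, error) {
	raw, ok := labels[RuntimeLabel]
	if !ok || raw == "" {
		return 1, nil
	}
	v, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("%s=%q is not an integer: %v", RuntimeLabel, raw, err)
	}
	if v < MinRuntimeVersion || v > MaxRuntimeVersion {
		return 0, fmt.Errorf("runtime %d outside supported range [%d,%d]", v, MinRuntimeVersion, MaxRuntimeVersion)
	}
	return v, nil
}

// One row per runtime version: a new runtime is a new row here, not an if-branch inside ExtractCredentials.
var extractors = map[int]func(*APBPod) (map[string]interface{}, error){
	1: func(p *APBPod) (map[string]interface{}, error) {
		// Old mechanism: the credentials file read out of the still-running pod.
		return DecodeCredentials(p.ExecFile)
	},
	2: func(p *APBPod) (map[string]interface{}, error) {
		// New mechanism: the secret asb_encode_binding wrote; the pod has already exited.
		raw, ok := p.SecretData[credsSecretKey]
		if !ok {
			return nil, fmt.Errorf("runtime 2 bind secret has no %q key", credsSecretKey)
		}
		return DecodeCredentials(raw)
	},
}

// ExtractCredentials picks the extraction strategy for the pod's runtime version.
func ExtractCredentials(p *APBPod) (map[string]interface{}, error) {
	v, err := RuntimeVersion(p.Labels)
	if err != nil {
		return nil, err
	}
	ex, ok := extractors[v]
	if !ok {
		return nil, fmt.Errorf("no credential extractor for runtime %d", v)
	}
	return ex(p)
}

// DecodeCredentials takes a JSON object as-is and only falls back to base64 when the
// payload is not JSON yet, so secret data client-go already decoded is not decoded twice.
func DecodeCredentials(payload []byte) (map[string]interface{}, error) {
	var creds map[string]interface{}
	if err := json.Unmarshal(payload, &creds); err == nil && creds != nil {
		return creds, nil
	}
	decoded, err := base64.StdEncoding.DecodeString(string(payload))
	if err != nil {
		return nil, fmt.Errorf("payload is neither JSON nor base64-wrapped JSON: %v", err)
	}
	if err := json.Unmarshal(decoded, &creds); err != nil || creds == nil {
		return nil, fmt.Errorf("base64 payload does not hold a JSON object: %v", err)
	}
	return creds, nil
}

// SamplePods are constructed inputs: an unlabelled old-style APB that wrote base64 JSON
// to its file, and a runtime-2 APB that wrote plain JSON into its bind secret.
func SamplePods() []*APBPod {
	old := base64.StdEncoding.EncodeToString([]byte(`{"DB_USER":"admin","DB_PASSWORD":"old-style"}`))
	return []*APBPod{
		{Labels: map[string]string{}, ExecFile: []byte(old)},
		{Labels: map[string]string{RuntimeLabel: "2"},
			SecretData: map[string][]byte{credsSecretKey: []byte(`{"DB_USER":"admin","DB_PASSWORD":"from-secret"}`)}},
	}
}

func main() {
	for i, p := range SamplePods() {
		creds, err := ExtractCredentials(p)
		fmt.Printf("pod %d: creds=%v err=%v\n", i, creds, err)
	}
}
```

Running it prints the credentials of both sample pods. An image labelled with a runtime outside the supported range is rejected in `RuntimeVersion` before any extraction is attempted, which is the validation the commit messages describe, and adding a third runtime later means adding one row to `extractors` rather than threading another condition through the function body.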
Force-pushed from 2a5c0f2 to 34fe506.
Changes Unknown when pulling 34fe506 on djzager:bind-creds into openshift:master.
scripts/broker-ci/setup-cluster.sh
| @@ -13,6 +13,7 @@ function cluster-setup () { | |||
| dockerhub_org: ansibleplaybookbundle | |||
| broker_tag: latest | |||
| broker_kind: ClusterServiceBroker | |||
| apbtab: canary | |||
| EOF | |||
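Review bot: `apbtab: canary` is added to the heredoc but nothing in the visible hunk consumes it; confirm the gate actually reads this key and drop the line if it does not, so the CI cluster config does not carry settings that are never used.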
You can remove this. It doesn't get used by the gate.
* Broker should extract credentials from secret

This change makes it so the broker can handle secrets that are created by APBs when using the `asb_encode_binding` module.
- Update the broker so that it can handle secrets generated by the APB when `asb_encode_binding` module is used from the asb-modules.
- Update `executor::ExecuteApb` to wait for pod to complete, since the pod is no longer kept alive for credential extraction.
- Clean up some of the log messages and code format related to apb actions.

Fixes openshift#544
Fixes openshift#553
Implements the proposal openshift#550

Depends on the following PRs:
- [ansible-asb-modules#8](ansibleplaybookbundle/ansible-asb-modules#8) This is how the secret gets generated.
- [apb-base#7](ansibleplaybookbundle/apb-base#7) Remove scripts related to extracting credentials from the container's filesystem.
- [ansible-playbook-bundle#163](ansibleplaybookbundle/ansible-playbook-bundle#163) Bump the APB versions so freshly built APBs will pass version validation checks.

* Add APB runtime version to our APB Spec object

Update the broker to evaluate the `com.redhat.apb.runtime` label on APBs (default to `1` when there is no label). Add version checking of this new min/max apb runtime version and update associated tests.

* Handle bind credential extraction based on runtime

Update apb execution to handle multiple apb runtime versions.

* Fixing log statements

* Only decode bind creds if encoded

Secrets retrieved using client-go are already decoded. So the extract credentials function has been updated to only attempt to decode the credentials if they need it. Also changed the `log.Error` when the APB completed to a `log.Notice` since it is not a failure.

* Pull k8s API call to get pod status into k8s client
* Cleanup extract credentials based on comments
* Update proposal based on what is implemented
* Improve adapter log info on apb runtime eval
* Fixes after rebase
* Address review comments and fix unit tests
* Ask for the k8s client when we need it
* Use canary APB images
This change makes it so the broker can handle secrets that are created by APBs when using the `asb_encode_binding` module.
- Update the broker so that it can handle secrets generated by the APB when `asb_encode_binding` module is used from the asb-modules.
- Update `executor::ExecuteApb` to wait for pod to complete, since the pod is no longer kept alive for credential extraction.
- Clean up some of the log messages and code format related to apb actions.

Fixes #544
Fixes #553
Implements the proposal #550

Depends on the following PRs: