add a secret ref for webhook secrets by bparees · Pull Request #10 · openshift/api

bparees · 2017-11-28T20:02:38Z

bug 1504819

https://bugzilla.redhat.com/show_bug.cgi?id=1504819

bparees · 2017-11-28T20:03:03Z

@deads2k ptal/merge. needed for openshift/origin#17314

deads2k · 2017-11-28T21:06:30Z

build/v1/types.go


+// SecretLocalReference contains information that points to the local secret being used
+type SecretLocalReference struct {
+	// Name is the name of the resource being referenced


"name of the secret in the same namespace being reference"

deads2k · 2017-11-28T21:11:12Z

Lifting my comments from the earlier thread:

General thoughts:

This prescribes the key, but doesn't add a type. Adding types (but not requiring them) can help users categorize their secrets. That could happen as a later step.
Being prescriptive to reduce choice simplifies the API, but as you noted it can make discoverability harder. If you created a secretKey which defaulted to WebHookSecretKey would be a backwards compatible change that allows people to avoid specifying if they wish, but may help discoverability. This could happen later if we actually do have problems. I personally like being prescriptive.
It is now possible to have a webhook configuration which is invalid at runtime. With other resources, we use controllers to reflect this in status. A similar approach could be taken here or you could write-back status from the rest handler.

This looks like a good starting point to me. We can grow on this in a few directions if we end up needing to.

@bparees any thoughts on how to manage the status aspect? A small controller seems like an option.

@smarterclayton how do you generally feel about controllers watching the validity of references over time and updating status in general? It seems consistent with other approaches and reasonably discoverable. It would simplify status reporting the CLI and the webconsole too.

deads2k · 2017-11-28T21:11:55Z

@deads2k ptal/merge. needed for openshift/origin#17314

Travis seems stuck. I'll see if it unsticks or if we must summon @stevekuznetsov and get some real CI.

bparees · 2017-11-28T21:46:30Z

@bparees any thoughts on how to manage the status aspect? A small controller seems like an option.

we already have secret refs (And imagestream refs) elsewhere in the buildconfig that aren't validated. A general buildconfig controller that validated all the refs in the buildconfig and provided status(or events?) isn't a bad idea, but won't be part of this specific refactor.

bug 1504819 https://bugzilla.redhat.com/show_bug.cgi?id=1504819

bparees · 2017-11-28T22:16:51Z

seems to have passed travis after my update.

bparees · 2017-11-29T17:58:41Z

@deads2k anything else?

bparees · 2017-11-29T17:58:55Z

/assign @deads2k

bparees · 2017-11-29T17:59:17Z

(I suppose expecting we have bots setup for this repo would be too much)

deads2k · 2017-11-29T18:26:59Z

we already have secret refs (And imagestream refs) elsewhere in the buildconfig that aren't validated. A general buildconfig controller that validated all the refs in the buildconfig and provided status(or events?) isn't a bad idea, but won't be part of this specific refactor.

I agree. Just wanted to know about general general concept.

/lgtm

openshift-ci-robot · 2017-11-29T18:27:02Z

@deads2k: changing LGTM is restricted to assignees, and assigning you to the PR failed.

Details

In response to this:

we already have secret refs (And imagestream refs) elsewhere in the buildconfig that aren't validated. A general buildconfig controller that validated all the refs in the buildconfig and provided status(or events?) isn't a bad idea, but won't be part of this specific refactor.

I agree. Just wanted to know about general general concept.

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

deads2k · 2017-11-29T18:27:20Z

(I suppose expecting we have bots setup for this repo would be too much)

Welcome to the wild west. I'll fix that :)

stevekuznetsov · 2017-11-29T19:13:45Z

Yeah there is no way to give the bots access to all repos, and they need write access to a repo to do anything meaningful to it, so just ask me or someone else who can edit those configs to add them.

Automatic merge from submit-queue. add a secretref for webhook secrets fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=1504819 api changes are now here: openshift/api#10

bparees mentioned this pull request Nov 28, 2017

add a secretref for webhook secrets openshift/origin#17314

Merged

deads2k reviewed Nov 28, 2017

View reviewed changes

add a secret ref for webhook secrets

1d38d42

bug 1504819 https://bugzilla.redhat.com/show_bug.cgi?id=1504819

bparees force-pushed the webhook_secrets branch from 0ad1d00 to 1d38d42 Compare November 28, 2017 21:47

deads2k merged commit e27edf8 into openshift:master Nov 29, 2017

bparees deleted the webhook_secrets branch January 2, 2018 16:38

Conversation

bparees commented Nov 28, 2017

Uh oh!

bparees commented Nov 28, 2017

Uh oh!

deads2k Nov 28, 2017

Choose a reason for hiding this comment

Uh oh!

bparees Nov 28, 2017

Choose a reason for hiding this comment

Uh oh!

deads2k commented Nov 28, 2017

Uh oh!

deads2k commented Nov 28, 2017

Uh oh!

bparees commented Nov 28, 2017

Uh oh!

bparees commented Nov 28, 2017

Uh oh!

bparees commented Nov 29, 2017

Uh oh!

bparees commented Nov 29, 2017

Uh oh!

bparees commented Nov 29, 2017

Uh oh!

deads2k commented Nov 29, 2017

Uh oh!

openshift-ci-robot commented Nov 29, 2017

Uh oh!

deads2k commented Nov 29, 2017

Uh oh!

stevekuznetsov commented Nov 29, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants