DNM: Move secret retrieval to hiveutil for AWS prov/deprov #1872
Pods created by hive-controllers require information from secrets and configmaps (for example, cloud credentials) in order to function. Today these are passed into the pods from the hive-controllers side via environment variables and volumes. Working on HIVE-1862, it's looking like we're going to need that same business logic -- which parts of which objects are needed in what form -- on the hiveutil side when running in scale mode. In order to avoid duplication of that logic, we're considering moving it *all* to the hiveutil side, even for non-scale mode.

This experiment is a proof of this concept for provision and deprovision paths on AWS. The cloud credentials secret contents are no longer passed through via the pod spec. Instead, the hiveutil command itself uses a local client to load that secret and set up the same environment variables and files that were previously passed through on the pod.

Spike related to HIVE-1862
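The staging step the description outlines, as an added illustration rather than code from this PR or from hive: the Secret is assumed to have already been fetched by a local Kubernetes client (not shown, since it needs a cluster), the secret key names `aws_access_key_id` / `aws_secret_access_key` and the `AWS_SHARED_CREDENTIALS_FILE` variable are assumptions, and the function name is hypothetical. The point it demonstrates is that the credential bytes go from the client straight into an owner-only file and the process environment, never into the pod spec.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Secret keys assumed for the AWS cloud credentials secret (assumption: named
// after the conventional AWS credentials-file fields; not taken from hive code).
const (
	keyAccessKeyID     = "aws_access_key_id"
	keySecretAccessKey = "aws_secret_access_key"
)

// StageAWSCredentials takes the Data map of an already-fetched Secret (what a
// Kubernetes client returns, values already base64-decoded) and materialises
// it the way a secret-backed volume previously did: a shared credentials file
// readable only by the process owner, plus the environment variable that
// points the AWS SDK at it. The pod spec is never involved, so the secret
// contents are not visible to anyone who can merely read the pod object.
func StageAWSCredentials(data map[string][]byte, dir string) (map[string]string, error) {
	id, ok := data[keyAccessKeyID]
	if !ok || len(id) == 0 {
		return nil, fmt.Errorf("secret is missing key %q", keyAccessKeyID)
	}
	sk, ok := data[keySecretAccessKey]
	if !ok || len(sk) == 0 {
		return nil, fmt.Errorf("secret is missing key %q", keySecretAccessKey)
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	path := filepath.Join(dir, "credentials")
	body := fmt.Sprintf("[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n", id, sk)
	// 0600 mirrors the protection a secret volume mount gives the file: no
	// other user on the node can read the credentials.
	if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
		return nil, err
	}
	env := map[string]string{"AWS_SHARED_CREDENTIALS_FILE": path}
	for k, v := range env {
		if err := os.Setenv(k, v); err != nil {
			return nil, err
		}
	}
	return env, nil
}
```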
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: 2uasimojo. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
@2uasimojo: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Codecov Report

Coverage Diff (master vs. #1872)

              master    #1872    +/-
  Coverage    41.89%   41.80%   -0.10%
  Files          364      364
  Lines        34096    34087      -9
  Hits         14286    14251     -35
  Misses       18609    18635     +26
  Partials      1201     1201
This works. I'm going to do it for real via #1874.