Add template.openshift.io/expose annotation for use with tsb bind #14486
Conversation
|
[test][testextended][extended:core(templates)] |
|
@openshift/api-review @pmorie @bparees @jwforres ptal - addition of annotation "template.openshift.io/expose" (name and semantics) as well as template service broker bind response. A sample tsb bind response follows: {
"credentials": {
"Route.route.openshift.io.cakephp-mysql-example.host": "cakephp-mysql-example-demo.router.default.svc.cluster.local",
"Route.route.openshift.io.cakephp-mysql-example.path": "",
"Secret.cakephp-mysql-example.database-password": "TkJXRWtUVmdRc1N3ZklKUQ==",
"Secret.cakephp-mysql-example.database-user": "Y2FrZXBocA==",
"Service.cakephp-mysql-example.clusterIP": "172.30.113.152",
"Service.cakephp-mysql-example.port": 8080,
"Service.cakephp-mysql-example.port.web": 8080
}
} |
|
Separation between resource and name is questionable. If that's our whole
API surface we have a problem of both expressiveness and future proofing.
This looks like we are abusing the credentials api
On Jun 6, 2017, at 8:23 AM, Jim Minter <notifications@github.com> wrote:
@openshift/api-review <https://github.com/orgs/openshift/teams/api-review>
@pmorie <https://github.com/pmorie> @bparees <https://github.com/bparees>
@jwforres <https://github.com/jwforres> ptal - addition of annotation "
template.openshift.io/expose" (name and semantics) as well as template
service broker bind response. A sample tsb bind response follows:
{
"credentials": {
"Route.route.openshift.io.cakephp-mysql-example.host":
"cakephp-mysql-example-demo.router.default.svc.cluster.local",
"Route.route.openshift.io.cakephp-mysql-example.path": "",
"Secret.cakephp-mysql-example.database-password": "TkJXRWtUVmdRc1N3ZklKUQ==",
"Secret.cakephp-mysql-example.database-user": "Y2FrZXBocA==",
"Service.cakephp-mysql-example.clusterIP": "172.30.113.152",
"Service.cakephp-mysql-example.port": 8080,
"Service.cakephp-mysql-example.port.web": 8080
}
}
—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
<#14486 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p7bpxAtBB_hJUILgzl5_R_riyw_Fks5sBUSmgaJpZM4NxQgx>
.
|
jim-minter
force-pushed
the
trello133-tsb-bind
branch
2 times, most recently
from
e96f64c
to
2f22b2d
Compare
you mean the lack of separation? the way we concatenated the resource type and the key name? Our problem is the limitations of the service broker bind credentials api. If we want our credential object to be easily consumed by applications, we really need to stick to flat key/value structures. Otherwise applications are going to be forced to parse json to extract configs/credentials/service-addresses
how so? because these things are not all credentials? because we're not creating a more sophisticated structure? @pmorie do we have examples of what other brokers are returning for bind credential objects? |
That's how I read it and mirrors the comment I was going to post about the key-space. You have no reliable way to know where the end of the group is (dots and dashes are legal in may resource names) so generic parsing is impossible (ambiguous) leading to specific whitelists. Another issue is that you're choosing your favorite part of the API object and returning back a format tailored for that. If you used a generic format (something like json path from the root for instance), you'd face fewer problems if you later wanted to allow pulling a different value back and the behavior would be generic across any future resource type. |
yeah i anticipated this concern(at least that we might have to choose a different separator), but do you have an alternate suggestion? Again we strongly prefer a flat structure because otherwise we're putting a high burden on the applications that consume this content.
if i'm understanding you correctly, this is a complaint about the annotation scheme used for selecting the keys, not the format of the key/value pairs being returned in the credential object. it's a fair point, but it's also going to make it even harder to sensibly define a key for the content the jsonpath extracts (and of course make life harder for the template authors who have to craft jsonpath expressions now). |
There was a problem hiding this comment.
couple nits otherwise lgtm, @smarterclayton and @deads2k's concerns about the annotation syntax and credential key/value format notwithstanding.
| "name": "${NAME}", | ||
| "annotations": { | ||
| "template.openshift.io/expose": "" | ||
| } |
There was a problem hiding this comment.
I clearly need to find a way to make this readme more visible :(
https://github.com/openshift/origin/blob/master/examples/quickstarts/README.md
Files in this directory are automatically pulled down, do not modify/add files to this directory.
There was a problem hiding this comment.
Snort. How about a file called CONTENT_IN_THIS_DIRECTORY_IS_GENERATED_ELSEWHERE (or whatever)?
There was a problem hiding this comment.
OK, I'm going to leave these changes in the PR for now as one of them is required for the extended test to work. After api-review and before merge I'll send PRs to the upstream repos and run hack/update-external-examples.sh. Can't wait.
| "Route.route.openshift.io.myroute.host": route.Spec.Host, | ||
| "Route.route.openshift.io.myroute.path": route.Spec.Path, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
no test for "bad" on this one?
There was a problem hiding this comment.
no, because as things stand the value of expose is currently ignored on routes.
|
@bparees @openshift/api-review thanks for the feedback, I was psyched that no-one took issue with the annotation name. Anyway, please take another look. I've reworked this to use JSON path and I think the whole thing is better as a result. Sample input: On a route: Sample bind result: (c.f. contents of "credentials" in spec example bind result: https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#response-4) |
|
ping @openshift/api-review is there any chance of feedback on this today? |
|
Can you update the result of the bind call in your first comment? It still looks like you may be suffering from an inconsistent parse problem in those keys. |
Ah, I see you did it in a later comment. That did come out quite a bit nicer. |
|
@deads2k @smarterclayton but can it get the approved label? The two points I'd highlight on my side:
|
|
For 2, wouldn't that mean that we lose data? UTF -> JSON -> raw is lossy. |
there's no guarantee the byte data can be represented as a non-base64 encoded string. I can put a binary secret into my secret object. I don't see how we can expect to reliably decode the field. from the Secret api doc: |
|
I don't even think you can safely encode \x00 for instance. |
|
I'm just putting out on the table the idea of losing the ability to pass through arbitrary raw binary, for the benefit of people not worrying about their password xyzzy coming through in base64, in what is somewhat an entry level technology anyway. Feel free to say no. The loss is when the binary can't be decoded into a UTF-8 string. @smarterclayton I think anything UTF-8 is then representable in json including \x00 - Go marshals it to "\u0000", right? |
i don't suppose there's a way to encode into the jsonpath extraction, whether we want the base64 encoded form, or the string form. Potentially it could be encoded into the annotation key itself. (default to strings, but if the annotation key is something like "template.openshift.io/expose-binary-mysecret", then we do a base64 encode instead?) Barring that, both choices feel bad. Making app developers base64 decode their passwords is bad. Letting people create binary secrets and then not supporting them in the template broker is bad. |
|
Right now, I'm hearing "base64-encode anything thats []byte under the covers because it's the least worst option that offers fidelity." BTW, did I say I'd love to have api approval on this before Monday UK time so that this has a chance to merge? 😄 |
i like my secondary annotation option that allows users to choose base64 or string encoding. |
|
@openshift/api-review please sign off on the concept of this annotation(with key suffix)+jsonpath extraction scheme. We can iterate on:
as a follow up. |
|
Approved. |
|
@jim-minter squash it and i'll merge. we can negotiate the binary-content behavior on monday. |
jim-minter
force-pushed
the
trello133-tsb-bind
branch
from
6d95eba
to
51abb59
Compare
|
@bparees updated, ptal. |
|
The following PRs have been opened which should hopefully mean that this PR is mergeable as is, at least from an examples/quickstarts point of view: sclorg/cakephp-ex#72 |
pkg/template/servicebroker/bind.go
Outdated
| for _, r := range results { | ||
| switch len(r) { | ||
| case 0: | ||
| // shouldn't happen |
There was a problem hiding this comment.
do we not want to at least log an error indicating what the jsonpath was and the object we searched, if this happens then?
pkg/template/servicebroker/bind.go
Outdated
|
|
||
| default: | ||
| // we don't permit individual JSONPath expressions which return | ||
| // multiple objects as we haven't decided how these should be output |
There was a problem hiding this comment.
this should be part of the api doc for the annotation. (that the jsonpath expression must select non-compound fields)
jim-minter
force-pushed
the
trello133-tsb-bind
branch
from
51abb59
to
56917d4
Compare
|
@bparees nits addressed, please merge |
|
[merge] @jim-minter we need follow up discussion with @openshift/api-review to finalize agreement on:
Probably best to open that as a fresh issue and have the discussion there. |
|
at least one of these failures is legit: |
jim-minter
force-pushed
the
trello133-tsb-bind
branch
from
56917d4
to
6db9d38
Compare
|
oops, forgot to update error message in unit test - fixed and pushed |
|
@bparees tests passed please rehit merge |
|
[merge][severity:blocker] |
openshift-bot
added
the
needs-rebase
|
continuous-integration/openshift-jenkins/merge Waiting: You are in the build queue at position: 10 |
|
Weird [test] |
jim-minter
force-pushed
the
trello133-tsb-bind
branch
from
6db9d38
to
a8b2dba
Compare
jim-minter
removed
the
needs-rebase
|
rebased. [test] |
|
Evaluated for origin testextended up to a8b2dba |
|
re[merge][severity:blocker] |
|
Evaluated for origin merge up to a8b2dba |
|
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/638/) (Base Commit: 967d057) (PR Branch Commit: a8b2dba) (Extended Tests: core(templates)) |
|
[test]
…On Fri, Jun 16, 2017 at 11:40 AM, OpenShift Bot ***@***.***> wrote:
continuous-integration/openshift-jenkins/test FAILURE (
https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2307/)
(Base Commit: 967d057
<967d057>)
(PR Branch Commit: a8b2dba
<a8b2dba>
)
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#14486 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEvl3hSepvmjeUcEzaDbeVmTXCXbzaXHks5sEqHngaJpZM4NxQgx>
.
--
Ben Parees | OpenShift
|
|
[test]
…On Fri, Jun 16, 2017 at 2:08 PM, OpenShift Bot ***@***.***> wrote:
continuous-integration/openshift-jenkins/test FAILURE (
https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2316/)
(Base Commit: 4aa3720
<4aa3720>)
(PR Branch Commit: a8b2dba
<a8b2dba>
)
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#14486 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEvl3mIPaYYj5BqI6FkRGP_AE1M0FNoiks5sEsSagaJpZM4NxQgx>
.
--
Ben Parees | OpenShift
|
|
Evaluated for origin test up to a8b2dba |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2326/) (Base Commit: d40783e) (PR Branch Commit: a8b2dba) |
https://trello.com/c/PFfBJOsO