feat(kubernetes,google): Support retrieving config files from config server. #3812
Conversation
This looks great! A few localized comments inline, but in general this looks really good.
clouddriver-core/src/main/groovy/com/netflix/spinnaker/clouddriver/data/ConfigFileService.java
...river-core/src/test/groovy/com/netflix/spinnaker/clouddriver/data/ConfigFileServiceTest.java
clouddriver-web/src/test/groovy/com/netflix/spinnaker/clouddriver/MainSpec.java
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Latest changes look good, except one comment below.
...r-core/src/main/groovy/com/netflix/spinnaker/clouddriver/cache/CloudConfigRefreshConfig.java
Looks good!
This PR adds support for reading files from an external Spring Cloud Config Server backend (e.g. a git repository) for the purposes of keeping account secrets out of Spinnaker configuration files. See the design document for more information: https://docs.google.com/document/d/1Y7SIgobc8_CCFmFZLRUGl-76sfHWlprFYGy992S5U4A/edit#heading=h.sai17pl3aws8.
The following fields have external configuration enabled with these changes:

- kubernetes account field `kubeconfig`
- google account fields `json-path` and `user-data-file`

If these fields have a value that starts with `configserver:` then the value following the prefix will be loaded as a resource from a Config Server. Without the prefix the value will be used as an absolute path to a file on the filesystem as before. The google account fields are read from the Config Server backend into memory on the clouddriver pod, and are never written to the filesystem. The kubernetes `kubeconfig` must be read from Config Server and stored as a temp file on the pod filesystem because the Fabric8 API used by the v1 provider and the `kubectl` commands used by the v2 provider both require a local file. This is an incremental improvement over storing kubernetes context info as a persistent file on the pod filesystem, as the temp file is more obfuscated and ephemeral, but we should investigate a way to remove this need for a temp file.
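The prefix convention described in the PR, shown as an added illustration rather than clouddriver's own `ConfigFileService`. The class name, the `configServerFetcher` function and the in-memory map standing in for the Config Server backend are assumptions made for this example; the two code paths mirror the description: the google fields stay in memory, while the kubeconfig is written to an owner-only temp file because Fabric8 and `kubectl` need a path.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

/** Illustrative only: follows the "configserver:" convention from the PR text, not the real clouddriver code. */
public final class ConfigServerPrefixExample {
  static final String PREFIX = "configserver:";

  /** Hypothetical fetcher: maps a Config Server resource name to its contents (null if absent). */
  private final Function<String, String> configServerFetcher;

  ConfigServerPrefixExample(Function<String, String> configServerFetcher) {
    this.configServerFetcher = configServerFetcher;
  }

  /** google json-path / user-data-file case: contents are returned in memory, never written to disk. */
  String getContents(String value) throws IOException {
    if (value.startsWith(PREFIX)) {
      String resource = value.substring(PREFIX.length());
      String contents = configServerFetcher.apply(resource);
      if (contents == null) {
        throw new IOException("Config Server has no resource named " + resource);
      }
      return contents;
    }
    // No prefix: unchanged behaviour, the value is an absolute path on the pod filesystem.
    return new String(Files.readAllBytes(Paths.get(value)), StandardCharsets.UTF_8);
  }

  /** kubernetes kubeconfig case: Fabric8 and kubectl need a local file, so write an owner-only temp file. */
  Path getLocalPath(String value) throws IOException {
    if (!value.startsWith(PREFIX)) {
      return Paths.get(value); // unchanged behaviour: the value already is a local path
    }
    String contents = getContents(value);
    // rw------- so other users on the node cannot read the cluster credentials (POSIX filesystems only).
    Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
    Path tmp = Files.createTempFile("kubeconfig-", ".yml", PosixFilePermissions.asFileAttribute(ownerOnly));
    Files.write(tmp, contents.getBytes(StandardCharsets.UTF_8));
    tmp.toFile().deleteOnExit(); // ephemeral: removed on normal JVM exit, but not on a hard crash
    return tmp;
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample data: an in-memory stand-in for the Config Server backend.
    Map<String, String> backend = Map.of(
        "kubeconfig-prod.yml", "apiVersion: v1\nkind: Config\nclusters: []\n",
        "gce-sa.json", "{\"type\": \"service_account\"}\n");
    ConfigServerPrefixExample svc = new ConfigServerPrefixExample(backend::get);

    // google field: stays in memory
    System.out.print(svc.getContents("configserver:gce-sa.json"));

    // kubernetes field: temp file the provider can hand to kubectl
    Path kubeconfig = svc.getLocalPath("configserver:kubeconfig-prod.yml");
    System.out.println(kubeconfig + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(kubeconfig)));
  }
}
```

Two checks worth making against whatever implements this for real: confirm the temp file is created with owner-only permissions rather than relying on the default umask of `java.io.tmpdir`, and remember that `deleteOnExit` does not run if the pod is killed, which is the residual exposure the PR author flags in asking for a way to remove the temp file altogether.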