feat(k8s): dynamic account config #3824
Conversation
ethanfrogers
changed the title
|
@scottfrederick @ezimanyi submitting a new PR for feedback. It was easier to implement @scottfrederick suggestions on a wholly new branch. Per his feedback, I've implemented credential synchronization on the 2 provider config classes to prevent the circular dependency between the synchronizer and I'm still not sure what the |
|
Oh, one more thing I forgot to mention - each time credentials are refreshed we go through the whole check permissions process unless |
Me too! Aside from some cleanup (which I assume is why it's still WIP), this looks like it should work. It looks like you'll need |
|
@scottfrederick I started working on that in the next commit but got distracted by something else. I'll either have it up today or next week. |
|
I ran into a bit of a blocker while implementing the cc @ezimanyi |
|
With respect to the above comment - while the initialization of credentials is a performance problem it isn't necessarily a blocker to implementing this functionality (dynamic accounts) but more of a tradeoff that can be addressed in a subsequent PR. I'll ensure that this PR is cleaned up and ready to merge before addressing that issue. |
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
2 times, most recently
from
8256d87
to
e639263
Compare
ethanfrogers
changed the title
|
@ezimanyi @scottfrederick I think this is ready for an official review! |
There was a problem hiding this comment.
@ethanfrogers I ran into something when testing this. When kubeconfigFile is a reference to an external file like configserver:kubeconfig (after the PR to support that was merged), KubernetesV2Credentials#equals() will never return true, and therefore KubernetesNamedAccountCredentials#equals() will never return true, and therefore the account sync logic sees the account as "changed" on each refresh.
The root cause of this is that in this scenario each new KubernetesNamedAccountCredentials results in a new temp file being generated with a unique name.
It seems like it would be important for the account sync to know if the kubeconfigFile value were changed on refresh. Maybe ConfigFileService should create a file with a known name in the system tmp dir instead of generating a random file name each time? Kubernetes provider is the only thing using the code path through ConfigFileService that writes the config server file contents to a local file in the container.
| AccountCredentialsRepository accountCredentialsRepository, | ||
| KubernetesV1CachingAgentDispatcher kubernetesV1CachingAgentDispatcher) { | ||
| this.kubernetesV1Provider = new KubernetesV1Provider(kubernetesCloudProvider, Collections.newSetFromMap(new ConcurrentHashMap<Agent, Boolean>())) | ||
| class KubernetesV1ProviderConfig implements CredentialsInitializerSynchronizable { |
There was a problem hiding this comment.
A name like KubernetesV1ProviderSynchronizable would be better, since this is no longer an @Configuration class.
| @DependsOn("kubernetesNamedAccountCredentials") | ||
| KubernetesV2Provider kubernetesV2Provider( | ||
| KubernetesCloudProvider kubernetesCloudProvider, | ||
| public class KubernetesV2ProviderConfig implements CredentialsInitializerSynchronizable { |
There was a problem hiding this comment.
KubernetesV2ProviderSynchronizable would be better
|
See #3833 to fix the issue of temp files on refresh. |
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
from
e639263
to
567c91e
Compare
There was a problem hiding this comment.
Overall this looks really good! I left a number of inline comments about specific things.
One more general thing is I'd like to see some more tests validating this; at a minimum the tests that were deleted should be recreated in the right place to ensure the logic they were testing is not broken.
.../main/groovy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubeconfigFileHasher.java
Outdated
Show resolved
Hide resolved
.../main/groovy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubeconfigFileHasher.java
Outdated
Show resolved
Hide resolved
...com/netflix/spinnaker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentials.java
Outdated
Show resolved
Hide resolved
...tflix/spinnaker/clouddriver/kubernetes/v1/provider/KubernetesV1ProviderSynchronizable.groovy
Outdated
Show resolved
Hide resolved
| this.kubernetesSpinnakerKindMap = kubernetesSpinnakerKindMap | ||
| this.catsModule = catsModule | ||
|
|
||
| ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor(new NamedThreadFactory(KubernetesV1ProviderSynchronizable.class.getSimpleName())) |
There was a problem hiding this comment.
Is this being used at all? It looks like we just create it and let it go out of scope.
There was a problem hiding this comment.
That's something I was confused about. We were doing this in the previous version of this file but I could not figure out what it was actually used for.
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
3 times, most recently
from
60c999f
to
6a2be6d
Compare
|
@ezimanyi I've addressed most of the feedback so far. I only need to address the bit about the |
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
4 times, most recently
from
ab26920
to
68bdb72
Compare
There was a problem hiding this comment.
Changes look good! Three tiny comments inline.
The only remaining question from the first review is if we can remove the poller objects...I'm pretty sure they're not needed (unless they are doing something crazy that I don't understand) but also am fine leaving them if they were there before and we don't want to add to this change.
| @@ -66,12 +67,17 @@ class KubernetesConfigurationProperties { | |||
| } | |||
|
|
|||
| @ToString(includeNames = true) | |||
| @EqualsAndHashCode(onlyExplicitlyIncluded = true) | |||
There was a problem hiding this comment.
For something like this where you're going to include everything, might be easier to leave out the onlyExplicitlyIncluded (though this may just be leftover from when you were testing this as I think you said this class was behaving strangely).
|
|
||
| @Getter private boolean metrics; | ||
| @Getter private final boolean debug; | ||
| @Include @Getter private boolean metrics; |
There was a problem hiding this comment.
I think we could remove the @Getter on the metrics now to make it more clear that consumers shouldn't care. (I think it's used in one test, but that test should probably just check the computed one.)
| @@ -0,0 +1,126 @@ | |||
| /* | |||
| * Copyright 2019 Netflix, Inc. | |||
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
2 times, most recently
from
7125fa1
to
89e12e1
Compare
implement credential synchronization for kubernetes accounts. defines `CredentialsInitializerSynchronizable` on the `KubernetesV*ProviderConfig` classes. Each of these classes is responsible for handling accounts for each provider version.
renames provider config classes to synchronizable since there is no longer an `@Configuration` annotation.
adds a `kubeconfigFileHash` property which enables us to determine if the file contents of the kubeconfig file changed even if the path hasn't changed. this kind of change warrants an account refresh becuase the credentials used by the account may have possibly changed.
previously, we were modifying omitKinds when an account was initialized. this caused calls to `equals` to fail because they didn't match configured omitKinds. this change defers to `omitKindsComputed` so that checking new and existing credentials is accurate according to how the account it configured. this allows us to only initialize modified or new accounts rather than every credential.
addressing PR feedback
ethanfrogers
force-pushed
the
kubernetes-cloud-config-2
branch
from
89e12e1
to
00c7d65
Compare
implement credential synchronization for kubernetes accounts. defines
CredentialsInitializerSynchronizableon theKubernetesV*ProviderConfigclasses. Each of these classes isresponsible for handling accounts for each provider version.