-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(k8s): dynamic account config #3824
feat(k8s): dynamic account config #3824
Conversation
@scottfrederick @ezimanyi submitting a new PR for feedback. It was easier to implement @scottfrederick suggestions on a wholly new branch. Per his feedback, I've implemented credential synchronization on the 2 provider config classes to prevent the circular dependency between the synchronizer and I'm still not sure what the |
Oh, one more thing I forgot to mention - each time credentials are refreshed we go through the whole check permissions process unless |
Me too! Aside from some cleanup (which I assume is why it's still WIP), this looks like it should work. It looks like you'll need |
@scottfrederick I started working on that in the next commit but got distracted by something else. I'll either have it up today or next week. |
I ran into a bit of a blocker while implementing the cc @ezimanyi |
With respect to the above comment - while the initialization of credentials is a performance problem it isn't necessarily a blocker to implementing this functionality (dynamic accounts) but more of a tradeoff that can be addressed in a subsequent PR. I'll ensure that this PR is cleaned up and ready to merge before addressing that issue. |
8256d87
to
e639263
Compare
@ezimanyi @scottfrederick I think this is ready for an official review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ethanfrogers I ran into something when testing this. When kubeconfigFile
is a reference to an external file like configserver:kubeconfig
(after the PR to support that was merged), KubernetesV2Credentials#equals()
will never return true
, and therefore KubernetesNamedAccountCredentials#equals()
will never return true
, and therefore the account sync logic sees the account as "changed" on each refresh.
The root cause of this is that in this scenario each new KubernetesNamedAccountCredentials
results in a new temp file being generated with a unique name.
It seems like it would be important for the account sync to know if the kubeconfigFile
value were changed on refresh. Maybe ConfigFileService
should create a file with a known name in the system tmp dir instead of generating a random file name each time? Kubernetes provider is the only thing using the code path through ConfigFileService
that writes the config server file contents to a local file in the container.
AccountCredentialsRepository accountCredentialsRepository, | ||
KubernetesV1CachingAgentDispatcher kubernetesV1CachingAgentDispatcher) { | ||
this.kubernetesV1Provider = new KubernetesV1Provider(kubernetesCloudProvider, Collections.newSetFromMap(new ConcurrentHashMap<Agent, Boolean>())) | ||
class KubernetesV1ProviderConfig implements CredentialsInitializerSynchronizable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A name like KubernetesV1ProviderSynchronizable
would be better, since this is no longer an @Configuration
class.
@DependsOn("kubernetesNamedAccountCredentials") | ||
KubernetesV2Provider kubernetesV2Provider( | ||
KubernetesCloudProvider kubernetesCloudProvider, | ||
public class KubernetesV2ProviderConfig implements CredentialsInitializerSynchronizable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
KubernetesV2ProviderSynchronizable
would be better
See #3833 to fix the issue of temp files on refresh. |
e639263
to
567c91e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this looks really good! I left a number of inline comments about specific things.
One more general thing is I'd like to see some more tests validating this; at a minimum the tests that were deleted should be recreated in the right place to ensure the logic they were testing is not broken.
.../main/groovy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubeconfigFileHasher.java
Outdated
Show resolved
Hide resolved
.../main/groovy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubeconfigFileHasher.java
Outdated
Show resolved
Hide resolved
...com/netflix/spinnaker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentials.java
Outdated
Show resolved
Hide resolved
...tflix/spinnaker/clouddriver/kubernetes/v1/provider/KubernetesV1ProviderSynchronizable.groovy
Outdated
Show resolved
Hide resolved
this.kubernetesSpinnakerKindMap = kubernetesSpinnakerKindMap | ||
this.catsModule = catsModule | ||
|
||
ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor(new NamedThreadFactory(KubernetesV1ProviderSynchronizable.class.getSimpleName())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this being used at all? It looks like we just create it and let it go out of scope.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's something I was confused about. We were doing this in the previous version of this file but I could not figure out what it was actually used for.
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
...groovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
Outdated
Show resolved
Hide resolved
60c999f
to
6a2be6d
Compare
@ezimanyi I've addressed most of the feedback so far. I only need to address the bit about the |
ab26920
to
68bdb72
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good! Three tiny comments inline.
The only remaining question from the first review is if we can remove the poller
objects...I'm pretty sure they're not needed (unless they are doing something crazy that I don't understand) but also am fine leaving them if they were there before and we don't want to add to this change.
@@ -66,12 +67,17 @@ class KubernetesConfigurationProperties { | |||
} | |||
|
|||
@ToString(includeNames = true) | |||
@EqualsAndHashCode(onlyExplicitlyIncluded = true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For something like this where you're going to include everything, might be easier to leave out the onlyExplicitlyIncluded
(though this may just be leftover from when you were testing this as I think you said this class was behaving strangely).
|
||
@Getter private boolean metrics; | ||
@Getter private final boolean debug; | ||
@Include @Getter private boolean metrics; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we could remove the @Getter
on the metrics
now to make it more clear that consumers shouldn't care. (I think it's used in one test, but that test should probably just check the computed one.)
@@ -0,0 +1,126 @@ | |||
/* | |||
* Copyright 2019 Netflix, Inc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Netflix/Armory/
7125fa1
to
89e12e1
Compare
implement credential synchronization for kubernetes accounts. defines `CredentialsInitializerSynchronizable` on the `KubernetesV*ProviderConfig` classes. Each of these classes is responsible for handling accounts for each provider version.
renames provider config classes to synchronizable since there is no longer an `@Configuration` annotation.
adds a `kubeconfigFileHash` property which enables us to determine if the file contents of the kubeconfig file changed even if the path hasn't changed. this kind of change warrants an account refresh becuase the credentials used by the account may have possibly changed.
previously, we were modifying omitKinds when an account was initialized. this caused calls to `equals` to fail because they didn't match configured omitKinds. this change defers to `omitKindsComputed` so that checking new and existing credentials is accurate according to how the account it configured. this allows us to only initialize modified or new accounts rather than every credential.
addressing PR feedback
89e12e1
to
00c7d65
Compare
implement credential synchronization for kubernetes accounts. defines
CredentialsInitializerSynchronizable
on theKubernetesV*ProviderConfig
classes. Each of these classes isresponsible for handling accounts for each provider version.