[TEP-0089] - Spire Package #5039
Conversation
tekton-robot
added
do-not-merge/release-note-label-needed
tekton-robot
added
the
needs-ok-to-test
|
Hi @pxp928. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
tekton-robot
added
ok-to-test
|
The following is the coverage report on the affected files.
|
tekton-robot
added
release-note
pkg/spire/controller.go
Outdated
| func NewSpireControllerAPIClient(c spireconfig.SpireConfig) ControllerAPIClient { | ||
| if c.MockSpire { | ||
| return &MockClient{} | ||
| } | ||
| return &spireControllerAPIClient{ | ||
| config: c, | ||
| } | ||
| } |
There was a problem hiding this comment.
I would prefer to have two different factories here, one the tests and one for the actual usage, instead of embedding a MockSpire attribute in the client struct spireControllerAPIClient, it would be more consistent with all the other clients used in the controllers, like Tekton API clients, cloudevents client and cache client.
For instance, if you look at the https://github.com/tektoncd/pipeline/tree/main/pkg/reconciler/events/cache package, there are two clients defined there, the regular one and the mock one.
The knative/pkg injection machinery makes sure that the correct client (regular or mock) is injected into the context, so that when you get the client from the context you get a different one, depending on whether it's unit tests or actual running code.
There was a problem hiding this comment.
@mattmoor may want to have a say on this too 🙏
There was a problem hiding this comment.
Hmm I see. I might need some help setting this up.
There was a problem hiding this comment.
If you don't want to deal with client injection, you could just pass a client rather than the config options in for the reconciler options.
Or since this client creation isn't actually doing too much, test clients could also just override this after the reconciler is created.
There was a problem hiding this comment.
seems do-able, does this look about right? https://github.com/pxp928/pipeline/pull/26/files
There was a problem hiding this comment.
Thanks @lumjjb - that's definitely in the right direction!
The only question I have is whether we could get the config from the context, so that when the client are setup the config is added directly, and we don't need to add it later on. Ideally we should add the client config once, unless we need to support reloading configuration changes at run time. Wdyt?
There was a problem hiding this comment.
Thanks @afrittoli ! It's in a weird spot with the initialization of the TaskRun reconciler, since some of the options come in as CLI arguments. Do you have any recommendations to handle this?
|
Thanks @pxp928 for moving this to a separate PR! I'm reviewing the PR, but I find the module structure and test strategy not 100% clear:
The structure I would expect for this is something like a mock client, that implements only functions that already exists in the original client, something like dial, close, get resource, list resources, create resource, delete resource. The /cc @tektoncd/core-maintainers thoughts? |
Let's setup a meeting and to go through this. @lumjjb and I can talk through the intent for each component of the spire package and determine what changes need to be done. |
|
The following is the coverage report on the affected files.
|
|
/kind feature |
tekton-robot
added
the
kind/feature
pkg/spire/controller.go
Outdated
| func NewSpireControllerAPIClient(c spireconfig.SpireConfig) ControllerAPIClient { | ||
| if c.MockSpire { | ||
| return &MockClient{} | ||
| } | ||
| return &spireControllerAPIClient{ | ||
| config: c, | ||
| } | ||
| } |
There was a problem hiding this comment.
If you don't want to deal with client injection, you could just pass a client rather than the config options in for the reconciler options.
Or since this client creation isn't actually doing too much, test clients could also just override this after the reconciler is created.
pkg/spire/verify.go
Outdated
| return nil, err | ||
| } | ||
| trustPool := x509.NewCertPool() | ||
| for _, c := range x509Bundle[0].X509Authorities() { |
There was a problem hiding this comment.
Should we be looping over all bundles? Would also help protect if len(x509Bundle) == 0
There was a problem hiding this comment.
A trust bundle is a collection of one or more CA root certificates that the workload should consider trustworthy. So it depends on how the spire server is configured. Hence the looping. Added the len(x509Bundle) check
There was a problem hiding this comment.
I could have phrased that better - I meant should we be looping over x509Bundle (as opposed to just the authorities in first one) i.e.
trustPool := x509.NewCertPool()
for _, bundle := range x509Bundle {
for _, c := range bundle.X509Authorities() {
trustPool.AddCert(c)
}
return trustPool, nil
}
There was a problem hiding this comment.
Agreeing with @wlynch and @afrittoli, in term of code organization especially for test.
pkg/spire/config/config.go
Outdated
| } | ||
| if len(unset) > 0 { | ||
| sort.Strings(unset) | ||
| return fmt.Errorf("found unset image flags: %s", unset) |
There was a problem hiding this comment.
I don't think the error is correct here (no image involevd)
There was a problem hiding this comment.
This is part of the phase 1 PR. This PR is missing this context as this is just the breakout for the spire package. The flags are coming from the pipeline controller when its image is initialized.
flag.StringVar(&opts.SpireConfig.TrustDomain, "spire-trust-domain", "example.org", "Experimental: The SPIRE Trust domain to use.")
flag.StringVar(&opts.SpireConfig.SocketPath, "spire-socket-path", "/spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
flag.StringVar(&opts.SpireConfig.ServerAddr, "spire-server-addr", "spire-server.spire.svc.cluster.local:8081", "Experimental: The SPIRE server address for workload/node registration.")
flag.StringVar(&opts.SpireConfig.NodeAliasPrefix, "spire-node-alias-prefix", "/tekton-node/", "Experimental: The SPIRE node alias prefix to use.")
There was a problem hiding this comment.
I think it will be great to make this error more descriptive. This error will be met when SpireConfig is missing all four required flags which in turn means no image initialized 🤔
There was a problem hiding this comment.
changed to "found unset spire configuration flags"
|
The following is the coverage report on the affected files.
|
pxp928
force-pushed
the
package-spire
branch
2 times, most recently
from
f58c601
to
5a536d4
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/retest |
1 similar comment
|
/retest |
tekton-robot
added
the
needs-rebase
|
Hi @pritidesai we've made your requested! Can you take a look at the PR again - would like to get this across the line! Thanks! |
Signed-off-by: pxp928 <parth.psu@gmail.com>
tekton-robot
removed
the
needs-rebase
|
The following is the coverage report on the affected files.
|
There was a problem hiding this comment.
/lgtm
@pritidesai can you take another look at this for approval? 👀
There was a problem hiding this comment.
/hold
@pritidesai @afrittoli one last review before removing the hold 🙏🏼
tekton-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester, wlynch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
Since this PR already has an LGTM from me and has been sitting without additional feedback for weeks, I'm going to go ahead and remove the hold to let this submit. Nothing in this PR is a one-way door decision and is not wired up to the controller yet, so there's not much risk in submitting this even if there is additional feedback. Feel free to continue to leave feedback on this PR - we can follow up with additional PRs if needed! /remove-hold |
tekton-robot
removed
the
do-not-merge/hold
|
Great to see this moving forward! I'm sorry I wasn't able to re-review before, but I'm glad to see progress. |
Signed-off-by: pxp928 parth.psu@gmail.com
Changes
Spire package separated out from #4759 as requested. It includes the spire interface with a mocked spire for testing. As requested by @afrittoli.
/kind feature
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")