Helm upgrades #1779
Helm upgrades #1779
Conversation
|
I think the question here is should this be "weave-gitops" or "gitops-server" (there're also places we refer to it as "wego-app" still). I don't mind which we go with and, yes, once one is chosen happy to update as many places as I can find.
Good catch, will go and check |
|
This work looks awesome. Assuming we are using |
| * Service, this is optional as you may want to limit access to the UI to via | ||
| port-forwarding | ||
| * Ingress | ||
| * Test User -- A test user with hard-coded username & password with minimal |
There was a problem hiding this comment.
The test user is actually a backup admin user in the case that OIDC is failing and cluster ops need to do things.
It is currently undergoing some feature realignment, see the thread here: https://weaveworks.slack.com/archives/C03244W0C8H/p1647967858091769
There was a problem hiding this comment.
Why would you have a backup admin with only read permissions?
There was a problem hiding this comment.
because those are all i added so far 🙃 , probably because that is all wego core can do right now
There was a problem hiding this comment.
from a point of least privilige I'd like to only make it a requirement/recommendation when it's actually in a position to fulfill those extended duties ;)
| username: {{ .Values.testUser.username | b64enc | quote }} | ||
| password: {{ .Values.testUser.password | b64enc | quote }} |
There was a problem hiding this comment.
do these need to be b64enc here? i think i remember that k8s will do that automagically when the secret is created
There was a problem hiding this comment.
you do (I just checked against a kind cluster with a simple helm chart). I think the auto-b64encode is only when you use kubectl
There was a problem hiding this comment.
i swear i have seen that as well when just doing like a:
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
Namespace: "bar",
},
Type: "Opaque",
Data: map[string][]byte{
"key": []byte("value"),
},
}
return yaml.Marshal(secret)even then it is encoded
o well, idk what the rules are 🙃
There was a problem hiding this comment.
bold of you to assume there're rules ;)
| replicaCount: 1 | ||
|
|
||
| image: | ||
| # FIXME check the app name |
There was a problem hiding this comment.
is this a thing you wanted to fix now?
There was a problem hiding this comment.
negotiations are on going https://weaveworks.slack.com/archives/C03244W0C8H/p1647972249151359 :p
Ideally yes but it's not a blocker on this and it may need a wider conversation
charts/gitops-server/values.yaml
Outdated
| # To enable enterprise OIDC: | ||
| # envVars: | ||
| # - name: WEAVE_GITOPS_AUTH_ENABLED | ||
| # value: true |
There was a problem hiding this comment.
this flag is also needed for the admin user login flow, just in case you wanted to note that.
i think it gates all login functionality, in core as well as ent
There was a problem hiding this comment.
Would it make more sense to turn this into a variable then, something like:
# Sets the WEAVE_GITOPS_AUTH_ENABLED environment variable to enable login
enable_login: true| # in order to work with weave-gitops enterprise | ||
| viewSecrets: [] | ||
|
|
||
| # This should not be used in production |
There was a problem hiding this comment.
this will (could optionally if they want to) be used in production, we have hijacked the current implementation for easy dev cycles, but it is not meant for that
There was a problem hiding this comment.
I'm unclear as to why this would be used in production, is there a ticket for clarifying/resolving it's use there?
There was a problem hiding this comment.
see that thread I linked. the AdminUser feature is a deliberate one for prod.
I have to write up the tickets now
There was a problem hiding this comment.
cf. above thread, is there a reason not to change this when those changes are implemented?
There was a problem hiding this comment.
you mean when #1787 is done? yep makes sense
| # capabilities: | ||
| # drop: | ||
| # - ALL | ||
| # readOnlyRootFilesystem: true |
There was a problem hiding this comment.
just for context, if users make the pod fs read only, i think the profiles mechanism will fail as it writes a disk-based cache
There was a problem hiding this comment.
Is the profiles mechanism supposed to always be available? I was unclear as to whether it was an enterprise only feature. (this is default copy but once its use is clarified I can update & fix this).
There was a problem hiding this comment.
See this thread here: https://weaveworks.slack.com/archives/C03244W0C8H/p1646387603804719
There was a problem hiding this comment.
(It has no resolution and I am still confused, but just for context)
There was a problem hiding this comment.
actually re-reading it does have a resolution, i'll create a ticket to have it behind a flag.
then we can decide what we want to do with it.
i would like it running as a separate service personally.
There was a problem hiding this comment.
I'm unsure what it does but it feels like it's separate to what the rest of the ui is (currently) doing
There was a problem hiding this comment.
yep 💯 Core v2 has no real concept of what profiles are yet. so let's shuffle it away until they come into scope
charts/gitops-server/values.yaml
Outdated
| username: not-production-worthy | ||
| password: seriously-change-me |
There was a problem hiding this comment.
we should note that these need to be bcrypted not plain-text
There was a problem hiding this comment.
is that in addition to base64 encoded to make them k8s secrets?
There was a problem hiding this comment.
yes. the code will do this: https://github.com/weaveworks/weave-gitops/blob/main/pkg/server/auth/server.go#L308-L313
There was a problem hiding this comment.
(turns out helm has a handy htpasswd function
I think waiting until the interface is a bit more stable would be best. There are a lot of environment variables and parameters that aren't currently exposed which probably should be (I've not because I'm unsure what they all do and how they interact). |
|
I've created a ticket, #1784, to cover the work in exposing the rest of the various flags & envars that are available to configure the server. @Callisto13 I think this may cover some of the stuff WRT use of the admin user as well? |
|
Yep that's fine. We can leave getting the admin user stuff "correct" until we have smoothed out exactly what it is for and what it does. |
Helm has a lot of conventions that our existing chart doesn't conform to. Create a new chart using `helm create gitops-server` that things can be ported over to
Set e.g. chart name etc based on values in previous version of the chart
As far as I can imagine the gitops-server should never be serving so much traffic that it needs to autoscale. If it does you probably want to do something custom anyway.
Make sure we have the correct permissions for the service account by default
As the gitops-server is effectively an ops tool it may be desirable to run it with no service resource with access carried out by port-forwarding or via some other mechanism.
We need a test-user. I'm not sure if this should exist in the main chart or be included as a sub-chart but their effectively equivalent and, in theory, as our testing matures this should be something we can remove.
The admin user name & secret location are hard coded into the server config and there are several questions outstanding for how it will be used so, rather than add further confusion by trying to change the name, go back to the original name and make sure that works.
|
@Callisto13 I've reverted a load of the 'admin user' bits to closer how they were previously because they're hard coded elsewhere. I've tested it all and I don't think I've broken anything |
| and specific resources that the service account can impersonate. e.g. | ||
| ```yaml | ||
| rbac: | ||
| create: true |
There was a problem hiding this comment.
It is not like users have a choice here, they must have impersonation setup otherwise nothing works. So ideally we could have some default values as impersonaionResouces and impersonationResourceNames but allow configuration of those here.
There was a problem hiding this comment.
I've improved how the defaults for impersonationResources is set in ca34285
Much as I'd love to provide defaults for impersonationResourceNames I can't think of a good way to do so. The best solution I've come up with would be to create some default groups (e.g. viewer and editor) that are then the only things to be impersonated. The problem with this is that it requires the user's k8s authentication system to be configured to support them. I suspect this is best solved via documenting common processes for it but that feels very out of the scope of this PR (I'm also not 100% sure this is the best way to do it, I'm not sure who might be the best person to cover this sort of security work).
There was a problem hiding this comment.
definitely, we can't set anything there since there is no way for us to know what groups the companies use. I'm good with that, the important bit that's allowing configuration is there, it should be enough.
Using `toJson` keeps everything on one line which improves legibility
Closes: #1778
What changed?
helm create)impersonationscope. This is important for production usage as without a limited scope on this permission the app can impersonatesystem:masterswhich is unacceptablewego-adminuser (now renamedwego-test-user) an optional creationadditionalArgsandenvVarsfor greater flexibilityWhy?
--insecurefor deployment (and handle TLS termination in the LB)... things got out of handHow did you test it?
Running
helm templatewith various settings, e.g.:$ helm template -n TEST --dry-run --debug \ --set resources.limits.cpu=320,resources.limits.memory=666 \ --set resources.requests.cpu=125,resources.requests.memory=333 \ --set additionalArgs='{a,b,c}' \ --set envVars\[0\].name=TEST,envVars\[0\].value=foo,envVars\[1\].name=bar \ --set rbac.impersonationResources='{user,group,serviceaccout}' \ --set rbac.impersonationResourceNames='{foo,bar}' test ./charts/gitops-serverDocumentation Changes
The notes from the README.md should be reflected in the main line website docs (probably in
gitops-dashboard) but those look like they need a top-to-bottom overhaul so I wasn't sure where to start.Note
Ideally the permissions granted to the service account should be further reduced. As I understand it the non-
impersonatestanzas exist to support profiles which is not a default use of the UI so should probably be removed but doing so (currently) stops the UI working. I think this should be fixed.