Allow reading configuration from Kubernetes secrets #10939
Conversation
boring-cyborg
bot
added
area/dependencies
|
Ah, and one more important thing that also needs a bit of a discussion: this PR contains an SPI breaking change. I renamed (Also, I originally envisioned a generic build item that would carry arbitrary Kubernetes resources, but that would require exposing Dekorate as public SPI. Which is probably a bad idea at this point. So I went with adding a build item for the one Kubernetes resource type I needed, which is a role.) |
|
Cool, thanks @Ladicek ! I'll have a look tomorrow |
|
Although breaking the SPI is obviously something we don't want to do, I think in this case it's warranted. The new names make perfect sense and furthermore it's very unlikely that any piece of code outside this extension depends on the changed build item. |
...s/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java
Show resolved
Hide resolved
extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBuildItem.java
Show resolved
Hide resolved
| @@ -732,11 +736,16 @@ private void applyBuildItems(Session session, | |||
| .forEach(p -> session.configurators().add(new AddPort(p))); | |||
|
|
|||
| //Handle RBAC | |||
| // TODO why this condition? | |||
There was a problem hiding this comment.
I don't remember TBH... To me it doesn't seem reasonable (it might have made sense in the past?).
@iocanel do you remember?
There was a problem hiding this comment.
The condition seems wrong. The actual condition should be when kubernetes-client is added to the project or something like that.
extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBuildItem.java
Show resolved
Hide resolved
...runtime/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesConfigSourceConfig.java
Show resolved
Hide resolved
...kus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesConfigWithSecretsTest.java
Show resolved
Hide resolved
bom/application/pom.xml
Outdated
| @@ -145,7 +145,7 @@ | |||
| <aws-alexa-sdk.version>2.30.0</aws-alexa-sdk.version> | |||
| <azure-functions-java-library.version>1.3.0</azure-functions-java-library.version> | |||
| <kotlin.version>1.3.72</kotlin.version> | |||
| <dekorate.version>0.12.6</dekorate.version> | |||
| <dekorate.version>0.12-SNAPSHOT</dekorate.version> | |||
There was a problem hiding this comment.
Let's not forget to change this one :P
There was a problem hiding this comment.
Yea. Hopefully dekorateio/dekorate#594 will get some attention :-)
| import io.dekorate.kubernetes.decorator.ResourceProvidingDecorator; | ||
| import io.quarkus.kubernetes.spi.KubernetesRoleBuildItem; | ||
|
|
||
| class AddRoleResourceDecorator extends ResourceProvidingDecorator<KubernetesListBuilder> { |
There was a problem hiding this comment.
LGTM, but this is one that @iocanel will have to give the OK for
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
9ffc17d to
74eb333
Compare
| && !buildTimeConfig.secretsEnabled) { | ||
| log.warn("Configuration is read from Secrets " + config.secrets.get() | ||
| + ", but quarkus.kubernetes-config.secrets.enabled is false." | ||
| + " Check if your application's service account has enough permissions to read secrets."); |
There was a problem hiding this comment.
Is it just me, or does the last sentence seem out of place?
There was a problem hiding this comment.
I wanted to say that what the user ultimately needs to do is not setting our config property, but make sure that the app's service account has access to secrets.
Obviously quarkus.kubernetes-config.secrets.enabled is the easiest way, if people use the Kubernetes extension. But that doesn't always have to be the case.
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
74eb333 to
dfc1f6e
Compare
|
Added docs. |
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
dfc1f6e to
412d10a
Compare
|
@iocanel can you please take a look at this? It would be nice to have it in for 1.7 |
|
Will look later today |
gsmet
changed the title
|
We'll obviously need a dekorate release and a rebase to fix the confict. |
|
If we can get a Dekorate release, I think this can go into 1.7, yea. |
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
412d10a to
a19aab0
Compare
|
Rebased and resolved the conflict. |
|
Great, so all we need is a dekorate release and we're good |
|
Excellent, thank you both for driving this one home! |
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
a19aab0 to
29c6d11
Compare
|
Updated PR, will let CI run in my fork and then un-WIP. |
This reverts commit 0c71c47 and adds a couple of cleanups. Most importantly, the issue which caused this functionality to be removed remains: the application by default runs under a role that doesn't have access to secrets. This is marked with one TODO in the code and will be addressed in a subsequent commit.
The `kubernetes` extension automatically generates a RoleBinding that refers to the `view` ClusterRole. This ClusterRole doesn't allow access to secrets. This commit therefore adds a configuration property which, when enabled, makes the `kubernetes` extension generate a special Role `view-secrets` and a second RoleBinding referring to that role. This configuration property is build-time only and has no other effect. With this configuration in place, there's nothing preventing the application from reading Secrets directly from the API server. For convenience, a warning is printed at runtime if configuration is read from Secrets yet the property is disabled.
Ladicek
force-pushed
the
kubernetes-config-secrets
branch
from
c33bc0c to
571aaef
Compare
|
Fixed a failing unit test (I didn't run it locally before, just the integration tests) and un-WIP-ed. |
|
There is a weird CI failure that is almost certainly a system failure, but because it happened on the Kubernetes tests, I want to avoid any surprises, so I'll restart CI |
|
And merged! Thanks! |
|
🎉 |
@geoand, @iocanel, this is a follow-up to #8644 as discussed in https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/Using.20k8s.20secrets.20as.20a.20configuration.20source. See commit messages for details.
I'm creating this as a draft so that CI can run in my fork, and also because:
TODOin the code that I'd like to discuss with you guys;