[DO NOT MERGE] secrets enhancements #18586
Conversation
|
Labelling this PR as size/XL |
k8s-github-robot
added
kind/api-change
|
GCE e2e test build/test passed for commit 60145451ec23be6b41679669ebcb2a84edfba4cd. |
|
GCE e2e test build/test passed for commit 68efb8c. |
k8s-github-robot
added
the
needs-rebase
|
GCE e2e test build/test passed for commit 68efb8c. |
| // SecretVolumeFile represents a single secret key projected into a file. | ||
| type SecretVolumeFile struct { | ||
| // A reference to the secret key to project into the volume. | ||
| SecretKeySelector `json:",inline"` |
There was a problem hiding this comment.
Two observations on this for discussion.
-
This allows multiple Secrets to project into a single mount. I don't have a problem with this.
-
This makes the case of projecting multiple keys from a single Secret harder in that you have to name the Secret over and over. I feel like this would be a common case, especially for ConfigMap which should probably follow the same pattern as Secret.
How bad would it be for the volume to look like:
name: MySecrets
secret:
secretName: app-secret
items:
- key: username
path: username.txt
- key: password
path: password.txt
(note this breaks the multi-secret-in-one-mount property)
and the env to look like:
- name: USERNAME
valueFrom:
secretRef:
secretName: app-secret
key: username
(note that this means they use different structs)
There was a problem hiding this comment.
How bad would it be for the volume to look like:
name: MySecrets
secret:
secretName: app-secret
items:
- key: username
path: username.txt
- key: password
path: password.txt
I like this better from a stylistic standpoint, actually. It feels really chatty having to specify the secret name for each file. You are correct, the current state of this PR does make it possible to mount multiple secrets into a volume. I have no problem with using different structs to implement your API though from a class standpoint it seems a little fine-grained to have to split types, I don't think it's a huge deal.
We wanted the config map and secrets to be similar from an API standpoint, and what you suggest is a change from what we agreed to for config map in https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/configmap.md#consuming-configmap-as-volumes. So, do we want to consider whether the API for configmap volumes should also change? From a user standpoint, I guess the question is whether people need to be able to compose a single volume from multiple instances of a resource, or whether volume plugins should deal with a single instance of a resource only.
Thinking about API compatibility, the current state of this PR does seem a little dicey to me now. An older client would always have to submit valid pods with secretName set, but older clients would see a secret volume without secretName set, which are invalid. @bgrant0607 is that an issue?
There was a problem hiding this comment.
You're right that this looks like an API break. I think my proposal avoids that, too.
I do think we should use the same model for ConfigMap and Secrets, and I think the linked proposal should be changed.
If we eventually need to compose multiple ConfigMaps or Secrets into a single directory, we could pluralize and have a list of {name, items[]}, leaving the singular one as the first instance. It's a little clunky but it gives us a compatible API that can be fixed in v2.
There was a problem hiding this comment.
Alt model: a single "managed data volume source" that covers downward api, config map, and secret:
name: my-mega-dir
items:
- configMapName: my-config-map
files:
- key: config
file: myapp.conf
- secretName: my-secret
files:
- key: password
file: path/passwd.txt
- dowardAPI:
apiVersion: v1
fieldPath: metadata.name
file: myapp.name.txt
I am not sure this is better, but it's an idea.
There was a problem hiding this comment.
@thockin we are getting 10 replies deep to a comment on a commit, breaking this discussion out to the main PR.
There was a problem hiding this comment.
@pmorie We cannot change fields from required to optional or vice versa, since the former breaks readers and the latter breaks writers. We have fixed the specification of omitempty to match the existing behavior a few times, but that's different than changing the observed behavior.
k8s-github-robot
removed
the
needs-rebase
|
@thockin thanks for the review comments -- I've just rebased this and noticed your comments in between meetings, will think on them. I'm not opposed to changing this around a bit. |
|
GCE e2e build/test failed for commit 9596d3cb33beb3abc8c84d5bd6097bd664647d3d. |
|
@sdminonne This is also relevant to your interests |
k8s-github-robot
added
the
needs-rebase
|
Replying on main PR to comment on commit at #18586 (comment) @thockin @smarterclayton @bgrant0607 @erictune
I was thinking about that possibility this weekend. Here's where I eventually wound up on it after some digestion today. TL;DR might be an efficient way to combine these concerns in a way that users like.
Now, let me submit some additional brain damage for consideration. I think what users want in addition to |
|
@pmorie @thockin Re. an all-in-one volume source: As long as it's possible to have multiple ManagedDataVolumeSources, I guess that would be ok. People will want to automatically inject new such volume sources. For instance, for servicing linking, I'd imagine automatically injecting environment variables, downward API, secret, and configmap data. I totally agree that people will want to map config files into /etc and other standard linux directories. Do you think anyone would want service link info in the form of files, or only env vars? I would like to move to explicit downward API for service links at some point. |
I would guess that most web developers are used to env vars. That doesn't mean they couldn't switch to using files, but env vars are fairly common. |
I don't see a reason not to make the information available in volume form, especially if it's a matter of adding a new thing to the all-in-one-volume |
|
Rebase is just to recut #18298 from this before I close it out and open a new PR for the all-in-one volume. |
k8s-github-robot
removed
the
needs-rebase
|
GCE e2e build/test failed for commit 5ae0da33df8f74c2dd3168cfac3e7b8ef088c9c9. |
k8s-github-robot
added
the
needs-rebase
|
Injecting files into directories requires a) making a null file as a On Wed, Jan 13, 2016 at 8:24 AM, Brian Grant notifications@github.com
|
|
Whether we do an all-in-one should derive from use-cases. Have we heard I think least resistance path is to do a single dir, with multiple Projecting individual files is a whole different topic that certainly On Fri, Jan 15, 2016 at 10:44 AM, Tim Hockin thockin@google.com wrote:
|
|
@thockin I'm inclined to agree with you about this:
I'll proceed for configMap with the agreed upon design, and peel off issues for all-in-one volume and projecting individual files into container FS. |
k8s-github-robot
removed
needs-rebase
|
Labelling this PR as size/XXL |
k8s-github-robot
added
the
size/XXL
|
GCE e2e test build/test passed for commit a8d1f5545a6f77fd07884cf90ab3cc8a85c7f17e. |
|
Once again, I am in a situation where the codecgen generates changes, and verify-codecgen rejects them. Currently on Golang 1.4. I'll switch to 1.5 and see what happens. In this specific situation, the exact behavior is that verify-codecgen.sh fails on my dev machine, jenkins, and travis. In the past there have been other permutations. |
|
#19768 seems to have fixed the issues I was having earlier. |
k8s-github-robot
removed
the
size/XXL
|
Labelling this PR as size/XL |
k8s-github-robot
added
the
size/XL
|
GCE e2e test build/test passed for commit d7ce434. |
k8s-github-robot
added
the
needs-rebase
| - name: secret-volume | ||
| secret: | ||
| items: | ||
| - name: test-secret |
There was a problem hiding this comment.
I thought we had agreed that the design would move to:
volumes:
- name: secret-volume
secret:
secretName: test-secret
items:
- key: data-1
path: special/path/__special_thing-1.dat
- key: data-2
path: special/path/__special_thing-2.dat
for all of the examples, showing 2 keys makes the YAML much clearer.
There was a problem hiding this comment.
as per a comment in a different PR, this might want to change to:
volumes:
- name: secret-volume
secret:
name: test-secret # an embedded LocalObjectRef
items:
- key: data-1
path: special/path/__special_thing-1.dat
- key: data-2
path: special/path/__special_thing-2.dat
|
I'm closing this PR out and will open a new one with changes to the secret volume plugin as a follow-up. |
|
Closing; will open a new PR for secrets volume changes. |
Forking from #18298 to consider together with WIP on #4789. Currently includes #18580 to get unit tests working.
This WIP adds secrets in envs and fine-grained control over the location of secret data within secret volumes.
@erictune @thockin @bgrant0607 @liggitt @deads2k @smarterclayton
Known issues at this time (will fix in next pass):