Allow Secret & ConfigMap keys to contain caps, dots, and underscores #25458
Conversation
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
2 similar comments
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
k8s-github-robot
added
size/M
| @@ -2340,12 +2340,15 @@ func ValidateServiceAccountUpdate(newServiceAccount, oldServiceAccount *api.Serv | |||
| return allErrs | |||
| } | |||
|
|
|||
| const SecretKeyFmt string = "\\.?" + validation.DNS1123LabelFmt + "(\\." + validation.DNS1123LabelFmt + ")*" | |||
| const DNSSecretKeyFmt string = "\\.?" + validation.DNS1123LabelFmt + "(\\." + validation.DNS1123LabelFmt + ")*" | |||
There was a problem hiding this comment.
I see you defined regexes, but I don't see where you actually use them?
There was a problem hiding this comment.
They get combined with a | on line 2345
There was a problem hiding this comment.
Ohk yeah they didn't need to be const
|
Rather than allowing DNS names or env var names, can we just loosen the regex to |
|
That probably makes sense... we would also need to allow underscores... |
|
@thockin I have pushed something based on the suggestion, its a little more complex than you suggested as there are some tests checking that we don't allow keys with double dots through. I am not sure why that would be an issue though... |
|
Is there a reason that you need the keys to be in a different format? We are adding control over the path and filename within the secret volume, and you have to specify an env var name if you consume a secret as an env var. See #25285 |
|
In #23722 the usecase was that it is harder to build tooling that is targeting environment variables if everything has to have two names. Clearly it is possible to work around this by encoding the names somehow. But I don't know of a good reason why the keys should be limited this much? I just think it would be a good thing to make the interface simple to folks building tooling on bash and such. At the moment in my tool the we are hex encoding keys where they are env var names, but that has the downside that they get longer and are totally unreadable by someone using kubectl or whatnot. |
|
I merely found it annoying an without actual benefit that I couldn't use the same names as env vars. Specifically I was taking a doc that someone had written about what env vars their app needed and putting it in a config map and I had to double-name everything. foo-bar-bat and FOO_BAR_BAT. Blech. Is there a reason? I can't think of one. |
|
What is the progress of this? I cherry-pick the PR and test, underscore still not a valid key for ConfigMap. |
|
Thanks for trying this @liyimeng, I will take a look at this later today... |
|
Thanks @errm! Here is how I test: [liyi@K8s-builder ~]$ kubectl create configmap ssh-config --from-file /etc/kolla/nova-ssh/id_rsa.pub |
|
sorry @errm, that was a fault alarm. Totally my fault, I forget to update kubectl in my test node. The validation is actually also done in kubectl. |
|
@liyimeng It won't be in for 1.3. I would really prefer to see a proposal for changing the key format, since I think it will be a little more complicated than 'allow underscores'. |
|
@pmorie I can create a proposal for this... It just seemed like such a small change. I do see the point of view that once we loosen some validation we can never tighten it up again, so I guess it should be something to have a wider discussion about... Is there some documentation on how to write a proposal properly somewhere? |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
|
I'm trying to create a configmap for a Caddyfile (https://caddyserver.com/) and getting burned by the fact that the standard container images expect the name "Caddyfile". Config files starting with a capital letter seems somewhat common (I can think of Gemfile and Cargo.toml off the top of my head). Is there any reason this supports dns names and env vars rather than linux file names, as @thockin mentioned? |
|
@cgag It does support file names . . . just not keys in the configMap that are non dns. When you add the map to a container you are able to map to file names. |
|
@thockin is there any way I can help to move this forward? |
|
@errm, Woops, you're right, I see now that I can mount the keys to custom paths, thanks. I'd gotten used to just using the keys as the filenames. Still, it'd be nice to not have to do that, so it'd be cool to see this go forward. |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
k8s-github-robot
added
the
needs-rebase
errm
force-pushed
the
env-var-style-config-keys
branch
from
e77d113 to
ddf3b65
Compare
k8s-github-robot
removed
the
needs-rebase
This makes environment variable style keys (uppercase with underscores) valid in Secrets and ConfigMap.
errm
force-pushed
the
env-var-style-config-keys
branch
from
e5f73e3 to
d4969ff
Compare
|
@thokin nits squashed . . . |
| @@ -6300,7 +6300,7 @@ func TestValidateConfigMap(t *testing.T) { | |||
| invalidName = newConfigMap("NoUppercaseOrSpecialCharsLike=Equals", "validns", nil) | |||
| emptyNs = newConfigMap("validname", "", nil) | |||
| invalidNs = newConfigMap("validname", "NoUppercaseOrSpecialCharsLike=Equals", nil) | |||
| invalidKey = newConfigMap("validname", "validns", map[string]string{"a..b": "value"}) | |||
There was a problem hiding this comment.
i think that two dots next to one another should still be invalid.
There was a problem hiding this comment.
Why? What value does it provide or what does it protect against?
On Mon, Aug 1, 2016 at 2:39 PM, Paul Morie notifications@github.com wrote:
In pkg/api/validation/validation_test.go
#25458 (comment)
:@@ -6300,7 +6300,7 @@ func TestValidateConfigMap(t *testing.T) {
invalidName = newConfigMap("NoUppercaseOrSpecialCharsLike=Equals", "validns", nil)
emptyNs = newConfigMap("validname", "", nil)
invalidNs = newConfigMap("validname", "NoUppercaseOrSpecialCharsLike=Equals", nil)
invalidKey = newConfigMap("validname", "validns", map[string]string{"a..b": "value"})i think that two dots next to one another should still be invalid.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes/kubernetes/pull/25458/files/d4969ff03230e61fcd18fef778debd83e896ed6a#r73057977,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AFVgVFYXhORgQ3rm51RN1dSuuwcTYTlCks5qbmd8gaJpZM4IbwmI
.
There was a problem hiding this comment.
I talked myself out of it, carry on
|
For simple auto-expansion into file projections, I can now express a much Next, expect someone to suggest a streamlined form of env vars that don't On Mon, Aug 1, 2016 at 2:38 PM, Paul Morie notifications@github.com wrote:
|
|
Yes ultimately I would like to be able to say project all the keys from this configMap and/or secret to environment variables. In my usecase: Then we need to loop over each key and build a valid config for the env section. This at the moment involves looking at each variable we want, then mapping it's name to something valid. At the moment if we start with an environment variable name, say |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
1 similar comment
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
I'm expecting it -- already thinking about how I want the API to look :) |
pmorie
added
the
lgtm
|
@errm LGTM. Sorry for the latency on this, I've been out a lot recently and have been seriously underwater / bankrupt on github notifications. |
|
GCE e2e build/test passed for commit d4969ff. |
errm
changed the title
|
Thanks for the patch! |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit d4969ff. |
|
Automatic merge from submit-queue |
|
GCE e2e build/test passed for commit d4969ff. |
|
@pmorie could you please promote this patch into the v1.3.6 release? |
|
This doesn't meet the bar for a patch release to 1.3, I think On Aug 12, 2016 6:57 AM, "kayrus" notifications@github.com wrote:
|
|
Agreed, while this certainly shouldn't break anything currently using secrets or configMap, it is certainly a change to API and should wait for the next minor version. |
Bug 1874251: UPSTREAM: 94204: Add impersonated user to system:authenticated group Origin-commit: b0068a868c4996f2a5c2a35c1bb54d700545da34
Re: #23722
This makes loosens the regex used in in Secrets and ConfigMap,
in order to make environment variable style keys valid