helmrepo: add .spec.certSecretRef for specifying TLS auth data
#1160
Conversation
aryan9600
force-pushed
the
helm-cert-secret
branch
from
0604550
to
b91bf8e
Compare
aryan9600
changed the title
.spec.certSecrtRef for specifing TLS auth data.spec.certSecretRef for specifing TLS auth data
aryan9600
force-pushed
the
helm-cert-secret
branch
2 times, most recently
from
1cf26b2
to
8170986
Compare
hiddeco
added
enhancement
aryan9600
force-pushed
the
helm-cert-secret
branch
from
8170986
to
fdbd09e
Compare
|
|
aryan9600
force-pushed
the
helm-cert-secret
branch
from
fdbd09e
to
7a4621f
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
7a4621f
to
d45e90e
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
2 times, most recently
from
9b6d4bf
to
09fcb2e
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
09fcb2e
to
7450787
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
7450787
to
39e68d7
Compare
| r.Event(obj, "Warning", "DeprecationWarning", | ||
| "specifying TLS authentication data via `.spec.secretRef` is deprecated, please use `.spec.certSecretRef` instead") |
There was a problem hiding this comment.
This seems to be the first usage of just event in any reconciler.
When it's about deprecation warning, shouldn't it be logged as well using eventLogf()?
But this makes me think of https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1693-warnings/README.md . This KEP provides ideas about surfacing the deprecation warning to users and cluster admins. I think we can learn from it and think about how to handle such things in flux as we'll have more such needs in the future as we change the APIs.
There was a problem hiding this comment.
i am not logging it because as far as a i understand, it'll be logged every reconciliation, which will just populate the logs with unnecessary deprecation warnings
There was a problem hiding this comment.
Wouldn't we'll be filling etcd instead with warning events? IMO DDOS-ing etcd is way way worse than log spam.
There was a problem hiding this comment.
We had this discussion before fluxcd/notification-controller#435 (comment) .
There was a problem hiding this comment.
Based on the ideas from the aforementioned KEP, I think we can also provide a flag to disable such warning events and logs.
Also, based on the KEP, I was thinking maybe we should provide some metric about which objects use deprecated configuration. As mentioned in https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1693-warnings/README.md#risks-and-mitigations , keeping the cardinality in control.
There was a problem hiding this comment.
I think this wasn't really resolved. Discussion about a flag to silencing warnings and metrics about deprecated API usage wasn't discussed at all.
There was a problem hiding this comment.
i don't think we can ever suppress warning events, since that's the event type used for all failed operations.
this is the first usage of a warning log (in this controller, unaware about other controllers). i doubt that there'll be more and even this is a temporary thing. so practically, we'd be introducing a flag to silence one log message, which seems overkill? but then again, i don't have any other ideas on how to silence it and prevent it from filling up the controller's logs so maybe its necessary.
There was a problem hiding this comment.
A new feature/flag can pave the way for more usage of it in the future. A lot of kubernetes components have this feature, even if it's for one log line. It's a very basic feature to ask.
Suppressing in this case is about just not checking what it is checking. Just don't check for deprecated usage and there won't be any associated log or event.
I believe this is an opportunity to discuss how do we handle such things every time we deprecate certain APIs without breaking things, and how to convey such things more visibly to the users.
I just noticed that the implementation is different from the conclusion that I understood. It's only logging without any event. I pointed out above that emitting events is not a problem. The event recorder client has the capability to rate limit too many events. So, we could just continue using eventLogf() with EventTypeWarning. Also noticed that it's an info log now. I think this was discussed based on image-reflector's similar log to be an error log.
There was a problem hiding this comment.
i'm not saying i'm against the flag, if we think we do need such a thing, i'm totally for it. i didn't use eventLogf(), because i thought we decided to log it for now, based on discussions offline as i noted here #1160 (comment). i logged it on an info level instead of warning because this is what the upstream kubernetes folks did: go-logr/logr#151 (comment)
There was a problem hiding this comment.
I think it's subjective based on the context. I'm aware of the simplification to just have error and info log. It may depend on the authors of a project if they want user's attention on certain things. I don't know what's better, but it'd be good to have consistency. Update this to be error or update image-reflector's log to be info.
In terms of events, since there are only Normal and Warning event types, we use warnings for error events. But if log is normal, should event also be normal? Then how do we highlight that this is something users need to pay attention to. Based on our usage, I'd incline towards consistency with our current usage of considering warnings as errors. But that's just me.
I don't think we ever discussed about removing events as I pointed above that it's not a problem. May be a misunderstanding.
aryan9600
force-pushed
the
helm-cert-secret
branch
from
39e68d7
to
762dcec
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
762dcec
to
8024d23
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
8024d23
to
d5c5dfc
Compare
aryan9600
changed the title
.spec.certSecretRef for specifing TLS auth data.spec.certSecretRef for specifying TLS auth data
aryan9600
force-pushed
the
helm-cert-secret
branch
2 times, most recently
from
4c86440
to
73d39b4
Compare
aryan9600
force-pushed
the
helm-cert-secret
branch
from
73d39b4
to
8c24767
Compare
Add `.spec.certSecretRef` to HelmRepository for specifying TLS auth data in a secret using the `certFile`, `caFile` and `keyFile` keys. Mark support for these keys in the secret specified in `.spec.secretRef` as deprecated. Signed-off-by: Sanskar Jaiswal <[email protected]>
Add support for specifying TLS auth data via `.spec.certSecretRef` in HelmRepository and log a deprecation warning if TLS is configured via `.spec.secretRef`. Introduce (and refactor) Helm client builder and auth helpers to reduce duplicated code and increase uniformity and testability. Signed-off-by: Sanskar Jaiswal <[email protected]>
Signed-off-by: Sanskar Jaiswal <[email protected]>
aryan9600
force-pushed
the
helm-cert-secret
branch
from
8c24767
to
4a55ce2
Compare
Add
.spec.certSecretReffor specifying TLS authentication data using thecertFile,keyFileandcaFilekeys. Deprecate the usage of these keys in the secret specified by.spec.secretRef.Introduce (and refactor) Helm client builder and auth helpers to reduce duplicated code and increase uniformity and testability.
Fixes: #1131
Prerequisite to: #1097