Conversation
esposem
force-pushed
the
new
branch
2 times, most recently
from
a35009d to
2c80477
Compare
|
@bpradipt please take a look now. deploy and apply are still there, just inverted. Rest are just improvements here and there |
esposem
force-pushed
the
new
branch
2 times, most recently
from
68a5d51 to
238c60d
Compare
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
…erate the files Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
…aded when needed by sidecar Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
… flag is defaulted to the opposite
…d to the opposite
…e ns Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
||
| fmt.Println() | ||
| fmt.Printf("Using provided RuntimeClass: %s\n", cfg.RuntimeClass) | ||
| } |
There was a problem hiding this comment.
this makes sense
/lgtm
P.S. I'm reviewing individual commits
| } else { | ||
| fmt.Printf(" ✓ Successfully added %d imagePullSecret(s) to Trustee\n", len(imagePullSecretRefs)) | ||
| } | ||
| fmt.Printf(" ✓ Successfully added %d imagePullSecret(s) to Trustee\n", len(imagePullSecretRefs)) |
| sidecarNamespace = trusteeNamespace | ||
| if sidecarNamespace == "" { | ||
| sidecarNamespace = "default" | ||
| sidecarNamespace = config.DefaultTrusteeNamespace |
There was a problem hiding this comment.
Let's park this commit on default Trustee namespace for now. Need to think few things around this.
| { | ||
| name: "external URL - should default to default", | ||
| trusteeServer: "https://trustee.example.com:8080", | ||
| name: "external URL - should default to trustee-operator-system", |
There was a problem hiding this comment.
Let's park this commit on default Trustee namespace for now. Need to think few things around this.
| if cfg.Sidecar.CertDir == "" { | ||
| cfg.Sidecar.CertDir, _ = GetDefaultCertDir() | ||
| } | ||
| if cfg.Sidecar.Image == "" { |
There was a problem hiding this comment.
/lgtm.
Having a certDir option to store keys is good. It can be populated out-of-band as well
| applyCmd.Flags().BoolVar(&sidecarSkipAutoSANs, "sidecar-skip-auto-sans", false, "Skip auto-detection of SANs (node IPs and service DNS)") | ||
| applyCmd.Flags().IntVar(&sidecarPortForward, "sidecar-port-forward", 0, "Port to forward from primary container (requires --sidecar)") | ||
| applyCmd.Flags().StringVarP(&namespaceFlag, "namespace", "n", "", "Namespace for operations (overrides manifest and kubeconfig)") | ||
| applyCmd.Flags().StringVar(&overrideCertDir, "cert-dir", "", "Override the cert directory used to load/store sidecar certificates and keys") |
There was a problem hiding this comment.
@esposem I didn't understand the need for this commit ?
| configPath string | ||
| convertSecrets bool | ||
| enableSidecar bool | ||
| enableInitData bool |
There was a problem hiding this comment.
I understand enableInitData is a toggle to decide whether to add initData during apply. I would say just have this toggle in this commit with a short description in the commit message on the reasoning.
Remove trusteeURL config from this commit. Let's think through the trusteeURL a bit more. Why it's needed for apply and what workflow are we trying to achieve.
Too many options to override is a recipe for both end-user confusion and maintenance headache
|
|
||
| fmt.Println(" - Injecting secure access sidecar container") | ||
| if err := sidecar.Inject(m, cfg, appName, namespace); err != nil { | ||
| // default the namespace to "default" as Trustee operator currently only supports that |
There was a problem hiding this comment.
Let's drop this commit for now. The client tool must not be dictated by the capabilities of specific Trustee deployment option.
Also this is not entirely true. You can check with vault for example.
| if err := trustee.UploadResource(ctx, clientset, trusteeNamespace, clientCAPath, clientCA.CertPEM); err != nil { | ||
| return fmt.Errorf("failed to upload client CA to KBS: %w", err) | ||
| var clientCAPath string | ||
| if cfg.TrusteeServer != "" { |
There was a problem hiding this comment.
Wondering if cert upload should be dictated by TrusteeURL or an explicit bool.
Personally having an explicit bool during init is clear and self-explanatory.
2 participants
init: move runtimeclass setup in a separate function: just refactoringapply: get rid of getTrusteeNamespace in favor of cfg.GetTrusteeNamespace: looks like they are the same functioninit: skip CA cert upload if the Trustee URL is not defined, just generate the files: I believe this was a bug, if we don't want to deploy we shouldn't uploadUse right default Trustee namespace: default to "trustee-operator-system" instead of "default"init/apply: add certDir to customize where certificates are stored/loaded when needed by sidecar: custom location useful especially to default existing certs to be loaded later by the apply command.apply: introduce cert-dir that overrides the --cert-dir of init: this is used in apply if the user wants to use another location to load (and store) the certs folderapply: add enableinitdata and trusteeurl, to add the initdata annotation: allow not to add any initdata, and override trustee-url when doing applyinit: trustee-url is now optional, only needed for initdatainit: rename skip-trustee-deploy with trustee-deploy. Same effect but flag is defaulted to the oppositeapply: rename skip-apply with apply. Same effect but flag is defaulted to the oppositeapply: change the sidecar certs URI to be in the kbs://default Trustee ns: fix this as Trustee operator defaults with "default" ns.fix various tests failling because of this change