Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

helmrepo: add .spec.certSecretRef for specifying TLS auth data #1160

Merged
merged 3 commits into from
Jul 31, 2023

Conversation

aryan9600
Copy link
Member

@aryan9600 aryan9600 commented Jul 7, 2023

Add .spec.certSecretRef for specifying TLS authentication data using the certFile, keyFile and caFile keys. Deprecate the usage of these keys in the secret specified by .spec.secretRef.
Introduce (and refactor) Helm client builder and auth helpers to reduce duplicated code and increase uniformity and testability.

Fixes: #1131
Prerequisite to: #1097

@aryan9600 aryan9600 changed the title helmrepo: add .spec.certSecrtRef for specifing TLS auth data helmrepo: add .spec.certSecretRef for specifing TLS auth data Jul 7, 2023
@aryan9600 aryan9600 requested review from stefanprodan and souleb July 7, 2023 08:31
@aryan9600 aryan9600 force-pushed the helm-cert-secret branch 2 times, most recently from 1cf26b2 to 8170986 Compare July 7, 2023 08:33
@hiddeco hiddeco added enhancement New feature or request area/helm Helm related issues and pull requests area/api API related issues and pull requests labels Jul 7, 2023
@souleb
Copy link
Member

souleb commented Jul 7, 2023

helmchart_controller also has to be modified has it uses the secret from the helmRepository.Spec. here:

func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *helmv1.HelmChart,

@stefanprodan stefanprodan added this to the Helm GA milestone Jul 18, 2023
api/v1beta2/helmrepository_types.go Show resolved Hide resolved
api/v1beta2/helmrepository_types.go Outdated Show resolved Hide resolved
docs/spec/v1beta2/helmrepositories.md Outdated Show resolved Hide resolved
docs/spec/v1beta2/helmrepositories.md Outdated Show resolved Hide resolved
internal/controller/helmchart_controller.go Outdated Show resolved Hide resolved
internal/helm/registry/auth.go Outdated Show resolved Hide resolved
internal/helm/repository/client_opts.go Outdated Show resolved Hide resolved
@aryan9600 aryan9600 force-pushed the helm-cert-secret branch 2 times, most recently from 9b6d4bf to 09fcb2e Compare July 20, 2023 07:01
@aryan9600 aryan9600 requested a review from souleb July 20, 2023 07:07
Copy link
Member

@souleb souleb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done @aryan9600! LGTM.

@aryan9600 aryan9600 requested a review from hiddeco July 20, 2023 10:16
docs/spec/v1beta2/helmrepositories.md Outdated Show resolved Hide resolved
docs/spec/v1beta2/helmrepositories.md Outdated Show resolved Hide resolved
internal/controller/helmchart_controller.go Outdated Show resolved Hide resolved
internal/controller/helmrepository_controller.go Outdated Show resolved Hide resolved
Comment on lines 393 to 405
r.Event(obj, "Warning", "DeprecationWarning",
"specifying TLS authentication data via `.spec.secretRef` is deprecated, please use `.spec.certSecretRef` instead")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be the first usage of just event in any reconciler.
When it's about deprecation warning, shouldn't it be logged as well using eventLogf()?

But this makes me think of https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1693-warnings/README.md . This KEP provides ideas about surfacing the deprecation warning to users and cluster admins. I think we can learn from it and think about how to handle such things in flux as we'll have more such needs in the future as we change the APIs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i am not logging it because as far as a i understand, it'll be logged every reconciliation, which will just populate the logs with unnecessary deprecation warnings

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't we'll be filling etcd instead with warning events? IMO DDOS-ing etcd is way way worse than log spam.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We had this discussion before fluxcd/notification-controller#435 (comment) .

Copy link
Contributor

@darkowlzz darkowlzz Jul 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the ideas from the aforementioned KEP, I think we can also provide a flag to disable such warning events and logs.
Also, based on the KEP, I was thinking maybe we should provide some metric about which objects use deprecated configuration. As mentioned in https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1693-warnings/README.md#risks-and-mitigations , keeping the cardinality in control.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this wasn't really resolved. Discussion about a flag to silencing warnings and metrics about deprecated API usage wasn't discussed at all.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't think we can ever suppress warning events, since that's the event type used for all failed operations.
this is the first usage of a warning log (in this controller, unaware about other controllers). i doubt that there'll be more and even this is a temporary thing. so practically, we'd be introducing a flag to silence one log message, which seems overkill? but then again, i don't have any other ideas on how to silence it and prevent it from filling up the controller's logs so maybe its necessary.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new feature/flag can pave the way for more usage of it in the future. A lot of kubernetes components have this feature, even if it's for one log line. It's a very basic feature to ask.
Suppressing in this case is about just not checking what it is checking. Just don't check for deprecated usage and there won't be any associated log or event.
I believe this is an opportunity to discuss how do we handle such things every time we deprecate certain APIs without breaking things, and how to convey such things more visibly to the users.

I just noticed that the implementation is different from the conclusion that I understood. It's only logging without any event. I pointed out above that emitting events is not a problem. The event recorder client has the capability to rate limit too many events. So, we could just continue using eventLogf() with EventTypeWarning. Also noticed that it's an info log now. I think this was discussed based on image-reflector's similar log to be an error log.

Copy link
Member Author

@aryan9600 aryan9600 Jul 31, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not saying i'm against the flag, if we think we do need such a thing, i'm totally for it. i didn't use eventLogf(), because i thought we decided to log it for now, based on discussions offline as i noted here #1160 (comment). i logged it on an info level instead of warning because this is what the upstream kubernetes folks did: go-logr/logr#151 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's subjective based on the context. I'm aware of the simplification to just have error and info log. It may depend on the authors of a project if they want user's attention on certain things. I don't know what's better, but it'd be good to have consistency. Update this to be error or update image-reflector's log to be info.
In terms of events, since there are only Normal and Warning event types, we use warnings for error events. But if log is normal, should event also be normal? Then how do we highlight that this is something users need to pay attention to. Based on our usage, I'd incline towards consistency with our current usage of considering warnings as errors. But that's just me.

I don't think we ever discussed about removing events as I pointed above that it's not a problem. May be a misunderstanding.

internal/controller/helmrepository_controller.go Outdated Show resolved Hide resolved
internal/helm/registry/auth.go Outdated Show resolved Hide resolved
internal/helm/registry/auth.go Outdated Show resolved Hide resolved
internal/helm/repository/client_opts.go Outdated Show resolved Hide resolved
internal/helm/repository/client_opts.go Outdated Show resolved Hide resolved
internal/helm/repository/client_opts.go Outdated Show resolved Hide resolved
internal/controller/helmchart_controller.go Outdated Show resolved Hide resolved
internal/helm/repository/client_opts.go Outdated Show resolved Hide resolved
@aryan9600 aryan9600 changed the title helmrepo: add .spec.certSecretRef for specifing TLS auth data helmrepo: add .spec.certSecretRef for specifying TLS auth data Jul 24, 2023
@aryan9600 aryan9600 force-pushed the helm-cert-secret branch 2 times, most recently from 4c86440 to 73d39b4 Compare July 26, 2023 09:22
@aryan9600 aryan9600 requested review from darkowlzz and hiddeco July 26, 2023 09:22
Add `.spec.certSecretRef` to HelmRepository for specifying TLS auth data
in a secret using the `certFile`, `caFile` and `keyFile` keys. Mark
support for these keys in the secret specified in `.spec.secretRef` as
deprecated.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Add support for specifying TLS auth data via `.spec.certSecretRef` in
HelmRepository and log a deprecation warning if TLS is configured via
`.spec.secretRef`. Introduce (and refactor) Helm client builder and
auth helpers to reduce duplicated code and increase uniformity and
testability.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
@aryan9600 aryan9600 merged commit 3840940 into main Jul 31, 2023
@aryan9600 aryan9600 deleted the helm-cert-secret branch July 31, 2023 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/api API related issues and pull requests area/helm Helm related issues and pull requests enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Align references to Secrets within all Source APIs
5 participants