sharing artifacts between pipeline tasks using bucket #444
Conversation
|
/test pull-knative-build-pipeline-build-tests |
|
/test pull-knative-build-pipeline-unit-tests |
|
/test pull-knative-build-pipeline-integration-tests |
1 similar comment
|
/test pull-knative-build-pipeline-integration-tests |
|
/retest |
73b06a1 to
0d2385f
Compare
| } | ||
|
|
||
| // NewArtifactBucketConfigFromConfigMap creates a Bucket from the supplied ConfigMap | ||
| func NewArtifactBucketConfigFromConfigMap(configMap *corev1.ConfigMap) (*v1alpha1.ArtifactBucket, error) { |
There was a problem hiding this comment.
There is no path that returns error in this function so this function declaration can be updated to
func NewArtifactBucketConfigFromConfigMap(configMap *corev1.ConfigMap) *v1alpha1.ArtifactBucket {
There was a problem hiding this comment.
it has to implement interface definition in pkg
|
@shashwathi @dlorenc comments addressed, Thank you for the review |
| } | ||
|
|
||
| func NewStore(logger configmap.Logger) *Store { | ||
| store := &Store{ |
There was a problem hiding this comment.
I think we can return directly without assigning to store variable here.
| } | ||
| } | ||
|
|
||
| func TestAddStepsToBuild_WithBucketFromConfigMap(t *testing.T) { |
There was a problem hiding this comment.
In this test we can simplify by only testing build spec instead of build. I don't see build metadata being changed here. Also wantErr is not used in this test so we can remove that too
test/README.md
Outdated
| @@ -115,6 +115,8 @@ permissions inside the TaskRun to run the Kaniko e2e test and GCS taskrun test. | |||
| `KANIKO_SECRET_CONFIG_FILE` is used to generate Kubernetes secret to access | |||
| GCS bucket. This e2e test requires valid service account configuration json | |||
| but it does not require any role binding. | |||
| - In Storage artifact bucket, GCP service account JSON key file at path | |||
| `KANIKO_SECRET_CONFIG_FILE` is used to create/delete a bucket. | |||
There was a problem hiding this comment.
I think we need to refactor/reword this paragraph. It might not be in the scope of this PR. We can leave TODO here. We need to break down "GCP serviceaccount JSON key file" . One suggestion would be the following
In the Storage artifact bucket test, the JSON key file for the GCP service account stored at path KANIKO_SECRET_CONFIG_FILE is used to create/delete a GCS bucket.
There was a problem hiding this comment.
now that we're using KANIKO_SECRET_CONFIG_FILE for the bucket test as well, would it make sense to rename KANIKO_SECRET_CONFIG_FILE to something more general?
There was a problem hiding this comment.
renamed to GCP_SERVICE_ACCOUNT_KEY_PATH and reworded the readme
| v1alpha1.BucketServiceAccountSecretName: bucketSecretName, | ||
| v1alpha1.BucketServiceAccountSecretKey: bucketSecretKey, | ||
| } | ||
| c.KubeClient.UpdateConfigMap(systemNamespace, v1alpha1.BucketConfigName, configMapData) |
There was a problem hiding this comment.
Just a small doubt. Are we updating config map after e2e test execution to its original state? Sorry if I missed this code
There was a problem hiding this comment.
adding login to reset config map to original values
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pivotal-nader-ziada, shashwathi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Looks great!!! Just some minor comments from me and a couple questions:
- Just curious, did you notice in your experiments, is it faster to use GCS instead of PVCs?
- looks like there's a bit of coverage missing in gcs_resource.go that might be worth adding?
| - bucket.service.account.secret.name: the name of the secret that will contain the credentials for the service account | ||
| with access to the bucket | ||
| - bucket.service.account.secret.key: the key in the secret with the required service account json | ||
| The bucket is configured with a retention policy of 24 hours after which files will be deleted |
There was a problem hiding this comment.
could we put the docs on how to configure this ConfigMap with these other docs on how to configure the entrypoint configmap?
might even make sense to put in a separate doc e.g. install.md (could be a starting point for #385 :D)
There was a problem hiding this comment.
I can do the install.md in a separate pr :D
There was a problem hiding this comment.
kk sounds great @pivotal-nader-ziada :D
docs/using.md
Outdated
| - location: the address of the bucket (for example gs://mybucket) | ||
| - bucket.service.account.secret.name: the name of the secret that will contain the credentials for the service account | ||
| with access to the bucket | ||
| - bucket.service.account.secret.key: the key in the secret with the required service account json |
There was a problem hiding this comment.
might be a bit easier to read with `` around the values, e.g.:
bucket.service.account.secret.key: the key in the secret with the required service account json
| limitations under the License. | ||
| */ | ||
|
|
||
| package v1alpha1 |
There was a problem hiding this comment.
what do you think about putting the implementations of the artifacts interface into package artifacts ?
There was a problem hiding this comment.
I originally had the code in the artifacts package, but had to move it to be able to use existing variables (such as gsutilImage) which are defined in the api package. I would get a circular dependency. This will probably need a bigger refactor which I didn't want to do here since this PR is big already
There was a problem hiding this comment.
kk no worries, hopefully we'll refactor it later :D
| GetSecretsVolumes() []corev1.Volume | ||
| GetType() string | ||
| StorageBasePath(pr *v1alpha1.PipelineRun) string | ||
| } |
There was a problem hiding this comment.
nice!!!!!! i like the interface :D
test/README.md
Outdated
| @@ -115,6 +115,8 @@ permissions inside the TaskRun to run the Kaniko e2e test and GCS taskrun test. | |||
| `KANIKO_SECRET_CONFIG_FILE` is used to generate Kubernetes secret to access | |||
| GCS bucket. This e2e test requires valid service account configuration json | |||
| but it does not require any role binding. | |||
| - In Storage artifact bucket, GCP service account JSON key file at path | |||
| `KANIKO_SECRET_CONFIG_FILE` is used to create/delete a bucket. | |||
There was a problem hiding this comment.
now that we're using KANIKO_SECRET_CONFIG_FILE for the bucket test as well, would it make sense to rename KANIKO_SECRET_CONFIG_FILE to something more general?
test/artifact_bucket_test.go
Outdated
| // TestStorageBucketPipelineRun is an integration test that will verify a pipeline | ||
| // can use a bucket for temporary storage of artifacts shared between tasks | ||
| func TestStorageBucketPipelineRun(t *testing.T) { | ||
| configFilePath := os.Getenv("KANIKO_SECRET_CONFIG_FILE") |
There was a problem hiding this comment.
quick question: do we know if KANIKO_SECRET_CONFIG_FILE is defined in our automated tests?
There was a problem hiding this comment.
the user that is used to run the e2e tests doesn't have high permissions, so it would be able to execute the gcs and artifact_bucket tests anyways
- using gcp buckets only for now - bucket information configured using a config map - refactor of pvc implementation for the same feature to use same interface - artifact bucket and artifact pvc return the container spec to execute the upload and download steps - issue tektoncd#384
- use getType on artifactStorageInterface instead of isPVC - refactor go files - add unit tests
|
/assign @bobcatfish |
|
@bobcatfish On GKE, the pvc is pretty fast, even faster if its a huge number of files |
- addressed comments from pr tektoncd#444 review
|
The following is the coverage report on pkg/.
|
| @@ -136,7 +139,7 @@ gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$EMAI | |||
| # create the JSON key | |||
| gcloud iam service-accounts keys create config.json --iam-account $EMAIL | |||
|
|
|||
| export KANIKO_SECRET_CONFIG_FILE="$PWD/config.json" | |||
| export GCP_SERVICE_ACCOUNT_KEY_PATH="$PWD/config.json" | |||
|
whew, awesome work @pivotal-nader-ziada !! Looks great :D /lgtm |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fixes #384
Proposed changes
KANIKO_SECRET_CONFIG_FILEwith the path to a service json file that has enough access to create a bucketStill to be implemented
The recommendation is to use a retention policy to get the files deleted after a fixed small number of hours which is more efficient then deleting a folder with a large number of files