-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow project scoped generic kubernetes secrets #2975
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
✅ Deploy Preview for docs-kargo-io ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2975 +/- ##
==========================================
+ Coverage 51.40% 51.73% +0.32%
==========================================
Files 288 292 +4
Lines 26108 26375 +267
==========================================
+ Hits 13421 13645 +224
- Misses 11961 11973 +12
- Partials 726 757 +31 ☔ View full report in Codecov by Sentry. |
@krancour generic secret creation and listing those is ready. Till I figure out what to do for updates could you start looking at the backend code? Also do you think its better to re-use the create resource API instead of modifying the create credentials? |
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
@krancour could you start looking.. I will bring code coverage to threshold |
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Sorry this took me so long. Overall, this looks fantastic. Test drive went really smoothly. I have some small bits of feedback, that I think are easy to address. In the screenshot above, I was initially thrown off by not seeing any kind of "Add Secret" button. It took me a while to realize that clicking "Add Credentials" would pop up a dialog that could be used for adding generic Secrets as well. I think this could potentially be less confusing if each of the two sections of this page each got their own "Add Credentials" and "Add Secret" buttons. In the same screen shot, upper right, the alt text for the tab says "Credentials". With Secrets being more broad/generic than credentials, I would suggest making the alt text there "Secrets." Credentials are a kind of Secret. (If it's not a problem, I think the URL of the page could also change to end in "/secrets". Two things tripped me up in the screenshot above. The title of the dialog is "Edit Credentials" even when I'm working on a generic Secret. Could it be at all practical to have two separate dialogs? One for creds and one for generic? When editing an existing Secret, not seeing any Last -- a weird one. If I try to add a new key "foobar" above, the new line disappears the moment I hit the second "o" in "foobar". I assume there's some real time validation that keys aren't being duplicated and after hitting that second "o", it looks like I am duplicating "foo" although I wasn't done typing. If I type any other value not staring with the characters of an existing key, everything works fine. I think/hope these are all relatively minor tweaks. As I said, overall, this worked great and did exactly what it's supposed to. |
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Great suggestions! @krancour you might want to take a look now, except your last point (in progress) all other review points are addressed. Thanks |
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
@krancour it is ready to review again |
Credentials: kubernetesSecret, | ||
}, | ||
), nil | ||
case kargoapi.CredentialTypeLabelValueGeneric: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking a Secret that isn't labeled as a generic credential should just automatically be treated as such. i.e. Perhaps generic credentials is the default case?
The thing I think I want to avoid is Kargo insisting on a special label for Secret that aren't really special in any way. (The "specific" creds are special, so that doesn't bother me.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or... I bet that label was basically necessary to make the existing credential-management endpoints work for generic Secrets? This actually has got me thinking about whether separate endpoints may be in order for Secrets since credentials are special in many ways that generic Secrets aren't.
For generic Secrets, I think we need the following:
-
Get/list endpoints that redact all values and annotations. (Compare to creds, which exempts the values of certain keys from being redacted.)
Under the hood, credential and generic secret endpoints can share a common redaction func and pass the names of exempt keys.
-
Update endpoint that updates/deletes individual keys. The generic update resource endpoint cannot be used for this purpose. Since we redact a lot on the get, the client doesn't have everything it needs to send back for a full update.
This is another bit that seems it could be shared between cred update and generic secret update endpoints.
-
Delete endpoint.
-
Create can use the generic create resource endpoint since I don't see any special treatment being required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The thing I think I want to avoid is Kargo insisting on a special label for Secret that aren't really special in any way. (The "specific" creds are special, so that doesn't bother me.)
Shading some lights on previous comments which seems in favour of explicit labels? Lets agree on either of way and I can update APIs accordingly @krancour
@Marvin9 overall, this is great. I had some suggestions about the back end parts of this. In a nutshell, the existing credential management endpoints do some very specific things that I don't think apply to generic Secrets. I'm happy to help on the new endpoints I suggested if you want me to. Just lmk. |
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
Signed-off-by: Mayursinh Sarvaiya <[email protected]>
@Marvin9 I promise I'll 👀 the latest changes tomorrow. Thank you for the hard work on this. |
This PR now allows create generic k8s secrets
TODO: