Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix mounting secrets #5063

Merged
merged 14 commits into from
Apr 11, 2024
Merged

Fix mounting secrets #5063

merged 14 commits into from
Apr 11, 2024
+26 −15

Conversation

yini7777
Copy link
Contributor

@yini7777 yini7777 commented Mar 15, 2024
edited
Loading

Tracking issue

Closes: #5053

Why are the changes needed?

Context --> we're upgrading from v1.10.6 to v1.11.0 and nothing has been changed on our end. But got the following error:

│ Error: cannot patch "flytescheduler" with kind Deployment: Deployment.apps "flytescheduler" is invalid: spec.template.spec.initContainers[0].volumeMounts[2].name: Not found: "auth"
│ 
│   with helm_release.flyte-unstable-core,
│   on flyte-unstable.tf line 1, in resource "helm_release" "flyte-unstable-core":
│    1: resource "helm_release" "flyte-unstable-core" {

we set Values.secrets.adminOauthClientCredentials.enabled to false because we don't want Flyte to create the secret, as we have created it via an ExternalSecret . In this case Flyte does not mount the secret to the flytescheduler.

Solution --> Add a new value as Values.secrets.adminOauthClientCredentials.create . We will set this to false and enabled to true.

What changes were proposed in this pull request?

How was this patch tested?

Setup process

Screenshots

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

@welcome Welcome
Copy link

welcome bot commented Mar 15, 2024

Thank you for opening this pull request! 🙌

These tips will help get your PR across the finish line:

  • Most of the repos have a PR template; if not, fill it out to the best of your knowledge.
  • Sign off your commits (Reference: DCO Guide).

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working documentation Improvements or additions to documentation labels Mar 15, 2024
@davidmirror-ops
Copy link
Contributor

@yini7777 I think a missing conditional for flytescheduler was added in #5054. Nevertheless I guess you're still facing the same issue as the conditional logic is not met when you set the adminOauthCredentials.enabled to false which not only doesn't create the secret but doesn't mount it.
Is my understanding correct?

@codecov Codecov
Copy link

codecov bot commented Mar 15, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.11%. Comparing base (2528de7) to head (b256aaf).
Report is 7 commits behind head on master.

❗ Current head b256aaf differs from pull request most recent head be46ef6. Consider uploading reports for the commit be46ef6 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5063      +/-   ##
==========================================
+ Coverage   56.82%   59.11%   +2.28%     
==========================================
  Files          34      645     +611     
  Lines        2154    55574   +53420     
==========================================
+ Hits         1224    32852   +31628     
- Misses        837    20129   +19292     
- Partials       93     2593    +2500
Flag Coverage Δ
unittests 59.11% <ø> (+2.28%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@yini7777
Copy link
Contributor Author

Nevertheless I guess you're still facing the same issue as the conditional logic is not met when you set the adminOauthCredentials.enabled to false which not only doesn't create the secret but doesn't mount it. Is my understanding correct?

Yes exactly!

@yini7777 yini7777 force-pushed the fix-mounting-secrets branch from 7e41838 to 1de6d0d Compare March 18, 2024 10:13
@yini7777 yini7777 force-pushed the fix-mounting-secrets branch from 3e1d26e to 3e61e69 Compare March 19, 2024 17:07
@yini7777
Copy link
Contributor Author

@davidmirror-ops I'm wondering if there is anything needs to be tested or modified in this PR.

@davidmirror-ops
Copy link
Contributor

davidmirror-ops commented Mar 22, 2024
edited
Loading

@yini7777 Yesterday we merged #5072 to fix the lint-and-test-charts test. Also I see the generate Helm test failing

Could you please

  1. Rebase to master and merge
  2. Run make helm and push the changes

Let me know if you have any question

Thanks!

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Mar 25, 2024
@yini7777 yini7777 changed the base branch from master to move-to-monorepo/flyteplugins/dependabot/go_modules/boilerplate/flyte/golang_support_tools/github.com/prometheus/client_golang-1.11.1 March 25, 2024 10:18
@yini7777 yini7777 changed the base branch from move-to-monorepo/flyteplugins/dependabot/go_modules/boilerplate/flyte/golang_support_tools/github.com/prometheus/client_golang-1.11.1 to master March 25, 2024 10:18
@yini7777
run make helm
a17f82b 
Signed-off-by: Yini <[email protected]>
@yini7777 yini7777 force-pushed the fix-mounting-secrets branch from 25a5830 to a17f82b Compare March 25, 2024 10:48
@dosubot dosubot bot removed the size:L This PR changes 100-499 lines, ignoring generated files. label Mar 25, 2024
@yini7777
run make helm
b256aaf 
Signed-off-by: Yini <[email protected]>
@yini7777
Copy link
Contributor Author

yini7777 commented Apr 3, 2024

@wild-endeavor @davidmirror-ops Thank you for your update and explanation. I've made some modifications to align with your suggestions. Could you please review them?

davidmirror-ops
davidmirror-ops previously approved these changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@davidmirror-ops davidmirror-ops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I deployed the changes proposed here and validated the behavior is as expected:

create & mount: specify clientSecret in the values file and enabled: true
don't create, but do mount: just set enabled: true
don't do anything: set enabled: false

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Apr 4, 2024
@yini7777
Copy link
Contributor Author

yini7777 commented Apr 5, 2024

@davidmirror-ops Thanks a lot for testing it out! Just curious about when validating don't create, but do mount: just set enabled: true, did u also overwrite the default clientSecret: foobar with clientSecret: null?

@davidmirror-ops
Copy link
Contributor

@yini7777 I commented out that line entirely tbh

@yini7777
Copy link
Contributor Author

yini7777 commented Apr 9, 2024

@davidmirror-ops Got it! I think it’s also crucial to test if overwriting with null works as expected, since from a user perspective it’s not practical to comment it out, I am also open to carry out this test myself.

The reason I’m so cautious about this is due to this issue. If you have any guidance on how to test it effectively, I’m eager to learn and contribute. Thanks!

@davidmirror-ops
Copy link
Contributor

@yini7777 you nailed it. when I set

secrets:
  adminOauthClientCredentials:
    enabled: true
    clientSecret: null

propeller fails to start:

MountVolume.SetUp failed for volume "auth" : secret "flyte-secret-auth" not found

@yini7777
Copy link
Contributor Author

yini7777 commented Apr 9, 2024

Awesome! Thanks a lot! Then I'll do a rebase and merge it!

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Apr 9, 2024
@yini7777
run make helm
e4a2dea 
Signed-off-by: Yini <[email protected]>
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Apr 9, 2024
wild-endeavor
wild-endeavor previously approved these changes Apr 11, 2024
View reviewed changes
wild-endeavor
wild-endeavor previously approved these changes Apr 11, 2024
View reviewed changes
@wild-endeavor wild-endeavor enabled auto-merge (squash) April 11, 2024 18:56
@yini7777
run make helm
be46ef6 
Signed-off-by: Yini <[email protected]>
auto-merge was automatically disabled April 11, 2024 20:00

Head branch was pushed to by a user without write access

@wild-endeavor wild-endeavor enabled auto-merge (squash) April 11, 2024 20:22
@wild-endeavor wild-endeavor merged commit 9955256 into flyteorg:master Apr 11, 2024
60 of 88 checks passed
@welcome Welcome
Copy link

welcome bot commented Apr 11, 2024

Congrats on merging your first pull request! 🎉

troychiu pushed a commit that referenced this pull request Jul 8, 2024
@yini7777 @andrewwdye
Fix mounting secrets (#5063)
4f6d0e1 
Signed-off-by: [email protected] <[email protected]>

Signed-off-by: Andrew Dye <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wild-endeavor wild-endeavor wild-endeavor approved these changes

@davidmirror-ops davidmirror-ops davidmirror-ops left review comments

@neverett neverett Awaiting requested review from neverett

@ppiegaze ppiegaze Awaiting requested review from ppiegaze

@eapolinario eapolinario Awaiting requested review from eapolinario

Assignees
No one assigned
Labels
bug Something isn't working documentation Improvements or additions to documentation lgtm This PR has been approved by a maintainer size:M This PR changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] flyte-secret-auth secret not mounted properly
3 participants
@yini7777 @davidmirror-ops @wild-endeavor