Delimiter annotation #664
fix hashicorp/vault-helm#348 as well
The original pull request talks a bit about handling templates included in a Helm chart. I wonder if we could recommend escaping the template instead of adding support for specifying alternate template delimiters? We are suggesting that approach here: hashicorp/vault-secrets-operator#619 (comment)
Hmm, this Helm approach is a workaround, not something to fix the real issue. Currently it's a hassle to use Go templating inside Vault templates in Kubernetes; if you want to do templating over templating over templating, it becomes impossible to use if you don't know beforehand how many times the template will be templated, so escaping it is not a solution in this case. Why not simply add these delim annotations to make it convenient and be able to differentiate the default Go templating from the one for the Vault Agent?
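The delimiter collision discussed in this thread, as an added example that is not part of the pull request or the project's code: Go's `text/template` stands in for both the chart pass and the Vault Agent pass, and the template strings, values and function names (`render`, `twoPass`) are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// render executes src once with the given delimiters; empty strings select
// text/template's defaults "{{" and "}}". missingkey=error is chosen here so
// that a directive evaluated by the wrong pass fails loudly instead of being
// silently consumed.
func render(src, left, right string, data interface{}) (string, error) {
	t, err := template.New("t").Delims(left, right).Option("missingkey=error").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// twoPass models a chart pass with default delimiters followed by an agent
// pass that uses "[[" and "]]", as the delimiter annotations would configure.
func twoPass(src string, chart, secret map[string]string) (string, error) {
	mid, err := render(src, "", "", chart)
	if err != nil {
		return "", err
	}
	return render(mid, "[[", "]]", secret)
}

func main() {
	chart := map[string]string{"host": "db.internal"} // constructed values
	secret := map[string]string{"password": "example-value"}

	// {{ }} belongs to the chart pass, [[ ]] to the agent pass: no escaping
	// is needed, however many default-delimiter passes run first.
	out, err := twoPass("host={{ .host }} password=[[ .password ]]", chart, secret)
	fmt.Println(out, err)

	// With one delimiter pair, the agent directive is evaluated by the chart
	// pass, where .password is unknown.
	_, err = render("host={{ .host }} password={{ .password }}", "", "", chart)
	fmt.Println("collision detected:", err != nil)
}
```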
Thanks for updating this! It tested good locally for me; just left a couple thoughts.
Something else I think may be useful here is a way to set the default template delimiters for all the templates in a Pod, instead of per-template. Perhaps the delimiter annotations by themselves (without the secret suffix) could be used for this? Just something I was thinking about while reviewing this, but we can do it in a follow-up PR too.
secret.LeftDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateLeftDelim, secret.RawName, "") | ||
secret.RightDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateRightDelim, secret.RawName, "") |
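Review bot: the left and right delimiters on these two lines are read independently, with no check that they are set as a pair, so a Pod that carries only one of the two annotations for a secret ends up with one custom delimiter and one empty value. Consider validating that both are set or neither is, and stating the pairing requirement in the comments on AnnotationAgentInjectTemplateLeftDelim and AnnotationAgentInjectTemplateRightDelim.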
Seems like we might as well set the default delimiter here?
secret.LeftDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateLeftDelim, secret.RawName, "") | |
secret.RightDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateRightDelim, secret.RawName, "") | |
secret.LeftDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateLeftDelim, secret.RawName, DefaultLeftDelim) | |
secret.RightDelimiter = a.annotationsSecretValue(AnnotationAgentInjectTemplateRightDelim, secret.RawName, DefaultRightDelim) |
The thing is, we can then have the default delimiters handled by the config, which is where the templating will be done. It was done this way in the previous pull request; I did it the way you say in the first place, but I think it's better/less error prone to let the config handle that, no?
Not sure I follow about it being better/less error prone? Since the delimiter annotations are set directly in the corresponding Agent config options (i.e. nothing is changing them in between parsing the annotations and writing the Agent config), seems like they can be set as soon as they are known.
If the delimiter settings end up empty in the Agent config because an annotation sets them to "", that's actually ok too since they aren't required Agent config parameters.
(I don't think it matters too much either way, so I'll leave it up to you and not hold it up over this.)
7beb30b to 2528e4d
Just stumbled over this and it is exactly what I need as well. Doing the escaping kinda easily becomes hell if you want to have parts replaced by helm template and parts by vault. Any ETA for this PR?
Waiting for @tvoran and @benashz comments and approval, I'm still following this case as I need it implemented as well 👍
2e1441b to 0b1833d
Made the requested changes, it should be good now :)
Just a couple more minor things.
// AnnotationAgentInjectToken is the annotation key for injecting the | ||
// auto-auth token into the secrets volume (e.g. /vault/secrets/token) |
// AnnotationAgentInjectToken is the annotation key for injecting the | |
// auto-auth token into the secrets volume (e.g. /vault/secrets/token) |
@@ -134,6 +139,10 @@ func TestNewConfig(t *testing.T) { | |||
if template.Contents != "template foo" { | |||
t.Errorf("expected template contents to be %s, got %s", "template foo", template.Contents) | |||
} | |||
|
|||
if template.LeftDelim != DefaultLeftDelim || template.RightDelim != DefaultRightDelim { | |||
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", template.LeftDelim, template.RightDelim, DefaultLeftDelim, DefaultRightDelim) |
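Review bot: in the new t.Errorf at the end of this hunk the arguments are passed as template.LeftDelim, template.RightDelim, DefaultLeftDelim, DefaultRightDelim, which is got-then-expected, while the format string reads expected-then-got, so a failing run would report the values under the wrong labels. Swap the two pairs, and consider %q instead of %s so that an empty delimiter shows up as "" in the output.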
Looks like the "got" and "expected" values are flipped:
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", template.LeftDelim, template.RightDelim, DefaultLeftDelim, DefaultRightDelim) | |
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", DefaultLeftDelim, DefaultRightDelim, template.LeftDelim, template.RightDelim) |
@@ -170,6 +179,10 @@ func TestNewConfig(t *testing.T) { | |||
if template.Destination != "/vault/secrets/just-template-file" { | |||
t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/just-template-file", template.Destination) | |||
} | |||
} else if strings.Contains(template.Destination, "baz") { | |||
if template.LeftDelim != "[[" || template.RightDelim != "]]" { | |||
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", template.LeftDelim, template.RightDelim, "[[", "]]") |
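Review bot: the t.Errorf message in the "baz" branch still says "expected default delimiters" although this branch asserts the custom "[[" and "]]" pair, and its arguments are passed got-first while the format string reads expected-first. Reword it to refer to custom delimiters and pass "[[", "]]" before template.LeftDelim, template.RightDelim so a failure prints the values under the right labels.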
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", template.LeftDelim, template.RightDelim, "[[", "]]") | |
t.Errorf("expected default delimiters to be %s (left) and %s (right), got %s (left) and %s (right)", "[[", "]]", template.LeftDelim, template.RightDelim) |
Rebased @caitlinelfring annotations branch with delimiter annotations feature
rebased content of #226 instead of making my own (I was using leftdelim and rightdelim annotations in my version, nearly the same as @caitlinelfring version