Workload Identity reconciler integration using SPIFFE #809
Conversation
|
Hi @PrimalPimmy. Thanks for your PR. I'm waiting for a nephio-project member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
PrimalPimmy
force-pushed
the
spire-fixes
branch
from
b1b3497 to
60bb4c8
Compare
|
@PrimalPimmy I think maybe we should take another look at this in SIG-Auto. Would you be able to schedule it on the agenda for one of the upcoming meetings? |
|
Sure @liamfallon . Where do I post about this to schedule it? cc: @nyrahul |
|
Please enter an item on the agenda for a forthcoming meeting, the agenda document is here: |
|
@PrimalPimmy is this PR ready for review? |
|
/retest |
|
I'm not sure why the CI is unable to check go.sum for the latest spiffe packages, even though I had updated using go mod tidy in the controllers/pkg directory |
Some of the make targets should be executed from the root of the project. make tidy Can you run "make test" successfully on local? |
|
Thanks @efiacor , the tests pass now |
PrimalPimmy
force-pushed
the
spire-fixes
branch
from
10a28f1 to
3b9bd0c
Compare
|
/remove-approve |
|
A rough flow of how it is working now:
|
PrimalPimmy
force-pushed
the
spire-fixes
branch
from
8b1896e to
2b7ffac
Compare
| return ctrl.Result{RequeueAfter: 30 * time.Second}, errors.Wrap(err, msg) | ||
| } | ||
| if !ready { | ||
| log.Info("cluster not ready") |
There was a problem hiding this comment.
Log error instead of Info
There was a problem hiding this comment.
I was following this:
https://github.com/nephio-project/nephio/blob/main/controllers/pkg/reconcilers/bootstrap-secret/reconciler.go#L129
, and other reconcilers didn't use log.error for cluster readiness either.
There was a problem hiding this comment.
Ok, leave it at Info so.
Another quick one, I see that most of the following steps we only log the error but continue on. Should we be exiting if any of the "logged" errors below occur?
There was a problem hiding this comment.
Yep, I think we should exit them. Do we exit with return ctrl.Result{}, errors.Wrap(err, msg)?
There was a problem hiding this comment.
Not sure tbh. That would be down to the design. Do you want to result.RequeueAfter or let the default backoff handle it. Question for someone with more k8s knowledge.
| token := string(secret.Data["token"]) | ||
|
|
||
| // Retrieve the cluster's CA certificate | ||
| configMap, err := clientset.CoreV1().ConfigMaps("kube-system").Get(ctx, "kube-root-ca.crt", metav1.GetOptions{}) |
There was a problem hiding this comment.
A lot of the inputs here are hardcoded. This is bad practice.
All the inputs should be configurable via configmap or args.
| // Get the ConfigMap | ||
| cm := &v1.ConfigMap{} | ||
| if err := r.Get(ctx, types.NamespacedName{ | ||
| Namespace: "spire", |
There was a problem hiding this comment.
Again, hardcoded inputs should be avoided.
There was a problem hiding this comment.
This can prob go beside the reconciler tbh. No real use putting it in the resources dir.
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| func CreateSpireAgentConfigMap(name string, namespace string, cluster string, serverAddress string, serverPort string) (*v1.ConfigMap, error) { |
There was a problem hiding this comment.
These functions should be relatively easy to unit test.
Signed-off-by: PrimalPimmy <[email protected]>
Signed-off-by: PrimalPimmy <[email protected]>
Signed-off-by: PrimalPimmy <[email protected]>
Signed-off-by: PrimalPimmy <[email protected]>
Signed-off-by: PrimalPimmy <[email protected]>
|
/test presubmit-nephio-golangci-lint |
|
If you add a comment with a reference to issue with the refactoring actions for R5 as a comment here,w e can merge this PR. |
|
Future work in R5 related to SPIFFE: These are the immediate things to be handled, might add more in the future. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: efiacor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR initiates the work to implement workload Identity in the nephio ecosystem. More documentation can be found here:
Design Document: https://docs.google.com/document/d/1k8Hcd7tJKPIsyiYZX6hpRECuJ4IIxVnaESghU5bLNVQ/edit?usp=sharing
User Story: https://docs.google.com/document/d/1nkh7tTItwii1bY877PfzjFCBtmRos4IDh5EOJxWXRdg/edit?usp=sharing