charts/csi-powermax: Migrate reverse proxy config from ConfigMap to Secret #608
Conversation
* remove mode from pmax config.yaml * remove mode from pmax config.yaml
| @@ -20,31 +20,50 @@ spec: | |||
| image: {{ required "Must provided an image for reverseproxy container." .Values.image }} | |||
| imagePullPolicy: Always | |||
| env: | |||
| {{- $useRevProxySecret := not (empty .Values.secretName) }} | |||
There was a problem hiding this comment.
Clever way to set this parameter without having to explicitly provide it in the values files.
There was a problem hiding this comment.
So, the caveat here is, if the user is using their old values file during an upgrade, which does not have secretName in it, the new csireverseproxy values file will provide the default value and try to deploy with the new secret.
As far as I was able to find, there isn't a way to avoid this behavior unless we set secretName: "" in the default csireverseproxy values file.
There was a problem hiding this comment.
You can use hasKey along with the current condition in the helm template to check if Values.secretName exists (https://helm.sh/docs/chart_template_guide/function_list/#haskey). Then it will still work even if they are using the old values file.
- update default value for secretName in both values files. - update secret-configMap switching logic to check for existing secretName key, for better backward compat.
- remove use of csireverseproxy.secretName in favor of csireverseproxy.useSecret. - if useSecret is set, use defaultCredentialsSecret to specify the reverse proxy secret name.
lukeatdell
changed the base branch from
release-v1.14.0
to
usr/spark/powermax-secret-feature
charts/csi-powermax/values.yaml
Outdated
| # and login credentials. If set to false, the deprecated ConfigMap will be used. | ||
| # Default value: true | ||
| # Example: false | ||
| useSecret: true |
There was a problem hiding this comment.
question: Should this be set to false? Also, I see that it is in two different Values files, should that be the case?
There was a problem hiding this comment.
Is that because the example is false or because we don't want to enable it by default?
There doesn't have to be two instances of it, but since the driver's chart has a dependency on the proxy chart, we can set the values for the proxy from here. So these are just the same proxy chart values provided for convenience, and the values will be passed through. Anything not set here will default to whatever is set in the proxy's chart default values file.
There was a problem hiding this comment.
I think per discussion, we want to default to the config map approach. @tdawe correct me if I'm wrong.
I got it confused with this but this is only used if the reverseproxy is deployed on its own, right?
Lastly, should this be located in the global section of the values? Reason being, since it technically drives the complete configuration and mounting of the controller and driver and not just the reverseproxy.
Just a thought.
There was a problem hiding this comment.
hmm I'll wait for @tdawe 's reply.
That's correct. They're the same exact parameter, but the one coming from the main chart supersedes the one you linked.
Your last point makes sense to me, considering the reverse proxy is a requirement for powemax. Only issue is, the parameter might be unavailable if someone were to (for whatever reason) deploy the proxy on its own. But with the requirement in mind, it sounds as if we might want to combine the two charts anyway.
There was a problem hiding this comment.
We'll want to use the ConfigMap by default to support backwards compatibility. Upgrading to this version of the helm chart should be successful if still using the ConfigMap.
There was a problem hiding this comment.
Got it. I guess I could have avoided a few PR comments if I'd remembered that conversation lol.
Thank you, both.
- add key validation in case user uses old values version to perform upgrade
There was a problem hiding this comment.
@lukeatdell Users should be able to use the new helm chart with old values.yaml if they wanted the old behavior of using a configMap ? The PR description says they would need to set the secretName to an empty string. Is that necessary ?
|
Reading through the documentation changes now, I feel setting useSecret to true by default makes sense. We are deprecating the configMap, so it makes sense to start using the secret now as recommended. If user wants to explicitly use the configMap approach, they can choose to do that by toggling the userSecret flag. That makes sense to me. |
Right, that was my line of thinking as well. I must have missed the portion of the conversation where we decided to continue using the ConfigMap by default. That appears to be the desired path forward. I'm making changes now to align. |
- move useSecret to global scope. - set useSecret default to "false" for backward compatibility.
lukeatdell
requested review from
tdawe and
kumarp20
and removed request for
tdawe
Is this a new chart?
No
What this PR does / why we need it:
Migration of the reverse proxy configuration from a ConfigMap to a Secret allows customers to utilize password vaults and CSM-Authorization with the csi reverse proxy.
Which issue(s) is this PR associated with:
Special notes for your reviewer:
useSecret, has been added.false, the reverse proxy ConfigMap will be created. Otherwise, the user must create the new secret.X_CSI_POWERMAX_ENDPOINT, has been removed because, now that the reverse proxy is a requirement for installing csi-powermax, it appears to no longer be in use.useSecretis set to false or does not exist as a key in the values file.Checklist:
[charts_dir/mychartname]) if applicableTests:
global.useSecret: falseandglobal.deployAsSidecar: falseand ran cert-csi volume-io tests.global.useSecret: falseandglobal.deployAsSidecar: trueand ran cert-csi volume-io tests.