-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support using swarm Configs as CredentialSpecs in Services. #1781
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1781 +/- ##
=========================================
+ Coverage 56.33% 56.73% +0.4%
=========================================
Files 308 308
Lines 21504 21610 +106
=========================================
+ Hits 12114 12261 +147
+ Misses 8498 8449 -49
- Partials 892 900 +8 |
Added tests, removed WIP. |
007e491
to
23b54b8
Compare
Refactored to reduce cyclomatic complexity, which should hopefully be enough to pass lint. |
Added compose support. |
56ea44b
to
999fab0
Compare
cli/compose/convert/service.go
Outdated
// file in the container. This is used for supporting CredentialSpec | ||
// configs. | ||
if config.Runtime { | ||
if config.Target != "" || config.UID != "" || config.GID != "" || config.Mode != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't target and uid/gid still be configurable? (i.e., mount a config as credential-spec, but specify which uid/gid and/or path to use?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, because a credentialspec is never mounted into the container, or written to the filesystem. And in any case, the actual API type (which is a ConfigReference
with a ConfigReferenceRuntimeTarget
) does not allow setting file attributes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤦♂️ ah, yes, makes sense
cli/compose/types/types.go
Outdated
// the service. Specifically, this currently only indicates that the Config | ||
// is used as a CredentialSpec. If this field is set `true`, then all other | ||
// fields besides `Source` must be empty. | ||
Runtime bool `yaml:",omitempty" json:"runtime,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we deduct this from the Source
value? (IIUC, it will be prefixed with config://
?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. The string config://
should never actually be in the compose code, I think.
We could theoretically determine that a config is a Runtime
config by looking for the absence of all other fields, but I usually think it's better to affirmatively determine something rather than make assumptions from the absence.
It would be cleaner to have a whole new type besides FileReferenceConfig
but doing so would be more trouble than it's worth, IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to use a string instead of a bool?
I'd like to avoid a situation where we are adding multiple bools here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A string representing what? The target, file vs runtime?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing to take note is that this type (FileReferenceConfig
) is used both for configs and secrets, but we'll only use the "runtime" option for configs; so we might have to create a separate type for configs?
Thinking (UX-wise); in order to use a config as credential-spec, I would have to;
-
define the Config
version: "3.8" configs: my_credentials_spec: file: ./credentials-spec-file.json
(or, if the config already exists):
version: "3.8" configs: my_credentials_spec: external: true
-
add the Config to the Configs section of the compose file (I guess this can only be with the long syntax, because I'd have to specify the
runtime
option);version: "3.8" services: myservice: image: myimage:latest configs: - source: my_credentials_spec runtime: true configs: my_credentials_spec: file: ./credentials-spec-file.json
-
configure the service to use the config as source for the credentials-spec;
version: "3.8" services: myservice: image: myimage:latest credential_spec: config: my_credentials_spec configs: - source: my_credentials_spec runtime: true configs: my_credentials_spec: file: ./my-credential-spec.json
That's a lot of duplication; can we somehow skip step 2.
? i.e., if credential_spec
uses config: <some name>
, we already know that we want to use a config as source. That config must be defined in the compose-file, but we could attach it automatically to the service (if needed) (or can we do that step even "behind the scenes", daemon-side?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, why not.
I had a quick look, but I'm not as familiar with this codebase. @cpuguy83 is this patch also something you could have a look at if you have time? |
// all configs in spec.Configs should have both a Name and ID, because | ||
// they come from an already-accepted spec. | ||
for _, config := range spec.Configs { | ||
// if the config is a Runtime target, make sure it's still in use right |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a bug waiting to happen? Is there something we can do now to prevent someone from overlooking this in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sort of. any future use for runtime specs will probably require similar alterations to the configs logic, which means the implementer will have to look here anyway. then, they'll see this comment, and add the correct removal code.
cli/compose/convert/service.go
Outdated
File: &file, | ||
ConfigName: obj.Name, | ||
}) | ||
// if the obj.File is identical to the zero-value of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As above, is this a bug waiting to happen?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly, but the thing is I'm not sure under what case we'll add another non-file ConfigReference type, so I can't really code defensively against it, and even if I do, it's unlikely that something else will even be implemented at any point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Off the top of my head, a value explicitly for runtime targets.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it would make sense lol
I've made this change, and added tests to boot.
6bdd646
to
34ebae4
Compare
Altered the compose code to infer the need for a Config by the existence of a value in the CredentialSpec.Config field, meaning there is no need to define a This means a service using a CredentialSpec Config would look like this: version: "3.8"
services:
myservice:
image: myimage:latest
credential_spec:
config: my_credentials_spec
configs:
my_credentials_spec:
file: ./my-credential-spec.json| whereas before this change, it would have looked like this: version: "3.8"
services:
myservice:
image: myimage:latest
credential_spec:
config: my_credentials_spec
configs:
- source: my_credentials_spec
runtime: true
configs:
my_credentials_spec:
file: ./my-credential-spec.json |
34ebae4
to
074a96c
Compare
Thanks! That looks a lot more convenient (and less confusing) 🤗 I'll have another look at the code shortly @cpuguy83 @vdemeester if you have some time 🙏 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some comments/questions, but I think it looks pretty sane now
// if we're using a swarm Config for the credential spec, over-write it | ||
// here with the config ID | ||
if swarmCredSpec.Config != "" { | ||
for _, config := range refs { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was wondering if we should have a resolveConfig
/ resolveConfigID
function somewhere, but (I think) all the lookup loops are just slightly different
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Updates the CredentialSpec handling code for services to allow using swarm Configs. Additionally, fixes a bug where the `--credential-spec` flag would not be respected on service updates. Signed-off-by: Drew Erny <[email protected]>
Adds tests for setting and updating swarm service CredentialSpecs, especially when using a Config as a credential spec. Signed-off-by: Drew Erny <[email protected]>
Signed-off-by: Drew Erny <[email protected]>
074a96c
to
42ec51e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
closes #1656
- What I did
Builds on and obsoletes #1656. Uses the final API that went into the engine.
Additionally, in the process, discovered and fixed a bug where the
--credential-spec
flag would not have been respected on service updates.- How I did it
When handling configs, add additional logic for handling runtime configs. Additionally, adds logic to replace the config name which the user passes with the config ID, which is what the engine API needs.
- How to verify it
Includes unit tests.
- Description for the changelog
Add ability to use swarm Configs as CredentialSpecs on Services.