Support template parameters in configmap/secret customData #366
Conversation
ASBishop
force-pushed
the
customData-template-parameters
branch
from
04e919c to
eb86b5e
Compare
|
I think a few operators would benefit from this feature. |
I like the idea, just thinking how a user would know/where we document which parameters are supported by the controller. should those be documented in the CRD for the customServiceConfig parameter? |
|
Thanks Alan, |
|
I agree we map need to document the list of template parameters supported by each operator. That said, I suspect the ones that Users will find useful will be relatively small, primarily consisting of things like service passwords. Using the example I described in the commit message, we already document how to configure glance to use cinder for a backend, so we'd just need to update the existing documentation. BTW, that's in the downstream documentation. Another idea would be for controllers that know they support template parameters that Users might find useful to log the list of template parameter keys. |
|
I like the idea, but I'm somewhat concerned that doing the templating blindly like this could create issues. |
|
That's in interesting corner case. One path forward would be to catch and log the resulting template failure, and fall back to include the raw customData line as is. This may not be ideal, but it would preserve the benefit of the feature without any havoc wrecked by corner cases. |
|
That assumes that there will never be a chance of having an accidental valid template. |
ASBishop
force-pushed
the
customData-template-parameters
branch
from
eb86b5e to
eb060f9
Compare
|
I updated the commit message to reflect changes in the last update, but did not update the PR description. Pls see the commit message for the latest update. |
Template parameter expansion has only been supported in template
files themselves, and not in any other sources supplied in the
customData. This patch extends support for expanding parameters
in all customData strings.
The intent is to support template parameters in customServiceConfig
data. A common use case is when a service's config parameter needs
to be set to a value that can be templated, e.g. the service's
own password.
Consider the glance service when it's configured to use cinder
for a backend. The final configuration needs to specify the
'cinder_store_password', which currently requires two things.
1. The cloud admin will need to create a secret containing the
setting, and reference it in the customServiceConfigSecrets.
2. The cloud admin will need to track down the actual value
(i.e. glance's password) in order to put it in the secret.
An alternative approach would allow the cloud admin to use a
template parameter, whereby glance's CR could reference the
password like this:
glance:
template:
customServiceConfig: |
[cinder_backend]
cinder_store_password = {{ .ServicePassword }}
The only restriction is the service's controller must support the
parameter, meaning it must include it in its templateParameters.
If any error occurs when expanding a customData string, an INFO
message logged and the original string is retained (no expansion).
For example, if a CR references a parameter that isn't supported,
the log message will state:
Skipped customData expansion due to: template: tmp:x:y: \
executing "tmp" at <.BadParam>: map has no entry for key "BadParam"
ASBishop
force-pushed
the
customData-template-parameters
branch
from
eb060f9 to
3188587
Compare
| @@ -165,7 +165,13 @@ func createOrUpdateSecret( | |||
| // Note: this can overwrite data rendered from GetTemplateData() if key is same | |||
| if len(st.CustomData) > 0 { | |||
| for k, v := range st.CustomData { | |||
| dataString[k] = v | |||
| vExpanded, err := util.ExecuteTemplateData(v, st.ConfigOptions) | |||
There was a problem hiding this comment.
It should be possible to consolidate this code and the code for the config map into a single function, but I don't think that's a big deal.
Template parameter expansion has only been supported in template files themselves, and not in any other sources supplied in the customData. This patch extends support for expanding parameters in all customData strings.
The intent is to support template parameters in customServiceConfig data. A common use case is when a service's config parameter needs to be set to a value that can be templated, e.g. the service's own password.
Consider the glance service when it's configured to use cinder for a backend. The final configuration needs to specify the 'cinder_store_password', which currently requires two things.
An alternative approach would allow the cloud admin to use a template parameter, whereby glance's CR could reference the password like this:
The only restriction is the service's controller must support the parameter, meaning it must include it in its templateParameters. If a CR references a parameter that isn't supported, the controller will log an error stating, 'map has no entry for key "BadParam"'.