-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto populate DNS names #122
Conversation
Sorry it has taken so long to get around to this @faisal-memon. @MarcosDY and I will try and get it reviewed sometime this week. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank Faisal!!!
can you update crd on demo too?
pkg/spireentry/entries.go
Outdated
} | ||
sort.Strings(dnsNames) // Sort the list to provide consistent results |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this sorting stuff, can be problematic in some ways, for example, if you want to set a DNS as CN the CN will be the first element on this list, so how can a user say that they want to have an specific value un CN?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in case order is not important, we can simplify add
functions to work only with map (since you are verifying using that map that DNS does not exist) and then parse map to []string,
but I still think we may respect order and more in case of template ones that must go at the start of the list
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @MarcosDY for catching this. Its updated to only sort the auto added dns names. The templated ones will be first and in the order specified in the crd.
require.Len(t, entry.DNSNames, len(spec.DNSNameTemplates)-1) | ||
// DNS names are unique | ||
dnsNamesSet := make(map[string]struct{}) | ||
for _, dnsName := range entry.DNSNames { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
with this approach we can get more items than expected, why not to compare 2 lists? and see that we get the exact list we expect?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a length check to the test.
All comments have been addressed. The demo crds have been updated. |
controllers/pod_controller.go
Outdated
ctx := context.Background() | ||
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if context.Background() is correct here or if we should use something else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
main that is calling this one has a ctx, maybe you may use that one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I missed that one. Change is in.
controllers/pod_controller.go
Outdated
ctx := context.Background() | ||
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
main that is calling this one has a ctx, maybe you may use that one?
controllers/pod_controller.go
Outdated
log := log.FromContext(ctx) | ||
endpoints, ok := rawObj.(*corev1.Endpoints) | ||
if !ok { | ||
log.Error(nil, "unexpected type indexing fields", "type", fmt.Sprintf("%T", rawObj), "expecteed", "*corev1.Endpoints") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
expected
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this expected to happen? I'm worried we'll start to spam logs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should not happen ever
migration/README.md
Outdated
matchLabels: | ||
spiffe.io/spiffe-id: "true" | ||
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"] | ||
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
may we use the "local" path for Controller Manager Config
like used in example (same comment for all paths in this file)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
migration/README.md
Outdated
spiffe.io/spiffe-id: "true" | ||
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"] | ||
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml). | ||
1. For each [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) you to auto populate DNS names for, set the `autoPopulateDNSNames` field there. See [example](config/clusterspiffeid.yaml). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2.?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have each listed as 1. i think is better. Then you don't have to update every line if you add an item in the middle.
migration/README.md
Outdated
spiffe.io/spiffe-id: "true" | ||
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"] | ||
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml). | ||
1. For each [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) you to auto populate DNS names for, set the `autoPopulateDNSNames` field there. See [example](config/clusterspiffeid.yaml). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you to auto populate DNS names for
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
pkg/spireentry/entries.go
Outdated
@@ -160,6 +166,23 @@ func renderDNSName(tmpl *template.Template, data *templateData) (string, error) | |||
return rendered, nil | |||
} | |||
|
|||
func addServiceDNSNames(dnsNames []string, dnsNamesSet map[string]struct{}, endpointsList *corev1.EndpointsList, clusterDomain string) []string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do you think about this function returning the list of dns from endpoints (only) and sorted.
and in the caller add the new dns to the list?
dsnNames = append(dnsNames, dnsNamesFromEndpoints( dnsNamesSet, endpointsList, clusterDomain))
that wil simplify this code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change made.
Docs updated. Trying to rebase to fix the dco causes a lot merge conflicts. Whenever this is approved Ill squash and then rebase to fix the dco. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, just a simple nit, and can you solve DCO?
controllers/pod_controller.go
Outdated
// Index endpoints by UID. Later when we reconcile the Pod this will make it easy to find the associated endpoints | ||
// and auto populate DNS names. | ||
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string { | ||
log := log.FromContext(ctx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log is only used whn error, can you move into if?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
Signed-off-by: Faisal Memon <[email protected]>
Signed-off-by: Faisal Memon <[email protected]>
Signed-off-by: Faisal Memon <[email protected]>
@MarcosDY all comments addressed, dco fixed. |
Auto populate DNS names from services attached to pods. Similar to the way its done in the reconcile mode k8s-workload-registrar.
name
,name.namespace
,name.namespace.svc
,name.namespace.svc.clusterdomain
. Not a fan of the barename
but added for completeness sake.AutoPopulateDNSNames
configurable globally and then individually on each cluster spifffe id.fixes #48