Add command to generate Kubernetes Secrets #202
b7f4f96 to 3226cf1
Signed-off-by: versilis <[email protected]>
7202b3f to 10ad02d
Looks pretty good.
The must-fix items: let's add the ability to write to stdout, and use the default namespace. (And the redundant code in addAgentToECS.)
I would like to see us tackle YAML output with a library here on an easy case before we have to tackle parsing and rewriting a Deployment resource. Unless you were planning on using just string manipulation? But I don't insist on it.
cmd/internal/kube/secret.go
Outdated
) | ||
_ = secretCmd.MarkFlagRequired("namespace") | ||
|
||
secretCmd.Flags().StringVarP(&output, "output", "o", "akita-secret.yml", "File to output the generated secret.") |
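Review bot: The default value "akita-secret.yml" for --output means a run without the flag leaves a file holding the generated secret in the current working directory, where it can end up in a commit or a backup without the user having asked for a file. Consider an empty (or "-") default that selects standard output, so that a file is created only when a path is given explicitly.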
This should have come up in the design review -- sorry. I think the correct default, which is most idiomatic to Kubernetes tools, is to print to standard output.
The idiomatic usage we are aiming for is something like "akita kube secret | kubectl apply -f -"
cmd/internal/kube/secret.go
Outdated
func init() { | ||
var err error | ||
|
||
secretTemplate, err = template.ParseFS(templateFS, "template/akita-secret.tmpl") |
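Review bot: In init(), the handling of err after template.ParseFS is not visible in these lines, and init() runs on every akita invocation, not only for kube secret. Since "template/akita-secret.tmpl" is a fixed path inside templateFS, a package-level template.Must(template.ParseFS(templateFS, "template/akita-secret.tmpl")) would make a broken template fail loudly at startup and remove the separate var err error declaration.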
I'm mostly OK with using a template here. But, I think this will be much harder to pull off for the next command, and I would like the two implementations to be consistent. If we have to have YAML parsing and output, let's start here with the easy case. :)
Currently, there's a discrepancy between the Kubernetes openapi spec and the Go packages API model representation. Here's a link to the issue that covers it: kubernetes/kubernetes#109427
I've opened a separate PR to address using the Kubernetes API for generating secrets: #204
Co-authored-by: Mark Gritter <[email protected]>
This provides a workaround to remove all telemetry info logs during a command's initialization. This is needed by the kube secret command because only the raw YAML output should be printed to stdout.
cmd/internal/kube/secret.go
Outdated
// Output the generated secret to the console | ||
printer.RawOutput(output) |
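Review bot: At printer.RawOutput(output), the name output does not say whether it holds the rendered manifest or a destination, and the comment says "console" although the discussion on this PR describes the consumer as a pipe into kubectl. Rename the variable to something like secretYAML and reword the comment to say that the generated Secret manifest, which contains credentials, is written to standard output.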
Sorry, I think I was unclear. The two use cases are:
1. Apply directly
   `akita kube secret | kubectl apply -f -`
2. Apply via a file (convenience, they could always pipe to a file.)
   `akita kube secret -f mysecret.yaml`
   `kubectl apply -f mysecret.yaml`
In case #2 we should not print to standard output as well, it should be one or the other. We can support this in a few different ways, I don't much care whether (a) standard out is the default if `-f` is not specified, or (b) `-f -` writes to standard output.
I kind of think like in case #1 we should not write the file that was not asked for as well.
Come talk to me if what should happen in these two cases is still unclear.
cmd/internal/kube/secret.go
Outdated
} | ||
|
||
// Creates a file at the give path to be used for storing of the generated Secret config | ||
// If any child dicrectories do not exist, it will be created. |
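Review bot: The doc comment has two typos ("give path" should be "given path", "dicrectories" should be "directories") and mixes plural and singular in "child directories ... it will be created", which leaves the behaviour for missing directories ambiguous. It also does not state the permissions of the created file; since the file stores the generated Secret, document the mode and keep it owner-only (for example 0600).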
Is this comment correct? I think you mean "it will not be created".
pcap/stream_test.go
Outdated
@@ -127,6 +128,7 @@ func runTCPFlowTestCase(c tcpFlowTestCase) error { | |||
} | |||
|
|||
func TestTCPFlow(t *testing.T) { | |||
telemetry.Init(false) |
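Review bot: telemetry.Init(false) at the top of TestTCPFlow passes a bare boolean whose meaning is not clear at the call site, and the test now depends on package-global telemetry state. Add a short comment saying what false selects, or move the call into a TestMain for the package so that individual tests do not each have to repeat it.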
I think I understand the need here and in pase_http_test since the error functions in parsing send telemetry.
Is there a fix to telemetry that checks whether uninitialized instead? If it's not easy to do, we can keep this, it just seems a bit odd to be initializing telemetry in a situation where we don't really want it.
Looks good!
This adds two new commands, `akita kube inject` and `akita kube secret`, for simplifying the process of installing Akita as a sidecar in Kubernetes Deployments.
Changes include:
- #202
- #207
- #206
---------
Signed-off-by: versilis <[email protected]>
Co-authored-by: Mark Gritter <[email protected]>
Co-authored-by: Jed Liu <[email protected]>
This adds a new command `akita kube secret` which generates a Kubernetes secret configuration file that stores a user's base-64 encoded Akita API credentials.
To simplify file generation, I've used Go's built-in templating utilities; `akita-secret.tmpl` is used as the template for creating the secret.
Example usage: