Read Kubernetes config in as Liberty config variables

[Emily-Jiang]

We need to inject a property defined in a mounted file. This is an important scenario in a k8s environment, where credentials from a secret are mounted (volumeMount) into the container, rather than bound to env vars. Maybe we should opt in some folders where any key/values defined there would be available for injection.

@tevans78: (18th Feb 2020) @Emily-Jiang and I have been mulling over a design for this and I think we have concluded that the feature can be broadened out to include multiple different types of properties files. Initially we will go for just Java properties files and Kubernetes secrets files. In the future we may be able to also include json files, yaml files, xml files etc etc. We are also going to include the ability to read multiple files by specifying a directory rather than just a specific file.

@tevans78: Old UFO removed

@tevans78: (17th March 2020) Further discussion suggests that reading/loading Kubernetes configuration should be solved more generally for Liberty, not just for MP Config. Much of the processing would either be done by an Operator before Liberty starts OR it would be done at the kernel level as Liberty starts. Either way, the K8 properties would most likely end up as Liberty variables. MP Config would not be involved.

The generic file Config Source suggested above is something that has been asked for before so we may spin that off into a separate feature.

@brenthdaniel: (13th July 2020) New UFO: https://ibm.box.com/s/6xg3tvkodxr2qwth7drgvnb60k2zmefs FTS: https://github.com/OpenLiberty/open-liberty/issues/14768

[arthurdm]

+1

To match the secret-mounting-behaviour from k8s, a proposal is to define a folder within OL (perhaps configurable), such that each filename in that folder maps to a MP Config key and the contents of that file map to that key's value.

For example, if we have a secret called couchDBSecret with the following items:

couchdb.username: arthur
couchdb.password: xzy123

Then during deployment the user has two options:

1. Mounting the entire secret to a folder.
   This is done via:

   ...
   volumeMounts:
   - name: couchDB
     mountPath: "/etc/couchdb"
     readOnly: true
   volumes:
   - name: couchDB
   secret:
     secretName: couchDBSecret
   ...

   Then inside our container we will have a file with path /etc/couchdb/couchdb.username, with value arthur, and another file with path /etc/couchdb/couchdb.password, with value xyz123.

In this scenario our Java app would have:

   @Inject @ConfigProperty(name="couchdb.username") Optional<String> dbUsername;
   @Inject @ConfigProperty(name="couchdb.password") Optional<String> dbPassword;

2. The user can pick which filename and option they use For example, let's say only the password is needed, you could do:

   ...
   volumeMounts:
   - name: couchDB
     mountPath: "/etc/couchdb"
     readOnly: true
   volumes:
   - name: couchDB
   secret:
     secretName: couchDBSecret
     items:
     - key: password
       path: myPassword
   ...

   In this case the only file created is at /etc/couchdb/myPassword, with its value being xyz123.

In this scenario our Java app would have:

   @Inject @ConfigProperty(name="myPassword") Optional<String> dbPassword;

[Emily-Jiang]

@arthurdm Thanks for the detailed explanation! For scenario 2., why does - key: username need to be mentioned?

[arthurdm]

@Emily-Jiang - good catch, that should have been key : password. I have updated the comment now. :)

[hutchig]

For OpenShift it would be great if we can firm up on a convention for a solid service binding information 'root' location - so that we can write server Java code, or third-parties can, for example, write MicroProfile Reactive Messaging Connector Java code that can go and look in the default location (either directly of via MP Config) so that service binding can be resolved automatically on behalf of the user - for example for EventStreams. If we can not get a convention on a root location for mounting then we should push for some sort of convention for a sign-post that points to the varying bindings root location.

(The above to be advocated via https://groups.google.com/forum/#!topic/operator-framework/ScQXAsGCFeg probably by @arthurdm and /Chris Bailey.

[tevans78]

The mounting binding information is proposed here: https://github.com/application-stacks/service-binding-specification/tree/updateBar#mounting-binding-information

[yeekangc]

We should consider if we need a new guide to cover this. Currently, we have https://openliberty.io/guides/kubernetes-microprofile-config.html.

If we believe a new guide is warranted, please file an issue here: https://github.com/OpenLiberty/guides-common/issues

Cc @gkwan-ibm.

[brenthdaniel]

@yeekangc At the moment the UFO lists a guide as a possible socialization, but I was planning on soliciting feedback on that. With the current design, the function is most relevant in an OpenShift/CP4A environment with the service binding operator. It could be used with just OL but would require simulating the work that the service binding operator is doing.

[Emily-Jiang]

@yeekangc we do need a guide for this to demonstrate how to make Kubernetes sceret into application running on Open Liberty without asking customers to wire multiple paths.

[brenthdaniel]

List of Steps to complete or get approvals / sign-offs for Onboarding to the Liberty release (GM date)

Instructions:

• Do the actions below and mark them complete in the checklist when they are done.
• Make sure all feature readiness approvers put the appropriate tag on the epic to indicate their approval.

---

TARGET COMPLETION DATE Before Development Starts or 8 weeks before Onboarding

• [x] POC Design / UFO Review Scheduled (David Chang) or N/A.

• [x] POC Design / UFO Reviewed (Feature Owner) or N/A.

• [x] Complete any follow-ons from the POC Review.

• [x] Add "Design Approval Request" tag

• [x] Design / UFO Approval (Alasdair Nottingham) or N/A.

• [ ] No Design / No UFO Approval (Arthur De Magalhaes - cloud / Alasdair Nottingham - server) or N/A.

• [x] SVT Requirements identified. (Epic owner / Feature owner with SVT focal point)

• [x] ID Requirements identified. (Epic owner / Feature owner with ID focal point)

• [x] Create a child task of the epic entitled "FAT Approval Test Summary". Add and fill in the template as described here: https://github.ibm.com/was-liberty/WS-CD-Open/wiki/Feature-Review-(Feature-Test-Summary-Process . Mark "FAT complete" on the Epic when it's ready for review

• ---

  TARGET COMPLETION DATE 3 weeks before Onboarding

• [x] Identify all open source libraries that are changing or are new. Work with Legal Release Services (Cass Tucker or Release PM) to get open source cleared and approved. Or N/A. (Epic Owner). New or changed open source impacts license and Certificate of Originality.

• ---

  TARGET COMPLETION DATE 3 weeks before Onboarding

• [x] All new or changed PII messages are checked into the integration branch, before the last translation shipment out. (Epic Owner)

• ---

  TARGET COMPLETION DATE 2 weeks before Onboarding

• [x] Implementation complete. (Epic owner / Feature owner)

• [x] All function tests complete. Ready for FAT Approval. (Epic owner / Feature owner)

• [x] Review all known issues for Stop Ship. (Epic owner / Feature owner / PM)

• ---

  APPROVALS with TARGET COMPLETION DATE 2 to 1 week before Onboarding

Prerequisites

• You must have the Design Approved or No Design Approved label on the GitHub Epic.

• If the feature is not part of Liberty, set target:ga label in this epic so it is on the approvers' radar.

  Approvals

• [x] Accessibility - (Steven Zvonek). Accessibility testing is complete or N/A. Approver adds label focalApproved:accessibility to the Epic in Github.

• [ ] FAT Liberty SOE - (Kevin Smith). SOE FATS are running successfully or N/A . Approver adds label focalApproved:fat to the Epic in Github.

• [x] Globalization (Sam Wong - Liberty / Simy Cheeran - tWAS). Translation is complete or N/A. TVT - complete or N/A. Approver adds label focalApproved:globalization to the Epic in Github.

• [ ] ID - (Kareen Deen). Documentation work is complete or N/A . Approver adds label focalApproved:id to the Epic in Github.

• [x] Performance - (Jared Anderson). Performance testing is complete with no high severity defects or N/A . Approver adds label focalApproved:performance to the Epic in Github.

• [x] Serviceability - (Don Bourne). Serviceability has been addressed.

• [x] STE - (Swati Kasundra). STE chart deck is complete or N/A . Approver adds label focalApproved:ste to the Epic in Github.

• [x] SVT - (Greg Ecock - Cloud, Brian Hanczaryk- APS). SVT is complete or N/A . Approver adds label focalApproved:svt to the Epic in Github.

• [x] Demo - (Tom Evans or Chuck Bridgham). Demo is scheduled for an upcoming EOI. (If Feature is not easily demoable - please present slide explaining enhancement) Approver adds label focalApproved:demo to the Epic in Github.

• ---

  TARGET COMPLETION DATE 1 week before Onboarding

• [ ] No Stop Ship issues for the feature. (Epic owner / Feature owner / Release PM)

• [ ] Ship Readiness Review and Release Notes completed (Epic owner / Feature owner / Release PM)

• [ ] Github Epic and Epic's issues are closed / complete. All PRs are committed to the master branch. (Epic owner / Feature owner / Backlog Subtribe PM)

• ---

  NOT REQUIRED FOR A FEATURE

• [ ] OL Guides - (Yee-Kang Chang). Assessment for OL Guides is complete or N/A.

• [ ] WDT - (Erin Harris). WDT work complete or N/A.

• ---

  Related Deliverables TARGET COMPLETION DATE General Availability

• [ ] Blog article writeup (Epic owner / Feature owner / Laura Cowen)

[yeekangc]

I might have missed some discussions. @brenthdaniel, did we come to a consensus on guide for this? If it's more relevant to OpenShift and the operator there, I can see this as an update to the Deploying to OpenShift using Operator guide, which is in progress.

[brenthdaniel]

@yeekangc The overwhelming response was that we needed a guide. I thought I had opened an issue already, but it looks like I didn't. https://github.com/OpenLiberty/guides-common/issues/511 id open now.

[donbourne]

Serviceability Approval Comment - Please answer the following questions for serviceability approval:

1. UFO -- does the UFO identify the most likely problems customers will see and identify how the feature will enable them to diagnose and solve those problems without resorting to raising a PMR? Have these issues been addressed in the implementation?

Yes... Error messages have been added where appropriate.

2. Test and Demo -- As part of the serviceability process we're asking feature teams to test and analyze common problem paths for serviceability and demo those problem paths to someone not involved in the development of the feature (eg. L2, test team, or another development team).
   a) What problem paths were tested and demonstrated? b) Who did you demo to? c) Do the people you demo'd to agree that the serviceability of the demonstrated problem scenarios is sufficient to avoid PMRs for any problems customers are likely to encounter, or that L2 should be able to quickly address those problems without need to engage L3?

a) Loading a binary file b) kernel team (not involved in development) c) yes

3. SVT -- SVT team is often the first team to try new features and often encounters problems setting up and using them. Note that we're not expecting SVT to do full serviceability testing -- just to sign-off on the serviceability of the problem paths they encountered. a) Who conducted SVT tests for this feature? b) Do they agree that the serviceability of the problems they encountered is sufficient to avoid PMRs, or that L2 should be able to quickly address those problems without need to engage L3?

N/A

4. Which L2 / L3 queues will handle PMRs for this feature? Ensure they are present in the contact reference file and in the queue contact summary, and that the respective L2/L3 teams know they are supporting it. Ask Don Bourne if you need links or more info.

L3 Liberty Kernel

5. Does this feature add any new metrics or emit any new JSON events? If yes, have you updated the JMX metrics reference list / Metrics reference list / JSON log events reference list in the Open Liberty docs?

N/A

[mhldr]

We'll need some information before Fat Approval.

[brenthdaniel]

FAT test summary: https://github.com/OpenLiberty/open-liberty/issues/14768

[skasund]

L2 has requested STE slides for this feature. The STE template can be found at the links below. You can use either one to create the education.

Slide Template: https://ibm.box.com/s/1an42g7zdgmaj84w7dft0indqfgi8ffm

Github Template: https://pages.github.ibm.com/WASL3/site/STE/about

Please upload the completed slides to the same 'STE Archive' BOX folder or provide me the Github link. Thanks!

[brenthdaniel]

STE: https://ibm.box.com/s/lg3dmlhnpdyligw9se38qyiucqd6bp2g

[skasund]

@brenthdaniel Thanks for slides. I've approved the feature.

[jhanders34]

@jdmcclur took a look at the performance and did not see any red flags related to this feature. He found a performance issue in mpConfig that he is looking at making a PR to resolve. But since it isn't caused by by this feature, I am marking it approved.

[donbourne]

@brenthdaniel , what will happen in case where file in config directory has wrong ownership or mode such that it can't be read by Liberty?

[brenthdaniel]

@donbourne Any error reading the file will result in the same error message: error.bad.variable.file=CWWKG0106E: The {0} file can not be read. error.bad.variable.file.explanation=The file can not be loaded as a variable because it can not be read. error.bad.variable.file.useraction=Verify that the file contains text content and check the operating system permissions for the file.

[chirp1]

Brent opened the ID issue at https://github.com/OpenLiberty/docs/issues/4567 and included the information to be documented. The docs are done. Brent has approved the doc updates. I'm adding ID approved to this epic.