Closed Emily-Jiang closed 2 years ago
+1
To match the secret-mounting-behaviour from k8s, a proposal is to define a folder within OL (perhaps configurable), such that each filename in that folder maps to a MP Config key
and the contents of that file map to that key's value
.
For example, if we have a secret called couchDBSecret
with the following items:
couchdb.username: arthur
couchdb.password: xzy123
Then during deployment the user has two options:
...
volumeMounts:
- name: couchDB
mountPath: "/etc/couchdb"
readOnly: true
volumes:
- name: couchDB
secret:
secretName: couchDBSecret
...
Then inside our container we will have a file with path /etc/couchdb/couchdb.username
, with value arthur
, and another file with path /etc/couchdb/couchdb.password
, with value xyz123
.
In this scenario our Java app would have:
@Inject @ConfigProperty(name="couchdb.username") Optional<String> dbUsername;
@Inject @ConfigProperty(name="couchdb.password") Optional<String> dbPassword;
...
volumeMounts:
- name: couchDB
mountPath: "/etc/couchdb"
readOnly: true
volumes:
- name: couchDB
secret:
secretName: couchDBSecret
items:
- key: password
path: myPassword
...
In this case the only file created is at /etc/couchdb/myPassword
, with its value being xyz123
.
In this scenario our Java app would have:
@Inject @ConfigProperty(name="myPassword") Optional<String> dbPassword;
@arthurdm Thanks for the detailed explanation! For scenario 2., why does - key: username
need to be mentioned?
@Emily-Jiang - good catch, that should have been key : password
. I have updated the comment now. :)
For OpenShift it would be great if we can firm up on a convention for a solid service binding information 'root' location - so that we can write server Java code, or third-parties can, for example, write MicroProfile Reactive Messaging Connector Java code that can go and look in the default location (either directly of via MP Config) so that service binding can be resolved automatically on behalf of the user - for example for EventStreams. If we can not get a convention on a root location for mounting then we should push for some sort of convention for a sign-post that points to the varying bindings root location.
(The above to be advocated via https://groups.google.com/forum/#!topic/operator-framework/ScQXAsGCFeg probably by @arthurdm and /Chris Bailey.
The mounting binding information is proposed here: https://github.com/application-stacks/service-binding-specification/tree/updateBar#mounting-binding-information
We should consider if we need a new guide to cover this. Currently, we have https://openliberty.io/guides/kubernetes-microprofile-config.html.
If we believe a new guide is warranted, please file an issue here: https://github.com/OpenLiberty/guides-common/issues
Cc @gkwan-ibm.
@yeekangc At the moment the UFO lists a guide as a possible socialization, but I was planning on soliciting feedback on that. With the current design, the function is most relevant in an OpenShift/CP4A environment with the service binding operator. It could be used with just OL but would require simulating the work that the service binding operator is doing.
@yeekangc we do need a guide for this to demonstrate how to make Kubernetes sceret into application running on Open Liberty without asking customers to wire multiple paths.
Instructions:
[x] POC Design / UFO Review Scheduled (David Chang) or N/A.
[x] POC Design / UFO Reviewed (Feature Owner) or N/A.
[x] Complete any follow-ons from the POC Review.
[x] Add "Design Approval Request" tag
[x] Design / UFO Approval (Alasdair Nottingham) or N/A.
[ ] No Design / No UFO Approval (Arthur De Magalhaes - cloud / Alasdair Nottingham - server) or N/A.
[x] SVT Requirements identified. (Epic owner / Feature owner with SVT focal point)
[x] ID Requirements identified. (Epic owner / Feature owner with ID focal point)
[x] Create a child task of the epic entitled "FAT Approval Test Summary". Add and fill in the template as described here: https://github.ibm.com/was-liberty/WS-CD-Open/wiki/Feature-Review-(Feature-Test-Summary-Process . Mark "FAT complete" on the Epic when it's ready for review
[x] Identify all open source libraries that are changing or are new. Work with Legal Release Services (Cass Tucker or Release PM) to get open source cleared and approved. Or N/A. (Epic Owner). New or changed open source impacts license and Certificate of Originality.
[x] All new or changed PII messages are checked into the integration branch, before the last translation shipment out. (Epic Owner)
[x] Implementation complete. (Epic owner / Feature owner)
[x] All function tests complete. Ready for FAT Approval. (Epic owner / Feature owner)
[x] Review all known issues for Stop Ship. (Epic owner / Feature owner / PM)
You must have the Design Approved or No Design Approved label on the GitHub Epic.
If the feature is not part of Liberty, set target:ga
label in this epic so it is on the approvers' radar.
[x] Accessibility - (Steven Zvonek). Accessibility testing is complete or N/A. Approver adds label focalApproved:accessibility to the Epic in Github.
[ ] FAT Liberty SOE - (Kevin Smith). SOE FATS are running successfully or N/A . Approver adds label focalApproved:fat to the Epic in Github.
[x] Globalization (Sam Wong - Liberty / Simy Cheeran - tWAS). Translation is complete or N/A. TVT - complete or N/A. Approver adds label focalApproved:globalization to the Epic in Github.
[ ] ID - (Kareen Deen). Documentation work is complete or N/A . Approver adds label focalApproved:id to the Epic in Github.
[x] Performance - (Jared Anderson). Performance testing is complete with no high severity defects or N/A . Approver adds label focalApproved:performance to the Epic in Github.
[x] Serviceability - (Don Bourne). Serviceability has been addressed.
[x] STE - (Swati Kasundra). STE chart deck is complete or N/A . Approver adds label focalApproved:ste to the Epic in Github.
[x] SVT - (Greg Ecock - Cloud, Brian Hanczaryk- APS). SVT is complete or N/A . Approver adds label focalApproved:svt to the Epic in Github.
[x] Demo - (Tom Evans or Chuck Bridgham). Demo is scheduled for an upcoming EOI. (If Feature is not easily demoable - please present slide explaining enhancement) Approver adds label focalApproved:demo to the Epic in Github.
[ ] No Stop Ship issues for the feature. (Epic owner / Feature owner / Release PM)
[ ] Ship Readiness Review and Release Notes completed (Epic owner / Feature owner / Release PM)
[ ] Github Epic and Epic's issues are closed / complete. All PRs are committed to the master branch. (Epic owner / Feature owner / Backlog Subtribe PM)
[ ] OL Guides - (Yee-Kang Chang). Assessment for OL Guides is complete or N/A.
[ ] WDT - (Erin Harris). WDT work complete or N/A.
[ ] Blog article writeup (Epic owner / Feature owner / Laura Cowen)
I might have missed some discussions. @brenthdaniel, did we come to a consensus on guide for this? If it's more relevant to OpenShift and the operator there, I can see this as an update to the Deploying to OpenShift using Operator guide, which is in progress.
@yeekangc The overwhelming response was that we needed a guide. I thought I had opened an issue already, but it looks like I didn't. https://github.com/OpenLiberty/guides-common/issues/511 id open now.
Serviceability Approval Comment - Please answer the following questions for serviceability approval:
Yes... Error messages have been added where appropriate.
a) Loading a binary file b) kernel team (not involved in development) c) yes
N/A
L3 Liberty Kernel
N/A
We'll need some information before Fat Approval.
FAT test summary: https://github.com/OpenLiberty/open-liberty/issues/14768
L2 has requested STE slides for this feature. The STE template can be found at the links below. You can use either one to create the education.
Slide Template: https://ibm.box.com/s/1an42g7zdgmaj84w7dft0indqfgi8ffm
Github Template: https://pages.github.ibm.com/WASL3/site/STE/about
Please upload the completed slides to the same 'STE Archive' BOX folder or provide me the Github link. Thanks!
@brenthdaniel Thanks for slides. I've approved the feature.
@jdmcclur took a look at the performance and did not see any red flags related to this feature. He found a performance issue in mpConfig that he is looking at making a PR to resolve. But since it isn't caused by by this feature, I am marking it approved.
@brenthdaniel , what will happen in case where file in config directory has wrong ownership or mode such that it can't be read by Liberty?
@donbourne Any error reading the file will result in the same error message: error.bad.variable.file=CWWKG0106E: The {0} file can not be read. error.bad.variable.file.explanation=The file can not be loaded as a variable because it can not be read. error.bad.variable.file.useraction=Verify that the file contains text content and check the operating system permissions for the file.
Brent opened the ID issue at https://github.com/OpenLiberty/docs/issues/4567 and included the information to be documented. The docs are done. Brent has approved the doc updates. I'm adding ID approved to this epic.
We need to inject a property defined in a mounted file. This is an important scenario in a k8s environment, where credentials from a secret are mounted (volumeMount) into the container, rather than bound to env vars. Maybe we should opt in some folders where any key/values defined there would be available for injection.
@tevans78: (18th Feb 2020) @Emily-Jiang and I have been mulling over a design for this and I think we have concluded that the feature can be broadened out to include multiple different types of properties files. Initially we will go for just Java properties files and Kubernetes secrets files. In the future we may be able to also include json files, yaml files, xml files etc etc. We are also going to include the ability to read multiple files by specifying a directory rather than just a specific file.
@tevans78: Old UFO removed
@tevans78: (17th March 2020) Further discussion suggests that reading/loading Kubernetes configuration should be solved more generally for Liberty, not just for MP Config. Much of the processing would either be done by an Operator before Liberty starts OR it would be done at the kernel level as Liberty starts. Either way, the K8 properties would most likely end up as Liberty variables. MP Config would not be involved.
The generic file Config Source suggested above is something that has been asked for before so we may spin that off into a separate feature.
@brenthdaniel: (13th July 2020) New UFO: https://ibm.box.com/s/6xg3tvkodxr2qwth7drgvnb60k2zmefs FTS: https://github.com/OpenLiberty/open-liberty/issues/14768