cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes
Apache License 2.0

Add quarks secrets #569

Closed acosta11 closed 3 years ago

acosta11 commented 3 years ago

WHAT is this change about?

Add Quarks Secrets behind an experimental feature flag to start driving server-side secret generation. Along with the QuarksSecret controller, this PR migrates a few existing secrets to QuarksSecrets. Subsequently, we will update the remaining generated secrets and provide a migration path from user-provided data values to server-side generated QuarksSecrets.

Also add ytt unit testing for the experimental feature flag. This PR depends on the addition of new matchers to the yttk8smatchers repo: https://github.com/cloudfoundry/yttk8smatchers/commit/d207637ab62efe1227d64ded4c685444dd8864a2

Does this PR introduce a change to config/values.yml?

Yes, adds an experimental feature flag to the data values interface.

Acceptance Steps

  1. Validate that the default deployment is unchanged
    1. Deploy normally according to the deploy docs and see that we create Secrets directly with the user-provided data values
    2. Command to check contents of one of the secrets: kubectl get secret -n cf-system cf-admin-client-credentials -o yaml | yq -r .data | base64 --decode
    3. Also see that we do not deploy any additional pods
  2. Validate that when the experimental feature flag is enabled, we deploy QuarksSecret

    1. After generating your values, go into the file and manually add the following config:

      quarks_secret:
        enable: true

    2. Continue to deploy normally with the feature flag enabled

    3. Validate that we now have a QuarksSecret deployment with kubectl get deployment -n cf-system cf-quarks-secret

    4. Validate that we now have QuarksSecrets with server-side generated values with kubectl get quarkssecrets -n cf-system and kubectl get secret -n cf-system cf-admin-user-credentials -o yaml | yq -r '.data["password"]' | base64 --decode && echo

    5. Smoke tests continue to pass normally

Tag your pair, your PM, and/or team

cc @cloudfoundry/cf-release-integration

Notes

#175423840 #173754832 #173799297
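
An added example, not part of the original PR or the cf-for-k8s code base: one way to run both acceptance checks in a single pass and see which Secrets in a namespace are named by a QuarksSecret and which were applied directly. It assumes JSON from `kubectl get secrets,quarkssecrets -n cf-system -o json` and matches on the QuarksSecret `spec.secretName` field; the function name, the bucket names and the sample objects are constructed for illustration.

```python
import json
import sys

def _obj(kind, name, **extra):
    """Build one constructed sample object in the cf-system namespace."""
    return {"kind": kind, "metadata": {"namespace": "cf-system", "name": name}, **extra}

# Constructed sample, shaped like a kubectl JSON list; values are not real.
SAMPLE = {"kind": "List", "items": [
    _obj("Secret", "cf-admin-client-credentials", data={"password": "Y29uc3RydWN0ZWQ="}),
    _obj("Secret", "cf-admin-user-credentials", data={"password": "Y29uc3RydWN0ZWQ="}),
    _obj("QuarksSecret", "cf-admin-user-credentials",
         spec={"type": "password", "secretName": "cf-admin-user-credentials"}),
    # Hypothetical QuarksSecret whose target Secret has not been written yet.
    _obj("QuarksSecret", "example-pending",
         spec={"type": "password", "secretName": "example-pending-secret"}),
]}

def classify_secrets(kube_list):
    """Sort Secrets by origin: named by a QuarksSecret, or applied directly."""
    items = kube_list.get("items", [])
    # Assumption: a QuarksSecret names the Secret it generates in spec.secretName.
    targets = set()
    for obj in items:
        if obj.get("kind") == "QuarksSecret":
            name = obj.get("spec", {}).get("secretName")
            if name:
                targets.add((obj["metadata"].get("namespace"), name))
    report = {"generated": [], "directly_created": [], "pending": []}
    present = set()
    for obj in items:
        if obj.get("kind") != "Secret":
            continue
        key = (obj["metadata"].get("namespace"), obj["metadata"]["name"])
        present.add(key)
        report["generated" if key in targets else "directly_created"].append(key[1])
    # A QuarksSecret with no matching Secret means generation has not completed.
    report["pending"] = [name for _, name in targets - present]
    return {bucket: sorted(names) for bucket, names in report.items()}

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run on a terminal to use the sample.
    source = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for bucket, names in classify_secrets(source).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The `directly_created` bucket lists every Secret that no QuarksSecret names, so on a live cluster it also includes Secrets created by other controllers, not only those rendered from data values.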

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

paulcwarren commented 3 years ago

Superseded by #574