Quarks secrets (squashed) - Githubissues

cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes

Apache License 2.0

300 stars 115 forks source link

Quarks secrets (squashed) #575

Closed paulcwarren closed 3 years ago

paulcwarren commented 3 years ago

WHAT is this change about?

Add Quarks Secrets behind an experimental feature flag to start driving server side secret generation. Along with the QuarksSecret controller, this PR migrates a few existing secrets to QuarksSecrets. Subsequently, we will update the remaining generated secrets and provide a migration path from user-provided data values to server side generated QuarksSecrets.

Also add ytt unit testing for the experimental feature flag. This PR depends on the addition of new matchers to the yttk8smatchers repo: https://github.com/cloudfoundry/yttk8smatchers/commit/d207637ab62efe1227d64ded4c685444dd8864a2 .

Does this PR introduce a change to `config/values.yml`?

Yes, adds an experimental feature flag to the data values interface.

Acceptance Steps

Validate that the default deployment is unchanged
1. Deploy normally according to the deploy docs and see that we create Secrets directly with the user-provided data values
2. Command to check contents of one of the secrets: kubectl get secret -n cf-system cf-admin-client-credentials -o yaml | yq -r .data | base64 --decode
3. Also see that we do not deploy any additional pods
Validate that when the experimental feature flag is enabled, we deploy QuarksSecret
1. After generating your values, go into the file and manually add the following config:
```
experimental:
quarks_secret:
  enable: true
```
2. Continue to deploy normally with the feature flag enabled
3. Validate that we now have a QuarksSecret deployment with kubectl get deployment -n cf-system cf-quarks-secret
4. Validate that we now have QuarksSecrets with server-side generated values with kubectl get quarkssecrets -n cf-system and kubectl get secret -n cf-system cf-admin-user-credentials -o yaml | yq -r '.data["password"]' | base64 --decode && echo
5. Smoke tests continue to pass normally

Tag your pair, your PM, and/or team

cc @cloudfoundry/cf-release-integration

Notes

#175423840 #173754832 #173799297

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175752287

The labels on this github issue will be updated when the story is started.

linux-foundation-easycla[bot] commented 3 years ago

:white_check_mark: Tom Kennedy (ce17f9c4f92c458a9efe14d5dcb49f790a64a372)
:white_check_mark: James Pollard (013fe758b47dc46d5c4b26272ef8db4c64e39d5e)
:white_check_mark: Andrew Costa (996dcc2d470a2d18ee9f10cce3b0c3d32eaf2da7, 7a1da8c17cefca4e27f2f882c5b59cb3aabdf676, 5c002fb773d9ebbb6a516c07ea02ca16ccbce373, caa01add0f984ba3423c098a6701e4a4b6774b9c, 5410680d5fe55f7ec4659acd3b0a9ae40e002744)
:white_check_mark: Dave Walter (015cd33db653af84dd672058fe24a079254cbc2f, 3882fe71fb544aae52eef5c2480299c2cb72a701, 954dd90464f0aa894178ec1b7c2dcaf71dfff774, 7613cdb6a57f57c67f9f267f9891187bcb878220, 15a99753d789dfc40802eb923b6b873dcdb24579, be6c4ff6a16726328cd08270e84d121065424fe2, 8c7eb53a19eb21234f7999b75060bb8c3bfd9be8, 9cb10fcd45b6597f6c68bb20bb072c4a8e06816f, 1434c5b15db2d10b537ad5eae4f9fdabda415a92, 640a5ddc2990e1d2c0a0d27f9f7b1a9a12e9cb93, bfbd1c86c63641a57756f637c4d58ce214bfce34, 7eaaa2db5d04a8f743d2eacd421ead94e19459e0, f7e9f2166222d8f088b7a8f86516b747adabdb0f)

:x:The commit (2ee55f19a364ce3bb62dd889d82c3bdba16213e6 ,1418544fbf99cee1be99c655465dae3fda29cf71 ,9b269bcbf2a06498e753a54b26806404db4a41b0 ,d0d45767b52747ef63b5d309320aab80caaf883b ,09404d33e1986b20d6032cf294ea47deebfae893 ,e576e5e60dbfd01352fbbae6aab11ab3956fb01b ,83c588b2a47db0334b1028a836875fea4031b001) is missing the User's ID, preventing the EasyCLA check. Consult GitHub Help to resolve. For further assistance with EasyCLA, please submit a support request ticket.

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes:

cf-rel-int-status-bot commented 3 years ago

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes: