replicatedhq / kots

KOTS provides the framework, tools and integrations that enable the delivery and management of 3rd-party Kubernetes applications, a.k.a. Kubernetes Off-The-Shelf (KOTS) Software.
https://kots.io
Apache License 2.0

'kots pull' doesn't preserve valuePlaintext #508

Open MikaelSmith opened 4 years ago

MikaelSmith commented 4 years ago

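The admin console workflow to update files says to

  • kots download
  • make changes
  • kots upload

However it's not clear where to make changes.

  • If I make them in base, then do kots upload, those are reflected in the diff and applied. However if I then make config changes in the console, my changes get overwritten.
  • If I make them in upstream, then do kots upload, the changes don't appear in the diff until I also make some sort of config change in the console.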

The best solution I found was to do kots download --decrypt-password-values, make changes in upstream, and run kots pull <slug> --local-path <slug>/upstream --rootdir newdir --exclude-admin-console --license-file <slug>/upstream/userdata/license.yaml --downstream this-cluster. I could then upload newdir/<slug> (or say --rootdir . and update in-place) but the password values from config that show up in base have been changed in a way I don't trust.

That kots pull invocation isn't easy to figure out, and it doesn't appear to treat valuePlaintext correctly.

dexhorthy commented 4 years ago

Thanks @MikaelSmith! I know doing the pull using --local-path is experimental right now, but the workflow you're using should be working. I'd be curious if @marccampbell has any more thoughts on the password values changes.

Just to clarify -- this is for developing your app against kotsadm, not about adding last-mile kustomize changes to a production application, right?

MikaelSmith commented 4 years ago

Ah yes, this is primarily about developing an application and testing out configuration/templating. So my work-around isn't terrible, but kots pull seems like it should work with valuePlaintext.

P.S. https://kots.io/kotsadm/updating/patching-with-kustomize/ would be a useful link to have in the Admin Console where it talks about "Edit any of your files in your favorite IDE".

MikaelSmith commented 4 years ago

An additional note: doing kots pull also rewrites the userdata/config.yaml with encrypted values, removing the valuePlaintext.

mahesws commented 3 years ago

The admin console workflow to update files says to

  • kots download
  • make changes
  • kots upload

However it's not clear where to make changes.

  • If I make them in base, then do kots upload, those are reflected in the diff and applied. However if I then make config changes in the console, my changes get overwritten.
  • If I make them in upstream, then do kots upload, the changes don't appear in the diff until I also make some sort of config change in the console.

The best solution I found was to do kots download --decrypt-password-values, make changes in upstream, and run kots pull <slug> --local-path <slug>/upstream --rootdir newdir --exclude-admin-console --license-file <slug>/upstream/userdata/license.yaml --downstream this-cluster. I could then upload newdir/<slug> (or say --rootdir . and update in-place) but the password values from config that show up in base have been changed in a way I don't trust.

That kots pull invocation isn't easy to figure out, and it doesn't appear to treat valuePlaintext correctly.

Is this issue fixed? I am still getting the same when editing "cd4pe/upstream/userdata/config.yaml" file & uploading using "kubectl kots upload --namespace default --slug cd4pe ./cd4pe". No changes in cd4pe apps.

MikaelSmith commented 3 years ago

We've primarily moved to relying on the KOTS Admin Console service to handle pulls, so we only modify "upstream". I modify <app>/upstream/userdata/config.yaml regularly to make changes. Always set/edit value (not default), and make sure there aren't duplicate entries.

Recent versions of KOTS also include kubectl kots set config <key>=<value>, which should be simpler to accomplish the same thing.
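
A pre-upload check for the advice in the last comment (edit value rather than default, avoid duplicate entries), added here as an example and not code from the KOTS project. It also lists keys stored as valuePlaintext, since after kots download --decrypt-password-values those are secrets in clear text on disk. Assumptions: the file layout spec.values.<key>.{default,value,valuePlaintext}, the constructed sample, the hypothetical function name lint_config_values, and a minimal indentation scanner in place of a full YAML parser.

```python
import re

# Constructed sample. Assumed layout: spec.values.<key>.{default,value,valuePlaintext}
SAMPLE = """\
apiVersion: kots.io/v1beta1
kind: ConfigValues
spec:
  values:
    hostname:
      default: app.example.test
    admin_password:
      valuePlaintext: constructed-secret
    replicas:
      value: "3"
    hostname:
      value: other.example.test
"""

LINE = re.compile(r"^(\s*)([^\s:#][^:]*):\s*(.*)$")  # "<indent><name>: <rest>"

def lint_config_values(text):
    """Return (findings, plaintext_keys) for the entries under spec.values."""
    entries, values_indent, key_indent = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        indent, name, rest = len(m.group(1)), m.group(2).strip(), m.group(3)
        if values_indent is None:  # still looking for the "values:" mapping
            if name == "values" and not rest:
                values_indent = indent
        elif indent <= values_indent:
            break  # dedent: left the values block
        elif key_indent is None or indent == key_indent:
            key_indent = indent
            entries.append((name, {}))  # new entry; duplicates are kept
        else:
            entries[-1][1][name] = rest  # field of the current entry
    findings, plaintext, seen = [], [], set()
    for key, fields in entries:
        if key in seen:
            findings.append(f"{key}: duplicate entry")
        seen.add(key)
        if "value" not in fields and "valuePlaintext" not in fields:
            findings.append(f"{key}: no 'value' set (edit 'value', not 'default')")
        if "valuePlaintext" in fields:
            plaintext.append(key)  # secret stored in clear text on disk
    return findings, plaintext
```

Run it against <app>/upstream/userdata/config.yaml before kots upload; any key it returns in the second list is a reason to keep that directory out of version control and shared storage.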