-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable contextual login in OCI HelmRepository #873
Conversation
b7f09b6
to
8979160
Compare
8979160
to
a745493
Compare
a745493
to
e6ef561
Compare
I tested it on azure using the test infrastructure from fluxcd/pkg/oci/tests/integration. It works. |
e6ef561
to
be8c1fc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to document the contextual login usage. I think the docs can be adapted from https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/ocirepositories.md#provider
be8c1fc
to
b8d278c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @souleb 🥇
bff9560
to
afa6914
Compare
fab6e81
to
6afb263
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny nit
While testing events and notifications, I found an issue which I believe didn't get much attention earlier because most of the focus was on getting the status conditions correct. source-controller/controllers/helmrepository_controller_oci.go Lines 249 to 250 in 6afb263
checks if the object was ready before and became not ready after the reconciliation, and emits a notification based on that. This works for that exact situation, when the object was ready before. But it doesn't work when the object is created for the first time. Let's change this to notify always when it's not ready but notify once on recovery. Something around: - // Emit events when object's state changes.
+ // Emit event when reconciliation fails or recovers from failure.
ready := conditions.Get(obj, meta.ReadyCondition)
// Became ready from not ready.
if !conditions.IsReady(oldObj) && conditions.IsReady(obj) {
r.eventLogf(ctx, obj, corev1.EventTypeNormal, ready.Reason, ready.Message)
}
- // Became not ready from ready.
- if conditions.IsReady(oldObj) && !conditions.IsReady(obj) {
+ // Not ready, failed.
+ if !conditions.IsReady(obj) { |
6afb263
to
84d016b
Compare
can we do this in another PR? I will make the update. |
If implemented, this pr will enable user to use the auto login feature in order to automatically login to their provider of choice's container registry (i.e. aws, gcr, acr). Signed-off-by: Soule BA <soule@weave.works>
84d016b
to
ad3eb5c
Compare
@souleb okay. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
great job @souleb! 🙇
} | ||
|
||
return loginOpt, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code in this function combined with loginWithManager()
below, it seems like registry.OIDCAdaptHelper()
can just take the result of OCIRepositoryReconciler.oidcAuth()
. The arguments of OCIRepositoryReconciler.oidcAuth()
can just be the URL and the provider name to not make it source type specific. It should be okay to convert OCIRepositoryReconciler.oidcAuth()
into an independent function oidcAuth()
.
In the future, I think we can make a private package with a lot of the OCI related code here and in OCIRepo reconciler.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
true, it would be better. But as you said OCIRepositoryReconciler.oidcAuth()
is a receiver function, so I thought that this would need a specific PR to refactor it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay to change it separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Just remembered that when testing with both
it seems to be a different behavior. Looking at the code in OCIRepo reconciler, I believe it does the same. |
Let's fix this for both OCI implementations in a separate PR. |
If implemented, this pr will enable user to use the auto login feature in order to automatically login to their provider of choice's container registry (i.e. aws, gcr, acr).
This must be tested with the following providers
IRSA
) that was previously using a cronjob to rotate tokens.If people have existing running gke or aks clusters, that would be nice to help test this.
Fix: #867
Fix: #870
Implements: fluxcd/flux2#3025