[elasticsearch-exporter] Support ssl-skip-verify option (and make securitycontext configurable) #14748
Conversation
helm-bot
added
the
size/S
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @bquartier. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com>
helm-bot
added
the
Contribution Allowed
|
@svenmueller , @desaintmartin , |
|
/assign |
k8s-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
There was a problem hiding this comment.
More generally, could you add a test file in the ci directory (see https://github.com/helm/charts/tree/master/stable/elasticsearch/ci for inspiration)?
| @@ -1,7 +1,7 @@ | |||
| apiVersion: v1 | |||
| description: Elasticsearch stats exporter for Prometheus | |||
| name: elasticsearch-exporter | |||
| version: 1.3.1 | |||
| version: 1.4.1 | |||
There was a problem hiding this comment.
| version: 1.4.1 | |
| version: 1.4.0 |
There was a problem hiding this comment.
I updated the version.
Regarding the test, I will need to have a look at the documentation.
What do you think should be tested in this case?
There was a problem hiding this comment.
if you want to write tests, you might want to look at some examples, e.g. https://github.com/helm/charts/blob/master/stable/grafana/templates/tests/test-podsecuritypolicy.yaml
There was a problem hiding this comment.
I don't really want to add test for such a small PR, but I was respondint to @desaintmartin coment regarding https://github.com/helm/charts/tree/master/stable/elasticsearch/ci
There was a problem hiding this comment.
Oh, it is very simple, just adding a file or two in ci that acts as values.yaml testing the different configurations you are introducing (along with an empty file to also test default values).
In my experience those things tend to break after some "unrelated" PRs if it is not tested.
| @@ -11,6 +11,10 @@ image: | |||
| tag: 1.0.2 | |||
| pullPolicy: IfNotPresent | |||
|
|
|||
| securityContext: | |||
There was a problem hiding this comment.
Maybe state that you should comment in order to disable.
Usually this is done by a enabled flag but it does not work this way here unless we explicitely get runAsNonRoot runAsUser in deployment.yaml. What do you think?
There was a problem hiding this comment.
What is needed in the securityContext depends on the version of the image you use and the flavor of Kubernetes. I think it is good to have it completely configurable.
I added a comment in the value file.
There was a problem hiding this comment.
i double-checked how other charts are doing it. It seems to be standard to use a flag for enabling/disabling configuration snippets (as @desaintmartin mentioned already), e.g.
{{- if .Values.securityContext.enabled }}
securityContext:
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
runAsUser: {{ .Values.securityContext.runAsUser }}
...
{{- end }}
would this be an option?
There was a problem hiding this comment.
@svenmueller this is an option.
However, with your example it would not be possible to set runAsNonRoot without setting runAsUser.
I could do:
{{- if .Values.securityContext.enabled }}
securityContext:
{{- if .Values.securityContext.runAsNonRoot }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- end}}
{{- if .Values.securityContext.runAsUser }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
...
{{- end }}but it seems quite heavy, not sure it is really worth it.
@svenmueller , @desaintmartin what do you think?
There was a problem hiding this comment.
in that case, i would prefer you current solution.
There was a problem hiding this comment.
Ok, thanks @svenmueller .
The lgtm label is still needed to merge this PR.
There was a problem hiding this comment.
Who can put the lgtm label (my understanding of the process is that it comes before the approve label)?
There was a problem hiding this comment.
I've just realized something.
Actually, if you comment the whole section in your own custom values.yaml, it will take values from the default values.yaml (this file!) and it will be still used. Same if you comment runAsNonRoot for example.
This is why the enabled flags are preferred.
But maybe we can workaround this by setting securityContext: {} or something like this.
There was a problem hiding this comment.
@desaintmartin You're right, it is not good. :(.
Initially, I wanted to let the securityContext configuration 100% configurable. However, it is not what other stable charts in this repository do.
I searched this repository for securityContext.enabled and I propose to use the same pattern as they use in the mongodb chart. It is not as configurable as I initially wanted it to be but it covers the two cases I am aware of, Kubernetes and OpenShift.
There was a problem hiding this comment.
I agree, I don't like this pattern (any new parameter requires a PR) but this might be the simplest way for now.
ghost
force-pushed
the
master
branch
3 times, most recently
from
980fb20 to
4bce2ae
Compare
helm-bot
added
size/M
|
/approve |
k8s-ci-robot
added
the
approved
helm-bot
added
size/S
| # Set default security context for kubernetes | ||
|
|
||
| securityContext: | ||
| runAsNonRoot: true |
There was a problem hiding this comment.
1/ It also requires an empty file as well to test with the default values : https://github.com/helm/charts/blob/30b5c13ae1cad13655c0e3f43c7f4cf525e76944/stable/redis/ci/default-values.yaml, so that the default values are tested
2/ In this file, you can change securityContext to be disabled.
And then let's merge this!
There was a problem hiding this comment.
@desaintmartin like this?
By the way, I am not familiar at all with those files for the CI. Do you have a link to the documentation?
There was a problem hiding this comment.
Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com>
|
Do you think we can merge this PR now? |
|
Thanks for this work! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bquartier, desaintmartin, svenmueller The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…uritycontext configurable) (helm#14748) * [elasticsearch-exporter] Add es.ssl-skip-verify option Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com> * [stable/elasticsearch-exporter] Make securityContext configurable Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com> Signed-off-by: Nigel Foucha <nigel.foucha@gmail.com>
…uritycontext configurable) (helm#14748) * [elasticsearch-exporter] Add es.ssl-skip-verify option Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com> * [stable/elasticsearch-exporter] Make securityContext configurable Signed-off-by: Benoit Quartier <benoit.quartier@camptocamp.com> Signed-off-by: Andrii Nasinnyk <anasinnyk@macpaw.com>
Just a simple update to add a parameter to the README that was added in helm#14748
What this PR does / why we need it:
(Redo of #12627 that I accidentally closed)