Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

first draft of configmap/secret injection via volumes enhancement #174

Closed
wants to merge 1 commit into from

Conversation

bparees
Copy link
Contributor

@bparees bparees commented Jan 8, 2020

No description provided.

@bparees
Copy link
Contributor Author

bparees commented Jan 8, 2020

/assign @adambkaplan
/cc @smarterclayton

@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 8, 2020
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2020

### Non-Goals

* This enhancement is not related to the frequently requested "build volumes" feature which would make it possible to mount a volume during a build and read/write content on that volume during the build such as to cache dependencies.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hrm - I kind of expected you to say “we should not create a solution for mounting multiple volume types in different ways, so while we aren’t solving for that we expect to expose an api compatible with the future”.

Ie I expect mounting secrets for pods and builds to be the same api experience.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well that ship already sailed to some degree (in terms of build-pod volume mounts. not in terms of buildah-mounting). We are always going to have the existing secret/configmap input api which controls build-pod mounts.

we may also have the api you seem to be asking for, which would be a secondary way to drive build-pod mounts.

but users don't care about build-pod mounts since that has no real impact on experience. they care about whether we are doing buildah-mounts, or injecting the content in a different way, since that determines what ultimately ends up in the output image.

in any case your suggestion has benefits in terms of pushing us towards the "support PVs" direction, though at the short term cost of being a larger implementation for the immediate goal of treating secrets as a buildah-mount.

namespace: p1
spec:
source:
secrets:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t like this. I would want to mount volumes in the future design. Mounting volumes and injecting the current set of secrets are already different (in terms of use case)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm. So you're looking for an api which is "volume as an input" and then that volume can potentially come from a configmap, secret, PV, etc.

And then after we mounted that content into the build-pod, we'd wire it through as a buildah-mount.

It can be done, i think it's substantially more work than what this augmentation would require (define+implement an entire new api for mounting content into the build-pod, which this enhancement doesn't need since all that logic already exists for secret/configmap input api).

and of course we'll have to constrain the initial implementation to only allow secret+configmap "volume-types".

but i will take a pass at it

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think volume mounts aren't part of "source" - they are part of "build execution environment" (which admittedly we don't have well defined). I think source is about assembly of the input, but execution environment is more about the pod.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reasonable. unfortunately today the closest thing we have to something that's part of the execution environment is our "env var" injection, which is defined on a per-strategy basis.

i'd prefer not to do this on a per-strategy basis, though we certainly could.

if we did it top-level it probably looks like:

apiVersion: v1
items:
- apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: mybuild
    namespace: p1
  spec:
    source:
      secrets:
      - secret: 
          name: myOtherSecret
        destinationDir: /tmp/creds
      - configMaps:
        configMap:
          name: myOtherConfigMap
        destinationDir: /tmp/config
    executionContext:
      volumes:
      - type: Secret
        reference:
          name: mySecretName
        destinationDir: /etc/subscriptions
      - type: ConfigMap
        reference: 
          name: myConfigMapName
        destinationDir: /tmp/config

if we bolted it into strategy we'd have:

apiVersion: v1
items:
- apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: mybuild
    namespace: p1
  spec:
    source:
      git:
        uri: https://github.com/openshift/nodejs-ex
      secrets:
      - secret: 
          name: myOtherSecret
        destinationDir: /tmp/creds
      - configMaps:
        configMap:
          name: myOtherConfigMap
        destinationDir: /tmp/config
    strategy:
      type: Source
      sourceStrategy:
        env:
        - name: foo
          value: bar
        volumes:
        - type: Secret
          reference:
            name: mySecretName
          destinationDir: /etc/subscriptions
        - type: ConfigMap
          reference: 
            name: myConfigMapName
          destinationDir: /tmp/config

@bparees
Copy link
Contributor Author

bparees commented Jan 13, 2020

@smarterclayton @adambkaplan i've added a new commit with a revised version of the design based on @smarterclayton's feedback

@bparees
Copy link
Contributor Author

bparees commented Feb 12, 2020

@smarterclayton i've revised the api to more or less just use pod Volume structs, ptal.

items:
- key: somekey
path: volume/path/value.txt
volumeMounts:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this LGTM for now.

@smarterclayton
Copy link
Contributor

I think this is pretty close, let's get final round of feedback?

@bparees
Copy link
Contributor Author

bparees commented Feb 27, 2020

@adambkaplan @gabemontero you want to take a pass?

Copy link
Contributor

@gabemontero gabemontero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK @bparees some thoughts occurred to me given recent efforts elsewhere that did not occur to me when you first drafted this.

Certainly not "staunch" suggestions if you want to keep things as is, but I'm curious on your take all the same.


* Simplify how users consume secret + configmap content in builds
* Increase the security of protected content being injected to images
* Simplify use cases like mounting subscription entitlement credentials into a build so subscription content can be pulled down during a build while not including the credentials in the resulting image.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we still want to cite this given where #214 is headed re: CSI and mounting content via admission yada yada

If that proposal manifests, the openshift/builder image presumably just needs to look in the well understood location to seed buildah and the build API / controller sugar this proposal gives us.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Granted you can solve entitlements with this but at this point we probably won't.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are other use cases where credentials can otherwise leak, like private Artifactory creds for npm/maven downloads.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

technically it could still be used for this use case until the entitlement feature lands (depending which of these lands first) and also might be used to "override" the entitlements that are otherwise being injected.

that said, i'll revise the wording to make it more generically about providing a way to inject credentials that are not published w/ the output image.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pushed

This will be done by adding a Volume[] field to the Source and Docker strategy structs. The Volume[] field will allow
defining volumes to be mounted to the build pod in the same way that a normal pod allows for this. Similarly a VolumeMount[]
field will be added, but without the MountPropagation and SubPath fields. MountPropagation and SubPath can be considered
for support in the future.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if there will be both some API reuse as well as perhaps some level of pod template manipulation with this that could be shared with build v2 if it was factored in the right way (both api and repo housing code)

How interested are you @bparees in citing that as a goal above?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd say "not very". If we decide we got this api perfect, then i'm ok w/ builds v2 just cloning/copying it as it's just not that complicated/bulky. I'd rather not try to abstract it in hopes of reusing it, especially in case we ultimately conclude it's "close" but not perfect by the time we get to the builds v2 api.

In any case the only new structs this is actually defining is the VolumeMount struct (simplified version of the k8s VolumeMount). So that actually will be a standalone struct that could in theory be reused elsewhere if desired.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading over volumes support in Tekton, what they provide appears to be a thin vaneer over the kube volume API. We need to be clear that the mount path is the destination as seen inside the build, not the path that we mount into the container that runs buildah.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to be clear that the mount path is the destination as seen inside the build, not the path that we mount into the container that runs buildah.

yes good point. the build-controller will autogen/pick the pod mount path. the VolumeMount will determine the mapping of those pod mount paths, to the buildah args.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i was trying to make that clear with // Path within the build environment at which the volume should be mounted.

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 1, 2020
@openshift-bot
Copy link

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 31, 2020
@bparees
Copy link
Contributor Author

bparees commented Oct 31, 2020

/lifecycle frozen
/remove-lifecycle rotten

@openshift-ci-robot openshift-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Oct 31, 2020
Copy link
Contributor

@adambkaplan adambkaplan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviving this EP - supporting only Secrets and ConfigMaps initially is a perfect starting point.

For getting entilements/content access certs into builds, we should also add support for the csi volume type. That way users could try out the projected resource CSI driver in builds in a decoupled fashion.

field will be added, but without the MountPropagation and SubPath fields. MountPropagation and SubPath can be considered
for support in the future.

These fields will be wired, via the build controller, directly to the build pod that is constructed, modulo some validation logic to constrain the types of Volumes we want to support (initially just configmaps and secrets). In addition all mounts
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps instead of using the core k8s Volume object, we create our own object that is a subset of Volume with only the volume types we support.

enhancements/builds/volume-secrets.md Show resolved Hide resolved
@adambkaplan
Copy link
Contributor

/close

Replaced by #733

@openshift-ci-robot
Copy link

@adambkaplan: Closed this PR.

In response to this:

/close

Replaced by #733

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants