feat: support for Ory Network #133
Hello there!
I understand the concerns, we use Flux HelmReleases, so it's easy for us to inject these as secrets still. So two options come to mind if you have a preference?
I think we can connect both approaches :)
    apiKeySecretRef:
      name: foo
which is optional, and if not supplied we default to the secret in 1, if that is not defined too, don't use apikey altogether
Disclaimer: I've only just recently started picking up Go, so fairly new to it still - any feedback is appreciated!
This now supports both a global environment variable, or a CR level option.
Option 1: Environment Variable
If Open to suggestions on a more appropriate name for this variable too.
Option 2: CR Option
This will also replace any value defined in the global
I'll leave the PR in draft for any feedback.
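The precedence discussed in the comments above (a CR-level `apiKeySecretRef` wins over the global setting, and with neither no API key is used), as an added sketch that is not code from this PR or from the project. `SecretReader`, `ResolveAPIKey`, `Authorize`, the single-namespace lookup and the `Bearer` scheme are assumptions; the secret data is constructed.

```go
package main
import (
	"errors"
	"fmt"
	"net/http"
)
// SecretRef stands in for the CR-level apiKeySecretRef (fields assumed).
type SecretRef struct{ Name, Key string }
// defaultKey is the fallback data key, the value shown in the reviewed hunk.
const defaultKey = "hydra_api_key"
// SecretReader is a hypothetical lookup returning a Secret's data map.
type SecretReader func(namespace, name string) (map[string][]byte, error)

// ResolveAPIKey: CR-level ref first, then the global secret name, else "".
func ResolveAPIKey(read SecretReader, ns string, cr *SecretRef, global string) (string, error) {
	ref := SecretRef{Name: global}
	if cr != nil {
		if cr.Name == "" {
			return "", errors.New("apiKeySecretRef.name is required when the ref is set")
		}
		ref = *cr
	}
	if ref.Name == "" {
		return "", nil // nothing configured: requests carry no API key
	}
	if ref.Key == "" {
		ref.Key = defaultKey
	}
	data, err := read(ns, ref.Name)
	if err != nil {
		return "", fmt.Errorf("read secret %s/%s: %w", ns, ref.Name, err)
	}
	if len(data[ref.Key]) == 0 { // fail closed rather than silently dropping auth
		return "", fmt.Errorf("secret %s/%s has no data key %q", ns, ref.Name, ref.Key)
	}
	return string(data[ref.Key]), nil
}
// Authorize sets the header only when a key was resolved (Bearer scheme assumed).
func Authorize(req *http.Request, apiKey string) {
	if apiKey != "" {
		req.Header.Set("Authorization", "Bearer "+apiKey)
	}
}

func main() {
	read := func(ns, name string) (map[string][]byte, error) { // constructed sample data
		return map[string][]byte{defaultKey: []byte("example-key")}, nil
	}
	fmt.Println(ResolveAPIKey(read, "default", &SecretRef{Name: "foo"}, ""))
}
```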
Hi there! Sorry for the delay, but I was off for some time. The PR is coming along nicely, leaving some feedback regarding code structure :)
// ApiKeySecretRef contains Secret details for the API Key | ||
type ApiKeySecretRef struct { | ||
// Name of the secret containing the API Key | ||
Name string `json:"name,omitempty"` |
Name string `json:"name,omitempty"` | |
Name string `json:"name"` |
The whole object can be optional, but once given the name of the secret must be supplied.
Moreover, for the object to be properly validated by k8s we need to add the annotations like here
// +kubebuilder:validation:Type=object
// +nullable
// +optional
//
// Metadata is abritrary data
Metadata apiextensionsv1.JSON `json:"metadata,omitempty"`
||
type ApiKeySecretRef struct { | ||
Name string | ||
Namespace string |
Did you forget about the Key here ;d?
spec.HydraAdmin.ApiKeySecretRef.Name = secretName | ||
spec.HydraAdmin.ApiKeySecretRef.Namespace = secretNamespace | ||
if spec.HydraAdmin.ApiKeySecretRef.Key == "" { | ||
spec.HydraAdmin.ApiKeySecretRef.Key = "hydra_api_key" |
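Review bot: `ApiKeySecretRef.Namespace` is assigned from `secretNamespace` on the second line, and nothing in this hunk shows where that value comes from. If it can be influenced by the custom resource, the controller would read Secrets from namespaces the resource author may not have access to; pin it to the resource's own namespace or to one operator-configured namespace, and state that in the field's doc comment.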
for consistency please move the default key value to consts and refer to it here :)
// Name of the secret containing the API Key | ||
Name string `json:"name,omitempty"` | ||
// Key of the secret for the API key | ||
Key string `json:"key,omitempty"` |
The default value of the field can be defined in 2 ways:
1 - in the code using a const like we do for other variables
2 - define it in the CRD using // +kubebuilder:default=foo
||
func determineApiSecretName(spec *hydrav1alpha1.HydraAdmin) string { | ||
if spec.ApiKeySecretRef.Name != "" { | ||
return spec.ApiKeySecretRef.Name |
Since the name should be always given, this shouldn't be required, or throw an error if the name is empty
return "" | ||
} | ||
|
||
func determineApiSecretNamespace(spec *hydrav1alpha1.OAuth2Client) string { |
I think this would make more sense as a method on the OAuth2Client type
cfg := ctrl.GetConfigOrDie() | ||
kubeClient, err := client.New(cfg, client.Options{}) |
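Review bot: `ctrl.GetConfigOrDie()` on the first line exits the process when no cluster config can be loaded, so it belongs in startup code rather than in a helper that may run during reconciliation. The hunk also ends before `err` from `client.New` is handled; confirm it is checked before `kubeClient` is used to read the API key Secret.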
Not a fan of this pattern. I think we should define the clients either in the New function, or pass them to the function to avoid the possibility of creating multiple instances. Then we can refactor this function into a method and create some unit tests :)
Adds support for Ory Network by adding a new api key flag.
When specified, the Authorization header is included in all requests.
Related Issue or Design Document
#132
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.