Add --pull-secret flag #617
Conversation
There was a problem hiding this comment.
@navidshaikh: 0 warnings.
In response to this:
Fixes #616
- Add --pull-secret flag for service create/update operations
- Setting empty string to flag clears the pull secrets
- List ImagePullSecrets for service in
service describedefault output- Run e2e tests against serving v0.11.1 (ImagePullSecrets introduced in this release)
/lint
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
knative-prow-robot
added
size/M
navidshaikh
force-pushed
the
pr/pull-secrets
branch
from
e4270fd to
67f0728
Compare
navidshaikh
force-pushed
the
pr/pull-secrets
branch
from
67f0728 to
cbe685a
Compare
docs/cmd/kn_service_create.md
Outdated
| @@ -61,6 +61,7 @@ kn service create NAME --image IMAGE [flags] | |||
| -n, --namespace string Specify the namespace to operate in. | |||
| --no-lock-to-digest do not keep the running image for the service constant when not explicitly specifying the image. (--no-lock-to-digest pulls the image tag afresh with each new revision) | |||
| -p, --port int32 The port where application listens on. | |||
| --pull-secrets string Image pull secrets to set. Empty image pull secrets will result to clear the pull secrets. | |||
There was a problem hiding this comment.
This "Empty image pull secrets will result to clear the pull secrets" reads odd... Perhaps: "Empty image pull secrets will clear the pull secrets field"
There was a problem hiding this comment.
Maybe: "No pull secret is used when no secret is provided as an argument"
btw, this is another example why we might to separate better the create and update help messages as for a kn service create an empty --pull-secrets doesn't make sense at all (and would be a no-op)
There was a problem hiding this comment.
this is another example why we might to separate better the create and update help messages as for a kn service create an empty --pull-secrets doesn't make sense at all (and would be a no-op)
+1, good point!
I kept the message in format as we've for ServiceAccount
--service-account string Service account name to set. Empty service account name will result to clear the service account.
The pull secrets are set per revision of the service, you can create a service specifying the pull secrets and a private image, then update service with another revision with a public image and clearing the pull secrets.
Also note, created a service with pull-secrets and private image, any subsequent updates to service without image and empty pull secrets ("") works fine too.
There was a problem hiding this comment.
I've updated the help text as below for --pull-secrets and --service-account flag.
Image pull secrets to set. Empty image pull secrets will the clear the pull secrets.
Service account name to set. Empty service account name will clear the service account.
| assert.Equal(t, template.Spec.ImagePullSecrets[0].Name, "quay") | ||
|
|
||
| UpdateImagePullSecrets(template, " ") | ||
| assert.Check(t, template.Spec.ImagePullSecrets == nil) |
There was a problem hiding this comment.
Hmm, is that true. An empty space value will result in nil. From code above
if pullsecrets == "" {
template.Spec.ImagePullSecrets = nil
} else {
template.Spec.ImagePullSecrets = []corev1.LocalObjectReference{{
Name: pullsecrets,
}}
}seems like it would be an ImagePullSecrets with a LocalObjectReference of name " ". No?
There was a problem hiding this comment.
No. The zero value for ImagePullSecrets (type slice) is nil here.
pkg/kn/commands/service/describe.go
Outdated
| @@ -171,6 +171,9 @@ func writeService(dw printers.PrefixWriter, service *v1alpha1.Service) { | |||
| if (service.Spec.Template != nil) && (service.Spec.Template.Spec.ServiceAccountName != "") { | |||
| dw.WriteAttribute("ServiceAccount", service.Spec.Template.Spec.ServiceAccountName) | |||
| } | |||
| if service.Spec.Template != nil && service.Spec.Template.Spec.ImagePullSecrets != nil { | |||
| dw.WriteAttribute("ImagePullSecrets", service.Spec.Template.Spec.ImagePullSecrets[0].Name) | |||
There was a problem hiding this comment.
I wonder whether we should use the label with spaces (like in "Image Pull Secrets", maybe also for "Service Account") as we use this for other parts in describe, too, for an easier consumption by a human reader.
But I just saw, that even for a kubectl describe this is not consistent (i.e. mixed usage of camel-case and space separated labels). So probably not a big thing :)
There was a problem hiding this comment.
It occurred to me as well, though I went along with other fields as mentioned for ServiceAccount. Will change it to space separated.
There was a problem hiding this comment.
Changed to Image Pull Secrets and Service Account.
| @@ -397,6 +397,18 @@ func UpdateServiceAccountName(template *servingv1alpha1.RevisionTemplateSpec, se | |||
| return nil | |||
| } | |||
|
|
|||
| // UpdateImagePullSecrets updates the image pull secrets used for the corresponding knative service | |||
| func UpdateImagePullSecrets(template *servingv1alpha1.RevisionTemplateSpec, pullsecrets string) { | |||
| pullsecrets = strings.TrimSpace(pullsecrets) | |||
There was a problem hiding this comment.
@maximilien this is where leading and trailing spaces are removed, therefor a test with " " works (and also tests that trim)
|
/retest |
Fixes knative#616 - Add --pull-secrets flag for service create/update operations - Setting empty string to flag clears the pull secrets - List ImagePullSecrets for service in `service describe` default output - Run e2e tests against latets serving v0.12.0 (ImagePullSecrets introduced in v0.11.1 release)
navidshaikh
force-pushed
the
pr/pull-secrets
branch
from
cbe685a to
c7b9bb2
Compare
docs/cmd/kn_service_create.md
Outdated
| @@ -62,10 +62,11 @@ kn service create NAME --image IMAGE [flags] | |||
| -n, --namespace string Specify the namespace to operate in. | |||
| --no-lock-to-digest do not keep the running image for the service constant when not explicitly specifying the image. (--no-lock-to-digest pulls the image tag afresh with each new revision) | |||
| -p, --port int32 The port where application listens on. | |||
| --pull-secrets string Image pull secrets to set. Empty image pull secrets will the clear the pull secrets. | |||
There was a problem hiding this comment.
| --pull-secrets string Image pull secrets to set. Empty image pull secrets will the clear the pull secrets. | |
| --pull-secrets string Image pull secret to set. An empty argument clears the pull secret. This must be the name of a secret in the service's namespace. |
pkg/kn/commands/service/describe.go
Outdated
| dw.WriteAttribute("Service Account", service.Spec.Template.Spec.ServiceAccountName) | ||
| } | ||
| if service.Spec.Template != nil && service.Spec.Template.Spec.ImagePullSecrets != nil { | ||
| dw.WriteAttribute("Image Pull Secrets", service.Spec.Template.Spec.ImagePullSecrets[0].Name) |
There was a problem hiding this comment.
So you are using only the first element, right ? IMO it would be more consequent to call the option --image-pull-secret (singular) than --image-pull-secrets
There was a problem hiding this comment.
I removed image from it. Do you mean to add image in the flag as well apart from singular comment?
Yes, we're using only the first element.
IIUC only one image is allowed per Knative Service, but should we keep the flag name closer to the actual field name in spec?
There was a problem hiding this comment.
nope, --pull-secret is ok as the context is clear. My bad.
docs/cmd/kn_service_create.md
Outdated
| --requests-cpu string The requested CPU (e.g., 250m). | ||
| --requests-memory string The requested memory (e.g., 64Mi). | ||
| --revision-name string The revision name to set. Must start with the service name and a dash as a prefix. Empty revision name will result in the server generating a name for the revision. Accepts golang templates, allowing {{.Service}} for the service name, {{.Generation}} for the generation, and {{.Random [n]}} for n random consonants. (default "{{.Service}}-{{.Random 5}}-{{.Generation}}") | ||
| --service-account string Service account name to set. Empty service account name will result to clear the service account. | ||
| --service-account string Service account name to set. Empty service account name will clear the service account. |
There was a problem hiding this comment.
| --service-account string Service account name to set. Empty service account name will clear the service account. | |
| --service-account string Service account name to set. An empty argument clears the service account. The referenced service account must exist in the service's namespace. |
There was a problem hiding this comment.
well, actually I suggest the change on in the edit_flags.go file. But you know what I mean ;-)
- Update the key name in service describe: - ImagePullSecrets --> Image Pull Secrets - ServiceAccount --> Service Account - Update the help message for --service-account and --pull-secrets
navidshaikh
force-pushed
the
pr/pull-secrets
branch
from
c7b9bb2 to
f39e077
Compare
|
The following is the coverage report on the affected files.
|
|
/retest |
|
New Changes:
and |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maximilien, navidshaikh, rhuss The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes #616
Image Pull Secretinservice describedefault output/lint