feat: KMP periodic retrieval with k8s requeue #1625
Conversation
Would like to understand the scope of this PR, and whether docs and e2e tests will be included in this PR.
Please complete the test coverage section once the PR is ready for review. Here are some suggestions; let us know if you have any questions, thanks!
My thinking was this PR would include the changes to the KMP resource that make the refresh possible for clustered and namespaced resources of the KMP. I was thinking the e2e tests would be a separate PR, but I don't have a strong opinion. So, if it's preferred to have them in this PR, that's fine with me also.
I think e2e can be a separate PR if this PR is covered by manual testing. @duffney, do you think this PR will be ready for review this week?
@susanshi the PR is ready for another round of review. :) I just pushed changes that add the refresh interface to namespaced resources. I'll work on manually testing these changes and documenting the steps. That'll give me a better idea of how to build the e2e test for the next PR.
Discussed in PR review: for 1.3, default to empty string (disable refresh); in 1.4, once we support N versions of a cert, default to 1 min. (Note the breaking scenario of a disabled key/cert.)
@susanshi is the default of 1 min too short? The key/cert is not likely to be rotated in such a short period normally.
@susanshi, can you elaborate on what you mean by this test? Does this mean that the user defined an interval and then replaced it with a different value later on?
Hi Yi, the scenario in mind is how long the customer has to wait for the refresh. In scenarios like changes in permission role assignment, the customer might want to wait a short amount of time to validate that the cert retrieval succeeded. KV providers have a limit of thousands of transactions per 10 sec, so there is no concern from the request throttling side.
Thanks for confirming @joshuaphelpsms. Yes, that is correct, exactly: "the user defined an interval and then replaced it with a different value later on".
@duffney thanks for the PR. Overall looks good. Do you think we need to add a new interval value in the helm chart for AKV?
You're most welcome! And yes, adding a
@duffney yes, that's correct. Maybe you can add the refresh interval for the AKV KMP here: ratify/charts/ratify/values.yaml, line 70 in 56ffab4.
Please review the factory at 85d7006.
LGTM. Thanks for addressing my comments!
lgtm, thanks for adding the feature and unit tests!
feat: refresher interface
fix: formatting and license
test: kuberefresher
test: kuberefresher helpers
refactor: IsRefreshable KMP interface method
fix: add IsRefreshable method
refactor: kmp spec interval as string
mod: rm todo
mod: rm comment
style: use embedded type
feat: namespaced refresher interface
test: mock factory & test refreshable logic
refactor: use kubeRefreshNamespaced in controller
mod: add license blocks
refactor: kmp.spec.interval default to empty string disabling refresh
tests: increase refresher coverage
refactor(kmp): use factory for creating refresher objects

This change introduces a RefresherFactory that is responsible for creating the appropriate refresher object based on a configuration that's passed in. This decouples the reconcile logic from the object creation, making the code more modular and easier to test.

mod: rename interval to refreshinterval & adds crd descriptions
mod: remove verbose logging from refresher
docs: kmp refresh interval samples
doc: corrected resource name of akv samples
fix: kmp spec json tag using incorrect values & add refresh interval description
fix: add licenses & update interval name in tests
mod: comments for exported interfaces
test: improve refresher test coverage

Signed-off-by: Joshua Duffney <[email protected]>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.0 to 0.17.1. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](anchore/sbom-action@d94f46e...ab9d16d) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@eb055d7...29d86d2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
…ect#1697) Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.1 to 3.26.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@29d86d2...429e197) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Yi Zha <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Description
Implements a periodic refresh for KMP resources deployed to Kubernetes by using the controller's re-queue functionality.
What this PR does / why we need it:
Adds two new properties to the KMP CRD spec: Interval and Refreshable. Interval determines the amount of time in-between refreshes. Refreshable determines if the resource is eligible for refresh. Logic from the controller's reconcile method has been abstracted into a new refresh interface. TODO: more details
Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #1131
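As an added illustration (not code from the Ratify PR or the project): a minimal Go sketch of the refresher interface, kube refresher and factory the description and commit messages above talk about, with an empty refreshInterval disabling the requeue as agreed in the review discussion. The KMPSpec and Result types, the field names and the injected fetch function are assumptions; Result stands in for controller-runtime's ctrl.Result so the sketch runs offline.

```go
package main

import (
	"fmt"
	"time"
)

// KMPSpec: the field this PR adds to the KMP CRD spec (hypothetical simplified struct); "" disables refresh.
type KMPSpec struct{ RefreshInterval string }

type Result struct{ RequeueAfter time.Duration } // stands in for ctrl.Result

// Refresher is the interface the PR pulls out of the reconcile method.
type Refresher interface {
	IsRefreshable() bool
	Refresh() (Result, error)
}

// kubeRefresher re-fetches the provider's certs/keys and asks the controller to requeue after the interval.
type kubeRefresher struct{ interval time.Duration; fetch func() error } // fetch (e.g. AKV) injected for tests

func (r *kubeRefresher) IsRefreshable() bool { return r.interval > 0 }
func (r *kubeRefresher) Refresh() (Result, error) {
	if err := r.fetch(); err != nil {
		return Result{}, err // no requeue here; the controller's error backoff retries
	}
	if !r.IsRefreshable() {
		return Result{}, nil // refresh disabled: one-shot reconcile
	}
	return Result{RequeueAfter: r.interval}, nil
}

// NewRefresher is the factory; it rejects bad or negative intervals up front to avoid a hot requeue loop.
func NewRefresher(spec KMPSpec, fetch func() error) (Refresher, error) {
	var d time.Duration
	if spec.RefreshInterval != "" {
		parsed, err := time.ParseDuration(spec.RefreshInterval)
		if err != nil || parsed < 0 {
			return nil, fmt.Errorf("invalid refreshInterval %q: want a non-negative Go duration", spec.RefreshInterval)
		}
		d = parsed
	}
	return &kubeRefresher{interval: d, fetch: fetch}, nil
}

func main() {
	r, _ := NewRefresher(KMPSpec{RefreshInterval: "1m"}, func() error { return nil })
	res, _ := r.Refresh()
	fmt.Println("requeue after", res.RequeueAfter) // requeue after 1m0s
}
```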
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Unit Tests:
Manual Tests:
Behavior:
E2E
Checklist:
Post Merge Requirements
Helm Chart Change