Improvements to secret injector #13282
Conversation
| @@ -105,6 +116,30 @@ func (si *secretInjector) Admit(attr admission.Attributes) (err error) { | |||
| return nil | |||
| } | |||
|
|
|||
| func (si *secretInjector) admitSecret(attr admission.Attributes, secret *api.Secret) (err error) { | |||
There was a problem hiding this comment.
can't this be part of the static validation logic for secrets, or that's not an option because it's an upstream object so we can't override/extend the validation logic?
There was a problem hiding this comment.
I assumed it's not an option for the reason you mention.
| @@ -12,7 +12,7 @@ var InvalidPatternError = errors.New("invalid pattern") | |||
|
|
|||
| var urlPatternRegex = regexp.MustCompile(`^` + | |||
| `(?:(\*|git|http|https|ssh)://)` + | |||
| `(\*|(?:\*\.)?[^/*]+)` + | |||
| `(\*|(?:\*\.)?[^@/*]+)` + | |||
| `(/.*)` + | |||
| `$`) | |||
There was a problem hiding this comment.
i don't think we should be disallowing this for all users of the utility, since technically urls containing @ can be valid, even though you want to disallow it in your particular usage.
There was a problem hiding this comment.
We're disallowing @ in the host part of the /pattern/, not in the URL matched. A pattern of http://example.com/* would still match the URL http://user:password@example.com/ (although I'll add a test case for this). I want to disable @ in the pattern because I don't think it makes any sense for us to match user:password@ in the URL.
There was a problem hiding this comment.
Test cases added.
There was a problem hiding this comment.
you don't think we'd have a case where we want to ensure a user name is being supplied in the url, as for an ssh url?
we might not need it today, i'm not convinced we wouldn't want it in the future, but i guess i'm ok with adding this restriction for now.
jim-minter
force-pushed
the
secret-injector-improvements
branch
from
85a5ea3
to
f5df357
Compare
| } | ||
|
|
||
| if secret, ok := obj.(*api.Secret); ok { | ||
| return si.admitSecret(attr, secret) | ||
| } |
There was a problem hiding this comment.
i suspect @smarterclayton may have strong opinions about adding this admission control check.
|
lgtm as long as @smarterclayton doesn't veto the use of admission control for this (due to added overhead) |
|
Veto. We don't use admission for validation, and doing this here is wrong in lots of ways. Also, people may already have these, so you have to suck it up a bit. If you want to report broken secrets, fail the build. |
|
Can talk tomorrow and go over it. |
|
@smarterclayton the motivation here is to provide rapid feedback when the annotation added to the secret does not parse, in order to make the situation less confusing to the person adding the annotation. Is there an alternative way to meet this goal? |
|
We don't block creations on annotation parsing (it's just not done).
Annotations are not allowed to break core submission today, and I think
it's unreasonable to expect it to. I think this is a "we'll try to improve
it later, for now, do it in in the controllers" type of thing.
…On Thu, Mar 16, 2017 at 9:27 AM, Jim Minter ***@***.***> wrote:
@smarterclayton <https://github.com/smarterclayton> the motivation here
is to provide rapid feedback when the annotation added to the secret does
not parse, in order to make the situation less confusing to the person
adding the annotation. Is there an alternative way to meet this goal?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#13282 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p_M0ahJ7b_zC6XmXbwydz1rSEVhnks5rmTjKgaJpZM4MVovV>
.
|
|
OK, I think that means that all we can do is log the fact that the annotation didn't parse to the master log when at some point we touch it, which is what we do today. Is that correct? |
|
Where do we touch?
|
|
The documentation suggests using |
|
@smarterclayton is there anything useful that can come out of this PR, or should I just abandon it? |
|
@smarterclayton bump |
jim-minter
force-pushed
the
secret-injector-improvements
branch
from
f5df357
to
77d631c
Compare
jim-minter
force-pushed
the
secret-injector-improvements
branch
from
77d631c
to
280217a
Compare
openshift-merge-robot
added
needs-rebase
… try to add URL patterns of the form username@hostname/path.
jim-minter
force-pushed
the
secret-injector-improvements
branch
from
280217a
to
ae22665
Compare
openshift-merge-robot
removed
the
needs-rebase
openshift-ci-robot
added
size/S
|
@bparees removed the admission controller pieces from this and rebased - ptal |
|
@jim-minter so what's the net effect of this change? who are the consumers that are impacted? any effect on existing objects in clusters? |
|
@jim-minter bump |
|
/retest |
|
@bparees tbh, minimal effect. Whereas previously an invalid url pattern of the form *://user@host/* would have parsed but failed to match anything, now it will fail to parse causing a glog.V(2).Infof to be emitted to the master log. Wider behaviour remains the same - BC object passes through and is created. No effect on existing objects. |
|
thanks @jim-minter |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bparees, jim-minter The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 16269, 13282, 16386) |
|
@jim-minter: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Disallow @ character in host component of URL patterns, so that people don't mistakenly try to add URL patterns of the form user@host.
Extend admission controller to reject invalid URL patterns on secrets to provide early feedback to end users when their patterns are wrong.