Comments (8)
This sounds like a good idea which could easily be implemented if we limit connection secret to contain only some remote secret content. This could help for syncing back username
and password
in the given example but not for hostname
.
However, to support hostname
as well, we would need to support reading arbitrary resources back (e.g. ip of loadbalancer type service), not only secrets which would require some more work where we would need to define some API to specify which field of which resource to read and store with which key in connection secret.
Something like:
apiVersion: helm.crossplane.io/v1alpha1
kind: Release
metadata:
name: mariadb-example
spec:
connectionDetails:
- apiVersion: v1
kind: Secret
name: mariadb-example
namespace: mariadb
- apiVersion: v1
kind: Service
name: mariadb-example
namespace: mariadb
fieldPath: status.loadBalancer.ingress[0].ip
toConnectionSecretKey: hostname
writeConnectionSecretToRef:
name: mariadb-conn
namespace: crossplane-system
forProvider:
...
from provider-helm.
@negz I agree with what you are saying in terms of this being a common need across all providers managing kubernetes workloads and originally I was thinking this functionality should be part of a (yet-to-be-implemented) provider-kubernetes
in the form of an observe only
resource.
However, having this functionality natively in provider helm as mentioned above also has some value like:
- Using provider helm without additional dependency (e.g. provider-kubernetes)
- Using
Release
objects individually (e.g. not being part of composition) as mentioned by @srueg above - Consuming what is deployed with that
Release
instance without additional CRs
As an analogy, we have GKECluster
resource which publishes connection details of the cluster it creates. Having a GKEClusterObservation
resource to read connection details of an already existing cluster should not necessarily mean; we should not be publishing connection secrets in GKECluster
resource and always rely on GKEClusterObservation
to consume the cluster.
I feel like satisfying this common need in the form of reusable code instead (i.e. part of crossplane-runtime), would make more sense considering above. Then, we could still introduce an observe-only managed resource as part of provider-kubernetes by re-using common code or reuse that implementation in provider-kustomize later to have native support.
What do you think about having this functionality in crossplane-runtime?
from provider-helm.
I thought about this too, but we'd still need to get the actual state from the cluster and not just from the metadata. Otherwise things like the externalIP of a LoadBalancer service couldn't be retrieved.
Yeah, definitely. I meant only validating whether asked resource is part of the release or not via Release manifest.
If valid, we will fetch actual state on the cluster and return value from there.
from provider-helm.
We could also work with crossplane/crossplane#1722 to "read" the state? It would require to have an "observeOnly" variant for arbitrary Kubernetes resources though...
Having said that, it would only work when using the Release
as part of a Composition
, I guess. So it might make sense to have this functionality native in provider-helm.
from provider-helm.
Something like
@turkenh I like the look of this API, though I wonder whether it belongs in provider-helm, as opposed to a distinct provider. I imagine that if we were to write a provider-kustomize for example we'd want the same functionality and a similar API there. I suppose we could just repeat the same pattern in provider-kustomize, but I wonder if there's a case for a generic managed resource that just exposes a connection secret derived from some other Kubernetes resource - e.g. one that Crossplane doesn't manage. 🤔
This does start to sound a lot like the "observe only" resources, but scoped specifically to observing Kubernetes resources which is a bit more of a manageable problem given all the machinery we have for working with the Kubernetes API.
from provider-helm.
@turkenh I see your point, though it does feel a bit strange that the Release
resource can seemingly ask for anything in the cluster (whether it be part of the release or not) to be included in its connection secret. 🤔
from provider-helm.
@negz yes I feel same about being able to ask for anything independent about Release
resource.
I think we can fix this by just limiting what could be asked to the resources only deployed with the release. This should be technically possible since we have access to release metadata which contains manifests for deployed object.
from provider-helm.
I think we can fix this by just limiting what could be asked to the resources only deployed with the release. This should be technically possible since we have access to release metadata which contains manifests for deployed object.
I thought about this too, but we'd still need to get the actual state from the cluster and not just from the metadata. Otherwise things like the externalIP
of a LoadBalancer
service couldn't be retrieved.
from provider-helm.
Related Issues (20)
- Ability to store secrets in vault
- On Helm release with the specified option pullSecretRef does not find the Secret in the namespace
- Support aws s3 bucket as a helm repository HOT 8
- Establish Ownership and Visibility of Helm Resources in ArgoCD via OwnerReferences HOT 2
- Passing args to configure the Helm provider package to configure the controller and be more verbose HOT 2
- make: *** No rule to make target `local.up', needed by `local-dev'. Stop. HOT 3
- Retry should be enabled by default HOT 1
- Add Proxy Support
- howto debugging reconciling loop HOT 1
- Installation of provider-helm fails with "resource name may not be empty" in air-gapped environment. HOT 1
- Unable to pull Charts from Private Registry HOT 3
- Add x-kubernetes-map-type: granular to release values to support serve side apply
- identity section for AzureAD auth in ProviderConfig should not be processed when the supplied kubeconfig does not require AzureAD auth
- Enable support for Management Policies in Helm Provider HOT 1
- What is the purpose of putting an `*` as an option in an enum?? HOT 2
- Drop v1alpha1 or add conversion webhooks HOT 13
- Release Ready status should be aggregation of readines of object deployed within a release
- Observe data from resources created by Release object
- ProviderConfig does not support "InjectedIdentity" as `source.identity`
- Rollback feature doesn't work as expected.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from provider-helm.