-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: support private terraform registry #352
Feat: support private terraform registry #352
Conversation
Codecov ReportBase: 79.31% // Head: 80.36% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## master #352 +/- ##
==========================================
+ Coverage 79.31% 80.36% +1.04%
==========================================
Files 23 23
Lines 1750 1935 +185
==========================================
+ Hits 1388 1555 +167
- Misses 278 290 +12
- Partials 84 90 +6
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for contribution. These capabilities is important. Here are some suggestions about code optimization:
- Consider the variable name, especially about
Registry
. - Reduce the duplication. make it more maintainable and easier for other contributors to understand and build upon.
api/types/state.go
Outdated
TerraformInitError ConfigurationState = "TerraformInitError" | ||
InvalidGitCredentialsSecretReference ConfigurationState = "InvalidGitCredentialsSecretReference" | ||
InvalidTerraformCredentialsSecretReference ConfigurationState = "InvalidTerraformCredentialsSecretReference" | ||
InvalidTerraformRegistryConfigMapReference ConfigurationState = "InvalidTerraformRegistryConfigMapReference" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, all constant, variables, and functions named "TerraformRegistryConfigMapReference" refer to .terraformrc
file stored in a ConfigMap). But we shouldn't refer it as simply Registry
because this file contains more configuration more than just registry than registry information. It would be more appropriate to refer to it as "TerraformRC".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed as per review comments.
@@ -571,6 +602,48 @@ func (r *ConfigurationReconciler) preCheck(ctx context.Context, configuration *v | |||
} | |||
} | |||
|
|||
if meta.TerraformCredentialsSecretReference != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we have four similar logics fragment. It would be better to organize the content with a table like:
secretConfigMapToCheck:=struct{
ref *SecretConfigMapReference
notFoundState ConfigurationState
}{
{gitRef, InvalidGitCredentialsSecretReference},
{credsRef, InvalidTerraformCredentialsSecretReference
}
for _,check:=range secretConfigMapToCheck{
// check the secret or configMap
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed as per review comments.
@@ -929,6 +1038,36 @@ func (meta *TFConfigurationMeta) createGitAuthConfigVolume() v1.Volume { | |||
return gitAuthSecretVolume | |||
} | |||
|
|||
func (meta *TFConfigurationMeta) createTerraformCredentialsConfigVolume() v1.Volume { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The four (three new added and createGitAuthConfigVolume
) similar function can be unified. Please implement them with a generator function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed as per review comments.
@@ -1358,3 +1497,61 @@ func GetGitCredentialsSecret(ctx context.Context, k8sClient client.Client, secre | |||
|
|||
return secret, nil | |||
} | |||
|
|||
// GetTerraformCredentialsSecret will get the secret containing the terraform credentials | |||
func GetTerraformCredentialsSecret(ctx context.Context, k8sClient client.Client, secretRef *v1.SecretReference) (*v1.Secret, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, these GetFooSecret/GetFooConfigMap can be unified with a generator function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed as per review comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed GetFooSecret/GetFooConfigMap functions and we call GetSecretOrConfigMap to retrieve the secret/configmap
You can use |
62520e5
to
6a1232f
Compare
// validate secretreferences and config maps. 1. GitCredentialsSecretReference 2. TerraformCredentialsSecretReference 3. TerraformRCConfigMapReference | ||
// 4. TerraformCredentialsHelperConfigMapReference |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please format the comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
secretConfigMapToCheck := []struct { | ||
ref *v1.SecretReference | ||
notFoundState types.ConfigurationState | ||
refType string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can replace the refType with a function and use this function to check the existence. No need to match by type.
[]struct {
ref *v1.SecretReference
notFoundState types.ConfigurationState
checkFn func(ctx context.Context, k8sClient client.Client, ref *Reference) (metav1.Object, error)
}
There is another thing to do: define a Reference struct which has all field of SecretReference and ConfigMapReference. You can cast the type to Reference when you call check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #352 (comment). And checkFn will be assigned with GetObjectByReferenceFn(ctx, client, ref, needKey, errMsg)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed the function call and changed the code to call a single method to retrieve secret or configmap.
case "GitCredentialsSecretReference": | ||
gitCreds, err := GetGitCredentialsSecret(ctx, k8sClient, check.ref) | ||
if gitCreds == nil { | ||
checkErr = err | ||
checkErrFlag = true | ||
} | ||
case "TerraformCredentialsSecretReference": | ||
terraformCreds, err := GetTerraformCredentialsSecret(ctx, k8sClient, check.ref) | ||
if terraformCreds == nil { | ||
checkErr = err | ||
checkErrFlag = true | ||
} | ||
case "TerraformRCConfigMapReference": | ||
terraformRegistryConfig, err := GetTerraformRCConfigMap(ctx, k8sClient, check.ref) | ||
if terraformRegistryConfig == nil { | ||
checkErr = err | ||
checkErrFlag = true | ||
} | ||
case "TerraformCredentialsHelperConfigMapReference": | ||
terraformCredentialsHelper, err := GetTerraformCredentialsHelperConfigMap(ctx, k8sClient, check.ref) | ||
if terraformCredentialsHelper == nil { | ||
checkErr = err | ||
checkErrFlag = true | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this become
checkedObj,err:= check.checkFn(ctx, k8sObject, (*Reference)check.ref)
// check err and objects...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed the function call.
@@ -898,9 +1020,21 @@ func (meta *TFConfigurationMeta) assembleExecutorVolumes() []v1.Volume { | |||
tfBackendVolume := meta.createTFBackendVolume() | |||
executorVolumes := []v1.Volume{workingVolume, inputTFConfigurationVolume, tfBackendVolume} | |||
if meta.GitCredentialsSecretReference != nil { | |||
gitAuthConfigVolume := meta.createGitAuthConfigVolume() | |||
gitAuthConfigVolume := meta.createSecretOrConfigMapVolume(true, meta.GitCredentialsSecretReference.Name, GitAuthConfigVolumeName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the same. Embed a function in a table and loop it instead of execute respectively。
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
if configMap != nil { | ||
return configMap, nil | ||
} else { | ||
return nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, we're used to check the err first. Sometimes you can assume that if configMap returned isn't nil, then no error happens. But it depends. My suggestion is to check it first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
errMsg := "Failed to get the terraform credentials helper configmap" | ||
neededKeys := []string{} | ||
_, configMap, err := GetSecretOrConfigMap(ctx, k8sClient, false, configMapRef, neededKeys, errMsg, "") | ||
if configMap != nil { | ||
return configMap, nil | ||
} else { | ||
return nil, err | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, seems you have made some abstraction using GetSecretOrConfigMap
. As I mentioned in the last review, we can make GetFooConfigMap/GetBarSecret
function more general.
You can use a function to generate these function like
type ObjectGetter func (ctx context.Context, k8sClient client.Client, ref *Reference) (metav1.Object,error)
func GetObjectByReferenceFn(ctx context.Context, k8sClient client.Client, ref *Reference, ,needKeys []string, errMsg string) ObjectGetter {
return func(ctx context.Context, k8sClient client.Client, ref *Reference)(metav1.Object,error){
// get configMap or Secret
// check err
// return metav1.Object
}
}
Returned metav1.Object
is an option. You can also use unstructrured.Unstructured
. They are type/interface that can represent both Secret and ConfigMap from k8s.io/apimechinary
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
@@ -1639,6 +1639,118 @@ func TestAssembleTerraformJobWithGitCredentialsSecretRef(t *testing.T) { | |||
assert.Contains(t, spec.Volumes, gitAuthSecretVolume) | |||
} | |||
|
|||
func TestAssembleTerraformJobWithTerraformRegistryConfigAndCredentialsSecretRef(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func TestAssembleTerraformJobWithTerraformRegistryConfigAndCredentialsSecretRef(t *testing.T) { | |
func TestAssembleTerraformJobWithTerraformRCAndCredentials(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
|
||
} | ||
|
||
func TestAssembleTerraformJobWithTerraformRegistryConfigAndCredentialsHelperConfigMapRef(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not merge this with the last test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
merged the two tests.
k8sClient: k8sClient, | ||
TerraformCredentialsSecretReference: &corev1.SecretReference{ | ||
Namespace: "default", | ||
Name: "terraform-credentials", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Name: "terraform-credentials", | |
Name: "secret-not-exist", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM. Please add some e2e test.
…rm a kubernetes secret. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
…tials-helper form configmaps. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
…ry as per review commments. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
… or configMap. Review comment fixed. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
…fixed review comment. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
…tent for secret and configmaps check. Fixed review comments. Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Co-authored-by: qiaozp <47812250+chivalryq@users.noreply.github.com> Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
Co-authored-by: qiaozp <47812250+chivalryq@users.noreply.github.com> Signed-off-by: raradhakrishnan <raradhakrishnan@guidewire.com>
6a6cb4c
to
5b3fffb
Compare
pull request to support volume mounting of the credentials.tfrc.json and .terraformrc files to be able to connect to private terraform registry.