Adopt Kubernetes style TLS Secret #597
Conversation
There was a problem hiding this comment.
Would be good to include a makefile that generates this and the other files in this directory.
Similar to https://github.com/fluxcd/source-controller/blob/aa370f284db70e09d8acb49d5bed4e42908b8cb3/internal/controller/testdata/certs/Makefile#L17-L20 .
| if err := r.Get(ctx, providerName, provider); err != nil { | ||
| // log not found errors since they get filtered out | ||
| ctrl.LoggerFrom(ctx).Error(err, "failed to get provider %s", providerName.String()) | ||
| ctrl.LoggerFrom(ctx).Error(err, fmt.Sprintf("failed to get provider '%s'", providerName.String())) |
There was a problem hiding this comment.
In favor of structured logging I suggest:
| ctrl.LoggerFrom(ctx).Error(err, fmt.Sprintf("failed to get provider '%s'", providerName.String())) | |
| ctrl.LoggerFrom(ctx).Error(err, "failed to get provider", "provider", providerName.String()) |
| return fmt.Errorf("no caFile found in secret %s", provider.Spec.CertSecretRef.Name) | ||
| caFile, ok = secret.Data["caFile"] | ||
| if !ok { | ||
| return fmt.Errorf("no `ca.crt` key found in secret '%s'", provider.Spec.CertSecretRef.Name) |
There was a problem hiding this comment.
| return fmt.Errorf("no `ca.crt` key found in secret '%s'", provider.Spec.CertSecretRef.Name) | |
| return fmt.Errorf("no 'ca.crt' nor 'caFile' key found in secret", "secret", provider.Spec.CertSecretRef.Name) |
There was a problem hiding this comment.
I am not sure if we want to add the deprecated key caFile to the log so as not to encourage users to use it.
There was a problem hiding this comment.
Yeah, had the same thought. Up to you.
| if !ok { | ||
| return fmt.Errorf("no `ca.crt` key found in secret '%s'", provider.Spec.CertSecretRef.Name) | ||
| } | ||
| log.Info("warning: specifying CA cert via `caFile` is deprecated, please use `ca.crt` instead") |
There was a problem hiding this comment.
| log.Info("warning: specifying CA cert via `caFile` is deprecated, please use `ca.crt` instead") | |
| log.Info("warning: specifying CA cert via 'caFile' is deprecated, please use 'ca.crt' instead") |
| continue | ||
| caFile, ok = secret.Data["caFile"] | ||
| if !ok { | ||
| alertLogger.Error(nil, "no `ca.crt` key found in secret '%s'", provider.Spec.CertSecretRef.Name) |
There was a problem hiding this comment.
| alertLogger.Error(nil, "no `ca.crt` key found in secret '%s'", provider.Spec.CertSecretRef.Name) | |
| alertLogger.Error(nil, "no 'ca.crt' nor 'caFile' key found in secret", "secret", provider.Spec.CertSecretRef.Name) |
|
|
||
| To enable notification-controller to communicate with a provider API over HTTPS | ||
| using a self-signed TLS certificate, set the `caFile` like so: | ||
| using a self-signed TLS certificate, set the `ca.crt` like so: |
There was a problem hiding this comment.
we also need to add a deprecation notice for the caFile key like the one here: https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/helmrepositories.md#secret-reference
There was a problem hiding this comment.
my bad, skipped it somehow but the same goes for the API docs
somtochiama
force-pushed
the
kube-tls-secret
branch
from
015ebc4 to
0ac4494
Compare
| **Note:** Support for the `caFile` key have been | ||
| deprecated. If you have any Secrets using these keys, |
There was a problem hiding this comment.
| **Note:** Support for the `caFile` key have been | |
| deprecated. If you have any Secrets using these keys, | |
| **Warning:** Support for the `caFile` key has been | |
| deprecated. If you have any Secrets using this key, |
There was a problem hiding this comment.
Also, maybe mention the types of Secret that's allowed in the above section, not part of this warning.
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
somtochiama
force-pushed
the
kube-tls-secret
branch
from
794d100 to
23e733b
Compare
stefanprodan
left a comment
stefanprodan
left a comment
There was a problem hiding this comment.
LGTM
Thanks @somtochiama 🏅
5 participants
Deprecate the usage of
caFilefor the.spec.certSecretRefsecret in Provider. BothcaFileandca.crtkeys are supported for Provider with the latter taking precedence.Part of: fluxcd/flux2#4137