Conversation
gndrmnn
force-pushed
the
implement_appcred
branch
from
b164bc7 to
3b4c877
Compare
|
Failed to assess the semver bump. See logs for details. |
gndrmnn
force-pushed
the
implement_appcred
branch
from
3b4c877 to
1673576
Compare
|
Failed to assess the semver bump. See logs for details. |
gndrmnn
force-pushed
the
implement_appcred
branch
from
1673576 to
9f8fef7
Compare
|
Failed to assess the semver bump. See logs for details. |
gndrmnn
force-pushed
the
implement_appcred
branch
from
9f8fef7 to
6b99144
Compare
|
Failed to assess the semver bump. See logs for details. |
gndrmnn
force-pushed
the
implement_appcred
branch
from
6b99144 to
2f6ff31
Compare
|
Failed to assess the semver bump. See logs for details. |
gndrmnn
force-pushed
the
implement_appcred
branch
from
2f6ff31 to
480ccef
Compare
gndrmnn
force-pushed
the
implement_appcred
branch
7 times, most recently
from
b05fcb5 to
ba588f7
Compare
mandre
left a comment
mandre
left a comment
There was a problem hiding this comment.
This is a great start! There's a bit more work to do around dependency management and handling of the secret, but hopefully nothing blocking.
It's annoying that the openstack API doesn't allow retrieving an app cred directly via its UUID, forcing us to pass it a user ID as well. I don't think there's a magic solution for it, and we'll have to document the tradeoff we've made, and explain how managing app creds for other user might increase the load on OpenStack API.
Again, really good work.
| var filters []osclients.ResourceFilter[osResourceT] | ||
|
|
||
| // Add client-side filters | ||
| if resourceSpec.Description != nil { |
There was a problem hiding this comment.
Looks like the keystone API allows filtering app creds via description but this is missing from gophercloud.
Would you like to contribute this to gophercloud?
There was a problem hiding this comment.
Yeah, I could address this at some point. But I would like to get this PR merged in the foreseeable future. Would you mind, if we open a new issue for this instead?
There was a problem hiding this comment.
Clearly not something I expect you to fix in gophercloud before this PR lands :)
It was just an observation for something I noticed during review.
gndrmnn
force-pushed
the
implement_appcred
branch
2 times, most recently
from
ac1c351 to
b991cc7
Compare
$ go run ./cmd/scaffold-controller -interactive=false \
-kind=ApplicationCredential \
-gophercloud-client=NewIdentityV3 \
-gophercloud-module=github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials \
-gophercloud-type=ApplicationCredential \
-openstack-json-object=application_credentials \
-required-create-dependency=User \
-import-dependency=User
On-behalf-of: SAP nils.gondermann@sap.com
Register with the resource generator On-behalf-of: SAP nils.gondermann@sap.com
Add the OpenStack client to scope On-behalf-of: SAP nils.gondermann@sap.com
Register the controller On-behalf-of: SAP nils.gondermann@sap.com
gndrmnn
force-pushed
the
implement_appcred
branch
14 times, most recently
from
3337480 to
3b6f422
Compare
On-behalf-of: SAP nils.gondermann@sap.com
On-behalf-of: SAP nils.gondermann@sap.com
On-behalf-of: SAP nils.gondermann@sap.com
On-behalf-of: SAP nils.gondermann@sap.com
gndrmnn
force-pushed
the
implement_appcred
branch
from
3b6f422 to
9379fb5
Compare
On-behalf-of: SAP nils.gondermann@sap.com
On-behalf-of: SAP nils.gondermann@sap.com
gndrmnn
force-pushed
the
implement_appcred
branch
from
9379fb5 to
123212f
Compare
mandre
left a comment
mandre
left a comment
There was a problem hiding this comment.
A lot of changes since I last looked at it, I see there's now proper dependency handling. I've left a few comments, some that really need addressing before we merge, some less important. I also see you chose to make passing the password required, I think that's a fair first implementation, that we can change later.
| unrestricted: true | ||
| secret: | ||
| secretRef: kubernetes-secret | ||
| roleRef: |
There was a problem hiding this comment.
| roleRef: | |
| roleRefs: |
|
|
||
| // secret used to authenticate against the API | ||
| // +required | ||
| Secret ApplicationCredentialSecretSpec `json:"secret,omitempty,omitzero"` |
There was a problem hiding this comment.
If there's no extra parameters associated with the secret, it's probably not necessary to wrap into a struct, is it?
| Secret ApplicationCredentialSecretSpec `json:"secret,omitempty,omitzero"` | |
| SecretRef KubernetesNameRef `json:"secretRef,omitempty"` |
| // +optional | ||
| Name *string `json:"name,omitempty"` | ||
|
|
||
| // id is the ID of an role |
There was a problem hiding this comment.
nit
| // id is the ID of an role | |
| // id is the ID of a role |
| unrestricted: true | ||
| secret: | ||
| secretRef: "application-credential-secret" | ||
| roleRef: |
There was a problem hiding this comment.
Should be plurals. I suspect your test succeeds because you're getting default roles.
| roleRef: | |
| roleRefs: |
| kind: ApplicationCredential | ||
| name: applicationcredential-create-full | ||
| ref: applicationcredential | ||
| - apiVersion: openstack.k-orc.cloud/v1alpha1 |
There was a problem hiding this comment.
I wonder if we shouldn't simply store the UserID in the resource status 🤔
This way, we could drop the hack that goes over all users.
| return user.Status.ID, rs | ||
| } | ||
|
|
||
| func (actuator applicationcredentialActuator) ResolveUserIDDependency(ctx context.Context, orcObject orcObjectPT) (*string, progress.ReconcileStatus) { |
There was a problem hiding this comment.
Same here, this function appears to not be needed?
| // Programming error | ||
| return nil, progress.WrapError(fmt.Errorf("service %s was not returned by GetDependencies", serviceName)) | ||
| } | ||
| accessRule.Service = *service.Status.ID |
There was a problem hiding this comment.
Should be the service type, and not id, right?
|
|
||
| var secretData []byte | ||
|
|
||
| secret, secretReconcileStatus := dependency.FetchDependency( |
There was a problem hiding this comment.
We should move this dependency retrieval at the top of the function, where the other dependencies are retrieved.
| func (actuator applicationcredentialActuator) DeleteResource(ctx context.Context, orcObject orcObjectPT, resource *osResourceT) progress.ReconcileStatus { | ||
| var reconcileStatus progress.ReconcileStatus | ||
|
|
||
| userID, userDepRS := actuator.ResolveUserIDDependency(ctx, orcObject) |
There was a problem hiding this comment.
See my comment about storing the user ID in the resource status. This would make it easier to retrieve here.
|
|
||
| services := make([]string, len(resource.AccessRules)) | ||
| for i := range resource.AccessRules { | ||
| services[i] = string(*resource.AccessRules[i].ServiceRef) |
There was a problem hiding this comment.
ServiceRef is optional, so we would need to check for nil, and only add service refs that are set.
2 participants
Adds ApplicationCredential support
Due to the nature of the OpenStack API, we have to work around addressing application credentials not only by their unique ID, but also a UserRef.
Closes #670