-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change kongCredType to a label #2502
Comments
Note that this is very likely to end up being a breaking change, so if a PR comes for this change, we might need to be careful about when to release this. |
Agreed that @rainest will split this into an issue for v2.x (implement support for type label in Secrets in parallel with kongCredType) and a separate issue for a breaking change to come in a major version (drop kongCredType in favor of already supported labels) |
Minor note to self: I briefly thought this was mooted by the fix for #2868, but it isn't, as this concerns the admission webhook, not the controllers. We do still want this to avoid overly-aggressive admission checks on Secrets we don't care about. |
For migration, jq can parse existing credential secrets and print a list of commands to update them:
or without global namespace access:
This finds all secrets with the
Alternatives are building our own tool to do this or to build a tool that both finds and modifies resources. IMO jq is ubiquitous enough that creating and distributing our own standalone tool probably isn't worth it. Outputting |
Is there an existing issue for this?
Problem Statement
Currently the controller uses a special
kongCredType
key in Secret data to identify whether a Secret contains Kong credentials and what type of credential the Secret contains.Admission webhooks can only filter resources based on labels. We have no means of filtering out only the Secrets we need because we have no label for them.
Proposed Solution
Add controller support for determining which Secrets are relevant and determining their type using a label. Optionally remove the code for doing so using the kongCredType key. Update the admission webhook definition to include an objectSelector that excludes Secrets without the label.
Additional information
Broken out of #2431.
Removing support for the kongCredType key is a breaking change. Users will need to update existing resources to use labels instead. We can ease this process by:
The objectSelector documentation is a bit confusing. https:/Kong/charts/blob/8af6326aa3a0ef7aac1b683f6438cd7f6e8488af/charts/kong/templates/admission-webhook.yaml#L37-L42 shows an example, though note that you'll need to use the
In
operator.Acceptance Criteria
The text was updated successfully, but these errors were encountered: