Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat integrate spiffe #1663

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

TessaIO
Copy link
Member

@TessaIO TessaIO commented Apr 14, 2024

Resolves #1186
TODO:

  • Add docs
  • Add e2e

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: TessaIO
Once this PR has been reviewed and has the lgtm label, please assign marquiz for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 14, 2024
Copy link

netlify bot commented Apr 14, 2024

Deploy Preview for kubernetes-sigs-nfd ready!

Name Link
🔨 Latest commit 520dd72
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-nfd/deploys/6641180c9e9c520008910841
😎 Deploy Preview https://deploy-preview-1663--kubernetes-sigs-nfd.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@TessaIO TessaIO force-pushed the feat-integrate-spiffe branch 4 times, most recently from b60483c to 2917fe1 Compare April 14, 2024 20:45
@TessaIO
Copy link
Member Author

TessaIO commented Apr 15, 2024

/cc marquiz

@ArangoGutierrez
Copy link
Contributor

Let's close #1434 ;)

Copy link
Contributor

@ArangoGutierrez ArangoGutierrez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some first comments

pkg/utils/spiffe/spiffe.go Outdated Show resolved Hide resolved
pkg/utils/spiffe/spiffe_test.go Outdated Show resolved Hide resolved
pkg/utils/spiffe/spiffe.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 19, 2024
@TessaIO TessaIO force-pushed the feat-integrate-spiffe branch 2 times, most recently from c433995 to 5e5183d Compare April 22, 2024 16:11
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 22, 2024
@@ -91,6 +91,8 @@ func main() {
klog.InfoS("-port is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "verify-node-name":
klog.InfoS("-verify-node-name is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "enable-spiffe":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marquiz should we define this as a feature-gate???

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not. I think this will never be enabled by default so feature gate feels superfluous (and unintuitive). It would serve as a unnecessary second-level gate (we'd want the enable/disable setting anyway), i.e. you'd need to specify -feature-gates spiffe=true -enable-spiffe

pkg/utils/spiffe/spiffe.go Outdated Show resolved Hide resolved
pkg/utils/spiffe/spiffe_test.go Outdated Show resolved Hide resolved
Comment on lines +26 to +28
"github.com/stretchr/testify/assert"
"sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this file go imports checked?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it contain any problem? My IDE does not complain about it.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 26, 2024
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 28, 2024
@TessaIO TessaIO force-pushed the feat-integrate-spiffe branch 2 times, most recently from 65e5b03 to aee2686 Compare April 28, 2024 09:52
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 30, 2024
@@ -91,6 +91,8 @@ func main() {
klog.InfoS("-port is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "verify-node-name":
klog.InfoS("-verify-node-name is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "enable-spiffe":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not. I think this will never be enabled by default so feature gate feels superfluous (and unintuitive). It would serve as a unnecessary second-level gate (we'd want the enable/disable setting anyway), i.e. you'd need to specify -feature-gates spiffe=true -enable-spiffe

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't we want to depend on/refer to some official Spire Helm chart for deploying spire instead of maintaining our own?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes for Helm charts that would be better. But I'm wondering how we're going to do that for Kustomize.

@@ -85,6 +90,7 @@ type NFDConfig struct {
LeaderElection LeaderElectionConfig
NfdApiParallelism int
Klog klogutils.KlogConfigOpts
EnableSpiffe bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, looking at this maybe it would be safest to only have this as a command line argument (i.e. NOT at as a dynamically configurable config file setting). Just to make it very clear if/when the setting is changed. WDYT?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good for me!

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 12, 2024
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@marquiz
Copy link
Contributor

marquiz commented May 24, 2024

/milestone v0.17

@k8s-ci-robot k8s-ci-robot added this to the v0.17 milestone May 24, 2024
@k8s-ci-robot
Copy link
Contributor

@TessaIO: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-node-feature-discovery-build-image-cross-generic 520dd72 link true /test pull-node-feature-discovery-build-image-cross-generic
pull-node-feature-discovery-e2e-test-master 520dd72 link true /test pull-node-feature-discovery-e2e-test-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Copy link

codecov bot commented Jul 8, 2024

Codecov Report

Attention: Patch coverage is 22.78481% with 122 lines in your changes missing coverage. Please review.

Project coverage is 39.49%. Comparing base (eef9912) to head (520dd72).
Report is 68 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1663      +/-   ##
==========================================
- Coverage   39.85%   39.49%   -0.37%     
==========================================
  Files          80       81       +1     
  Lines        6839     6996     +157     
==========================================
+ Hits         2726     2763      +37     
- Misses       3859     3968     +109     
- Partials      254      265      +11     
Files Coverage Δ
cmd/nfd-worker/main.go 53.91% <50.00%> (-0.15%) ⬇️
cmd/nfd-master/main.go 0.00% <0.00%> (ø)
pkg/nfd-master/nfd-master.go 39.78% <12.19%> (-1.24%) ⬇️
pkg/nfd-worker/nfd-worker.go 49.64% <7.31%> (-2.91%) ⬇️
pkg/utils/spiffe/spiffe.go 38.23% <38.23%> (ø)

@marquiz
Copy link
Contributor

marquiz commented Sep 16, 2024

/milestone v0.18

@k8s-ci-robot k8s-ci-robot modified the milestones: v0.17, v0.18 Sep 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Spiffe support
4 participants