-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC-0004] Allow disabling of insecure HTTP connections for alert providers #404
base: main
Are you sure you want to change the base?
Conversation
94e3f95
to
88e5c43
Compare
9c03a45
to
8470951
Compare
@pjbgf I have done the suggested changes. |
@gunishmatta please squash your changes into a single commit. |
@makkes I will work on the suggested changes by you and will update the PR Thanks for the review |
@gunishmatta please hold working on this, a decision to break Flux for all users is not something that can be taken lightly in a PR, an RFC is needed. |
My line of thought is that #404 (comment) recommends setting the default to true for backwards-compatibility to explicitly not break any existing integration. |
@makkes @stefanprodan just wanted to check if we can go ahead with making this flag disabled by default? |
No, I don't think we can without further discussion. Disabling plain HTTP by default would break Grafana integration as @stefanprodan pointed out. An RFC would be needed. |
Sorry, what I mean is releasing with enabling http scheme by default. Thanks |
If all comments from my and |
549a300
to
cedf3c2
Compare
@pjbgf I have addressed all the changes requested above, Please review and merge if everything is okay |
@makkes have enabled http by default. |
e0e3dd1
to
0c1485d
Compare
@pjbgf Please review, have updated the tests |
084d443
to
1207eea
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the unnecessary condition this looks good to me now.
Done this optional change too, Please merge if everything is okay |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gunishmatta thank you for working on this. Once the change above is made, squash your changes to a single commit please and we should be good to merge the PR.
b2c1262
to
c5cacf2
Compare
Hi @pjbgf , I have squashed all commits into one and it was an amazing experience contributing to Flux, Also since I am new to Golang, thanks for patiently reviewing all my changes in PR. Thanks everyone @makkes @stefanprodan |
57727d3
to
f81a866
Compare
Signed-off-by: Gunish Matta <[email protected]> Signed-off-by: gunishmatta <[email protected]>
f81a866
to
8ea5d6c
Compare
controllers/event_handling_test.go
Outdated
} | ||
for _, eventServerTest := range eventServerTests { | ||
t.Run(eventServerTest.name, func(t *testing.T) { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please initialize a new g
here before using g.Expect
, as it's a subtest.
Refer https://github.com/fluxcd/pkg/blob/c6f9759287b14231463a30d7ff8e416e53984a60/git/internal/e2e/gitlab_test.go#L110 for an example.
- Use noopstore to disable throttling behaviour. - Fake k8s client to remove need of interacting with an envtest apiserver. - Replace HTTP Status Code magic numbers, with their respective constants. Signed-off-by: Paulo Gomes <[email protected]>
5c72e84
to
5a06288
Compare
Dismissing review as I made the last changes.
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||
"k8s.io/kubectl/pkg/scheme" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should be able to get rid of this new dependency by using k8s.io/apimachinery/pkg/runtime
to create a new scheme. Refer
scheme := runtime.NewScheme() |
"name", providerName.Name, | ||
"namespace", providerName.Namespace) | ||
continue | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having reviewed #435, I think we can implement this block in a different way such that it becomes more apparent to the user that their Provider and Alert won't work.
At the beginning of this function, handleEvent()
, all the alerts are listed and alerts are matched against the event. While doing so, the alerts are checked to be Ready. Not ready alerts are ignored.
In Provider reconciler, we can parse the address of the webhook and mark the object as stalled, as per the RFC https://github.com/fluxcd/flux2/tree/main/rfcs/0004-insecure-http#design-details and Ready=False. But if the address is specified in a secret ref, the address in the secret can change without updating the Provider object. So, when secretRef is present, we can just fail the reconciliation with Ready=False and allow it to retry with exponential backoff.
Because the Provider is not ready, the associated Alert would also become not ready and that intern would make the event handler to drop the event early in the above function. The failure in the configuration would be visible on the object itself, compared to the current implementation where it'll be just logged and may not be visible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose we delay this PR until v1beta2 is released. If RFC-0004 instructs the objects to marked as stalled, then we'll probably need to add secret watches to NC and cascade stalling from Provider to all dependant Alerts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gunishmatta unfortunately, we will have to label these changes on hold until the #435 is merged, by which point we will need to review the implementation based on @darkowlzz comments above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No Worries, Will keep following it and would focus on contributing to other issues at Flux and understanding the code in depth.
This PR should no longer be on hold. A lot has changed since the last discussion. With notification-controller v1.2 released recently, the reconcilers for the Provider has been removed, simplifying the implementation. Disabling insecure HTTP connection should be implementable in the event handler based on the given configureation. @gunishmatta sorry for a long hold. Since it has been a long time, if you can no longer work on this, we can make this available for others to implement or carry it forward. Converting the PR to a draft for now as it'll require a lot of changes before it's ready for review. |
Hi,
Please review and suggest changes.
Thanks
Fixes: #386