chore: updating pubsub system #3646
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3646 +/- ##
==========================================
- Coverage 54.49% 47.67% -6.83%
==========================================
Files 134 234 +100
Lines 12329 19855 +7526
==========================================
+ Hits 6719 9465 +2746
- Misses 5116 9498 +4382
- Partials 494 892 +398
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
JaydipGabani
changed the title
JaydipGabani
force-pushed
the
exporter-interface
branch
from
570505d to
7c48595
Compare
JaydipGabani
changed the title
|
Still working on doc changes. |
| @@ -26,37 +26,37 @@ import ( | |||
| ) | |||
|
|
|||
| var ( | |||
| PubsubEnabled = flag.Bool("enable-pub-sub", false, "(alpha) Enabled pubsub to publish messages") | |||
| ExportEnabled = flag.Bool("enable-pub-sub", false, "(alpha) Enabled pubsub to publish messages") | |||
There was a problem hiding this comment.
Do we want to rename the flag to remove pub-sub word?
There was a problem hiding this comment.
May as well while it's still alpha
There was a problem hiding this comment.
should we provide a warning for the user if we change the name? we can remove it after a release?
There was a problem hiding this comment.
What do you mean? How would we provide warning for changing a name before release?
|
Fixes #3497 |
| @@ -114,22 +114,22 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( | |||
| } | |||
|
|
|||
| if len(cfg.Data) == 0 { | |||
| return reconcile.Result{}, fmt.Errorf(fmt.Sprintf("data missing in configmap %s, unable to configure respective pubsub", request.NamespacedName)) | |||
| return reconcile.Result{}, fmt.Errorf(fmt.Sprintf("data missing in configmap %s, unable to establish connection", request.NamespacedName)) | |||
There was a problem hiding this comment.
is it a "connection" necessarily?
There was a problem hiding this comment.
"link" may be? I just couldn't come up with better alternative at the time.
There was a problem hiding this comment.
"unable to configure exporter"?
| } | ||
| if _, ok := cfg.Data["provider"]; !ok { | ||
| return reconcile.Result{}, fmt.Errorf(fmt.Sprintf("missing provider field in configmap %s, unable to configure respective pubsub", request.NamespacedName)) | ||
| if _, ok := cfg.Data["driver"]; !ok { |
There was a problem hiding this comment.
Is changing from config map to CRD coming later?
There was a problem hiding this comment.
I can raise a follow up PR, we have the design finalized as per last discussion.
JaydipGabani
force-pushed
the
exporter-interface
branch
from
bf0c5cf to
1f2905e
Compare
| } | ||
|
|
||
| func (a *Adder) Add(mgr manager.Manager) error { | ||
| if !*PubsubEnabled { | ||
| if !*ExportEnabled { | ||
| return nil | ||
| } | ||
| log.Info("Warning: Alpha flag enable-pub-sub is set to true. This flag may change in the future.") |
There was a problem hiding this comment.
update this too if we change the flag name
| @@ -114,22 +114,22 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( | |||
| } | |||
|
|
|||
| if len(cfg.Data) == 0 { | |||
| return reconcile.Result{}, fmt.Errorf(fmt.Sprintf("data missing in configmap %s, unable to configure respective pubsub", request.NamespacedName)) | |||
| return reconcile.Result{}, fmt.Errorf(fmt.Sprintf("data missing in configmap %s, unable to establish connection", request.NamespacedName)) | |||
There was a problem hiding this comment.
"unable to configure exporter"?
| title: Export Interface/Driver walkthrough | ||
| --- | ||
|
|
||
| This guide provides an overview of the driver interface, including details of its structure and functionality. Additionally, it offers instructions on adding a new driver and utilizing different backends to export violations. |
There was a problem hiding this comment.
| This guide provides an overview of the driver interface, including details of its structure and functionality. Additionally, it offers instructions on adding a new driver and utilizing different backends to export violations. | |
| This guide provides an overview of the driver interface, including details of its structure and functionality. Additionally, it offers instructions on adding a new driver and utilizing different backends to export audit violations. |
| @@ -67,8 +67,8 @@ var ( | |||
| auditEventsInvolvedNamespace = flag.Bool("audit-events-involved-namespace", false, "emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will still follow the default behavior") | |||
| auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)") | |||
| apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit") | |||
| auditConnection = flag.String("audit-connection", defaultConnection, "(alpha) Connection name for publishing audit violation messages. Defaults to audit-connection") | |||
| auditChannel = flag.String("audit-channel", defaultChannel, "(alpha) Channel name for publishing audit violation messages. Defaults to audit-channel") | |||
| auditConnection = flag.String("audit-connection", defaultConnection, "(alpha) Connection name for exporting audit violation messages. Defaults to audit-connection") | |||
There was a problem hiding this comment.
we may want to change default to something else in this case?
I am wondering if removing audit-connection and audit-channel flags altogether makes sense. We would create connections for configmaps created in gatekeeper-system when gatekeeper.sh/exporter-config: yes annotation is attached to it. This opens up door for supporting multiple connections at the same time as well by creating connections with multiple config_map rather than the one passed down with --audit-connection. And audit-channel should be passed in as part of the config. Additionally, replacing config_map with CRD should also be relatively seamless with this modification.
I am more than happy to just change flag names and helm variables in revisit this later. LMK your thoughts @sozercan @maxsmythe @ritazh
There was a problem hiding this comment.
As per community discussion, keep the flag names as is and then remove once we have CRD inplace.
| auditConnection = flag.String("audit-connection", defaultConnection, "(alpha) Connection name for publishing audit violation messages. Defaults to audit-connection") | ||
| auditChannel = flag.String("audit-channel", defaultChannel, "(alpha) Channel name for publishing audit violation messages. Defaults to audit-channel") | ||
| auditConnection = flag.String("audit-connection", defaultConnection, "(alpha) Connection name for exporting audit violation messages. Defaults to audit-connection") | ||
| auditChannel = flag.String("audit-channel", defaultChannel, "(alpha) Channel name for exporting audit violation messages. Defaults to audit-channel") |
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
JaydipGabani
force-pushed
the
exporter-interface
branch
from
1b578cb to
2fba5c2
Compare
Signed-off-by: Jaydip Gabani <[email protected]>
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #1037 #3497
Special notes for your reviewer: