[RFC-0004] Allow disabling of insecure HTTP connections for alert providers #404
@pjbgf I have done the suggested changes.
@gunishmatta please squash your changes into a single commit.
@makkes I will work on the suggested changes by you and will update the PR. Thanks for the review.
@gunishmatta please hold working on this, a decision to break Flux for all users is not something that can be taken lightly in a PR, an RFC is needed.
My line of thought is that #404 (comment) recommends setting the default to true for backwards-compatibility to explicitly not break any existing integration.
@makkes @stefanprodan just wanted to check if we can go ahead with making this flag disabled by default?
No, I don't think we can without further discussion. Disabling plain HTTP by default would break Grafana integration as @stefanprodan pointed out. An RFC would be needed.
Sorry, what I mean is releasing with enabling http scheme by default. Thanks
If all comments from my and |
@pjbgf I have addressed all the changes requested above. Please review and merge if everything is okay.
@makkes have enabled http by default.
@pjbgf Please review, have updated the tests
Other than the unnecessary condition this looks good to me now.
Done this optional change too. Please merge if everything is okay.
@gunishmatta thank you for working on this. Once the change above is made, squash your changes to a single commit please and we should be good to merge the PR.
Hi @pjbgf, I have squashed all commits into one and it was an amazing experience contributing to Flux. Also, since I am new to Golang, thanks for patiently reviewing all my changes in the PR. Thanks everyone @makkes @stefanprodan
Signed-off-by: Gunish Matta <gunishmatta@gmail.com> Signed-off-by: gunishmatta <gunishmatta@gmail.com>
controllers/event_handling_test.go
Outdated
} | ||
for _, eventServerTest := range eventServerTests { | ||
t.Run(eventServerTest.name, func(t *testing.T) { | ||
|
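Review bot: the closure passed to `t.Run` inside `for _, eventServerTest := range eventServerTests` captures the loop variable, which is harmless while the subtests run sequentially but makes every subtest see the last table entry if `t.Parallel()` is ever added on a Go version before 1.22. Adding `eventServerTest := eventServerTest` as the first statement of the loop body guards against that, and the empty line that opens the closure body can be dropped.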
Please initialize a new g here before using g.Expect, as it's a subtest.
Refer https://github.com/fluxcd/pkg/blob/c6f9759287b14231463a30d7ff8e416e53984a60/git/internal/e2e/gitlab_test.go#L110 for an example.
- Use noopstore to disable throttling behaviour.
- Fake k8s client to remove need of interacting with an envtest apiserver.
- Replace HTTP Status Code magic numbers, with their respective constants.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Dismissing review as I made the last changes.
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||
"k8s.io/kubectl/pkg/scheme" |
We should be able to get rid of this new dependency by using k8s.io/apimachinery/pkg/runtime to create a new scheme. Refer
scheme := runtime.NewScheme()
"name", providerName.Name, | ||
"namespace", providerName.Namespace) | ||
continue | ||
} |
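Review bot: the `continue` that closes this block skips the provider after a log call keyed by `name` and `namespace`, so a user whose alert never arrives has to find that log line to learn why. Consider also surfacing the skip where the user looks first, for example as a Kubernetes event or a condition on the affected object, and have the message say that plain HTTP was the reason the provider was skipped.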
Having reviewed #435, I think we can implement this block in a different way such that it becomes more apparent to the user that their Provider and Alert won't work.
At the beginning of this function, handleEvent(), all the alerts are listed and alerts are matched against the event. While doing so, the alerts are checked to be Ready. Not ready alerts are ignored.
In Provider reconciler, we can parse the address of the webhook and mark the object as stalled, as per the RFC https://github.com/fluxcd/flux2/tree/main/rfcs/0004-insecure-http#design-details and Ready=False. But if the address is specified in a secret ref, the address in the secret can change without updating the Provider object. So, when secretRef is present, we can just fail the reconciliation with Ready=False and allow it to retry with exponential backoff.
Because the Provider is not ready, the associated Alert would also become not ready and that in turn would make the event handler drop the event early in the above function. The failure in the configuration would be visible on the object itself, compared to the current implementation where it'll be just logged and may not be visible.
I propose we delay this PR until v1beta2 is released. If RFC-0004 instructs the objects to be marked as stalled, then we'll probably need to add secret watches to NC and cascade stalling from Provider to all dependent Alerts.
@gunishmatta unfortunately, we will have to label these changes on hold until #435 is merged, by which point we will need to review the implementation based on @darkowlzz's comments above.
No worries, will keep following it and would focus on contributing to other issues at Flux and understanding the code in depth.
This PR should no longer be on hold. A lot has changed since the last discussion. With notification-controller v1.2 released recently, the reconcilers for the Provider have been removed, simplifying the implementation. Disabling insecure HTTP connection should be implementable in the event handler based on the given configuration. @gunishmatta sorry for a long hold. Since it has been a long time, if you can no longer work on this, we can make this available for others to implement or carry it forward. Converting the PR to a draft for now as it'll require a lot of changes before it's ready for review.
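An added example, not code from this PR or from notification-controller: one way an event handler could skip providers whose address uses plain HTTP when that is disabled, keeping the reason for each skip so it can be reported. The `provider` type, `checkAddress`, `filterProviders` and the `allowInsecureHTTP` parameter are hypothetical names, the addresses are constructed, and webhook-style URL addresses are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrInsecureHTTP marks an address rejected for using plain HTTP.
var ErrInsecureHTTP = errors.New("plain HTTP connections are disabled")

// provider is a hypothetical stand-in for a Provider and its resolved address.
type provider struct{ Namespace, Name, Address string }

// checkAddress rejects plain HTTP unless allowInsecureHTTP (hypothetical) is set.
func checkAddress(addr string, allowInsecureHTTP bool) error {
	u, err := url.Parse(addr)
	if err != nil {
		return fmt.Errorf("invalid address: %w", err)
	}
	if u.Scheme == "" || u.Host == "" {
		return errors.New("address needs a scheme and a host")
	}
	// url.Parse lower-cases the scheme, so "HTTP://" is caught too.
	if u.Scheme == "http" && !allowInsecureHTTP {
		return ErrInsecureHTTP
	}
	return nil
}

// filterProviders returns the providers to dispatch to and, per skipped one, why.
func filterProviders(ps []provider, allowInsecureHTTP bool) ([]provider, map[string]error) {
	var ok []provider
	skipped := map[string]error{}
	for _, p := range ps {
		if err := checkAddress(p.Address, allowInsecureHTTP); err != nil {
			skipped[p.Namespace+"/"+p.Name] = err
			continue
		}
		ok = append(ok, p)
	}
	return ok, skipped
}

func main() { // constructed sample addresses, not taken from the PR
	ps := []provider{{"flux-system", "slack", "https://hooks.example/services/T000"},
		{"flux-system", "grafana", "HTTP://grafana.example:3000/api"}}
	fmt.Println(filterProviders(ps, false))
}
```

An address written without a scheme, such as `grafana.example:3000/api`, parses with the host name as its scheme and no host, which is why the host check comes before the scheme comparison.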
Hi,
Please review and suggest changes.
Thanks
Fixes: #386