Initial work to allow juju trust for sidecar charms #12883
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wallyworld
force-pushed
the
test-sidecar-charms
branch
2 times, most recently
from
a1722dd to
00dcc01
Compare
hpidcock
approved these changes
Apr 16, 2021
| @@ -23,11 +23,15 @@ type Application interface { | |||
| Watch() (watcher.NotifyWatcher, error) | |||
| WatchReplicas() (watcher.NotifyWatcher, error) | |||
|
|
|||
| // Scale scales the Application's unit to the value specificied. Scale must | |||
| // Scale scales the Application's unit to the value specified. Scale must | |||
wallyworld
force-pushed
the
test-sidecar-charms
branch
2 times, most recently
from
8124dc9 to
ba3960d
Compare
Codecov Report
@@ Coverage Diff @@
## 2.9 #12883 +/- ##
=======================================
Coverage 69.46% 69.46%
=======================================
Files 262 262
Lines 25178 25178
=======================================
Hits 17490 17490
Misses 5562 5562
Partials 2126 2126 Continue to review full report at Codecov.
|
wallyworld
force-pushed
the
test-sidecar-charms
branch
from
ba3960d to
2a756d7
Compare
|
|
jujubot
added a commit
that referenced
this pull request
Apr 19, 2021
#12889 A recent PR #12883 added juju trust support which also activated mounting of service account secrets. Newer k8s do this as a projected volume so that needs to be added to the ignore list when looping over volume mounts. ## QA steps Deploy the latest charmed k8s, add it as a cloud to juju, and deploy a sidecar charm.
Merged
jujubot
added a commit
that referenced
this pull request
Apr 21, 2021
#12909 Merge 2.9 #12827 Unsubscribe from hub when closing state pool #12829 Correct default bootstrap-timeout value displayed in help. #12840 Constraint tags can be used for pod affinity #12842 Fix upgrade series agent version handling #12794 Add disk provisioning customization #12845 Restore space support for manual machines #12839 Support merging of netplan configs #12853 Add display type for network-get results #12854 Fix for LP1921557 sni in Juju login. #12850 Use Base in Charmhub packge and its response structures. #12858 Ensure assess-upgrade-series does not report started prematuremly #12860 Removed logging from core annotations. #12861 Fixes bug where empty error can happen in storage #12865 Update Pebble version to include new files API #12866 Workaround for k8s dashboard URL with k8s client proxy #12862 Fix/lp 1923051 #12867 Fix/lp 1923561 #12870 Use channel logic in charm library #12873 Add support for setting pod affinity topology key #12874 Use Patch instead of Update for ensuring ingress resources #12831 Integration fixes #12879 Ensure refresh uses version #12864 bug: fix for bootstrap fail on vsphere 7 + multi network #12883 Initial work to allow juju trust for sidecar charms #12884 Fix ssh with sidecar charms and containers. #12886 Charmhub bases #12881 Use charm pkg updates #12889 Ignore projected volume mounts when looking up juju storage #12890 Fix passing empty string container name to unit params #12893 Add CLA checker GH action and remove codecov push action #12897 Use production charmhub endpoint #12887 Resource validation error #12888 Ensure we validate the model target #12898 Remove usage of systems package from CAAS application provisioner #12899 CAAS bundle deployments #12900 Bump up Pebble version to include user/group in list-files #12901 charm Format helper #12902 charm Iskubernetes helper #12903 Display ... for really long k8s app versions in status #12904 Filter out more full registry paths for app version in status #12905 Fix k8s bundle deploys with v2 charms #12906 Register resource-get for containeragent binary Conflicts mostly due to charm v8 vs v9 imports. The other one was due to changes to dashboard CLI. ``` # Conflicts: # api/common/charms/common.go # api/common/charms/common_test.go # apiserver/facades/client/application/application.go # apiserver/facades/client/application/charmstore.go # apiserver/facades/client/application/update_series_mocks_test.go # apiserver/facades/client/charms/client.go # apiserver/facades/client/charms/convertions.go # apiserver/facades/client/machinemanager/types_mock_test.go # apiserver/facades/controller/caasoperatorprovisioner/provisioner.go # cmd/juju/application/deployer/bundlehandler_test.go # cmd/juju/application/refresh_test.go # cmd/juju/application/refresher/refresher_mock_test.go # cmd/juju/dashboard/dashboard.go # core/charm/strategies_mock_test.go # core/model/model.go # core/model/model_test.go # go.mod # go.sum # resource/resourceadapters/charmhub.go # scripts/win-installer/setup.iss # service/agentconf_test.go # snap/snapcraft.yaml # state/charm.go # state/migration_export.go # state/state.go # version/version.go # worker/caasfirewallerembedded/applicationworker.go # worker/caasfirewallerembedded/applicationworker_test.go ``` ## QA steps See PRs
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for
juju trustwith sidecar charms.This needed extra work to create, for each deployed application, a service account, roles, and rolebindings. The application pod is then given this service account rather than the cluster default. The initial role policy rules are the same as those used for pod spec charms.
Still need to implement this for pod spec charms
Also, a bigger issue is that the unit agent and k8s application provisioner workers both watch for trust changes separately. So the uniter agent might fire the config-change hook to signal a trust change before the provisioner has updated the service account roles. This will need to be addressed.
QA steps
Check application pod has service account set
Check app service account, role bindings, roles are created.
Trust the app
Debug logs should have
Role should have new rules:
Remove trust: