-
Notifications
You must be signed in to change notification settings - Fork 825
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conditionally enable mtls for the allocator. #1645
Conversation
Build Failed 😱 Build Id: 2e4f3fbd-3710-4f9c-9082-1fae9d88205e To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Succeeded 👏 Build Id: d4b036f8-27c2-41ff-8dfa-e41c6755c852 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Build Succeeded 👏 Build Id: 730847fe-ca02-432c-bc9c-4d0d4ede3630 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Build Failed 😱 Build Id: 5d4865d1-a3b9-4c76-96f8-0711502a9e21 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 833a57e5-7ac4-4bb7-987f-769a3c6af789 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Succeeded 👏 Build Id: 24e1a8d0-1166-48ec-acfb-99881b8e18e7 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great. My concern is by using feature gate, it is expected that the feature is enabled by default at one point, which is not going to be the case. @markmandel can you please comment on this? The reason for adapting feature flag is the lack of support for testing the helm parameters.
Also, we should make TLS secret requirement conditional on the flag: https://github.com/googleforgames/agones/blob/master/install/helm/agones/templates/service/allocation.yaml#L136 |
Build Succeeded 👏 Build Id: e0f2144c-a41a-4dbc-ae69-bd58bc909915 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Build Succeeded 👏 Build Id: 5919332f-0592-4a39-b89a-756d48b9ea4f The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Build Failed 😱 Build Id: add65d9a-f7ed-4cc7-94ed-19ca35210dac To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Succeeded 👏 Build Id: e3e04c92-c11a-4287-bac4-61c050afc832 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
One thing I'm confused about - if I'm reading this right, the feature flag is what is turning the mTLS off or on? Shouldn't there be a helm argument that sets this value that is part of the config as well? I know it's a bit of a double-set, but otherwise, would we need to introduce a configuration param to Helm (to be passed down to the allocator as an env/argument) to disable mTLS when we go GA with this feature? I can definitely see arguments for not having both a feature flag and a helm config that essentially does the same thing, but just wanted to be sure that was the long term plan. |
I think the long-term plan should be to include a configuration parameter as part of the values.yaml file. |
So when we go to beta, then this feature flag will be on by default, so mTLS will be disabled for all users when this feature goes to beta? Because that's the beta feature level contract. This seems like it's not going to work with our feature gate flow. Also, when the feature goes GA, users will need to change their config from beta->GA because there will be a whole new configuration value - which seems to go against the spirit of the feature levels (i.e. beta should eventually close onto what GA will be before we switch). Maybe this doesn't need a feature flag? Since it's a straight introduction of a new feature without it impacting existing functionality? |
Build Failed 😱 Build Id: 30bc2e39-be54-4cec-bbab-83816c20220c To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: fba57667-68a8-4bdd-bb68-20dc272714da To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 7fc00f71-7027-457a-b766-120bb112cbed To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Will take a look, but looks like tests are failing because you'll need to run (Since you edited the helm config, we check if the install.yaml in git still lines up) |
Build Failed 😱 Build Id: 1f8d997c-7e27-4812-8fe2-ace1993ea2a2 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 562f59bf-1abd-4544-8aa4-09107e138333 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 2f270371-2f23-4840-ab76-e1525a83a1c1 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the change.
Build Succeeded 👏 Build Id: 8b4ce118-cceb-4e02-8e10-a4077c46eef6 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Build Failed 😱 Build Id: 93c007b6-72c0-461e-8a89-3ed116682186 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 4dd91a33-c895-41ed-b6f2-69b6542404b5 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 9203dde4-1403-4596-93f5-4936cf0cbc22 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
Build Failed 😱 Build Id: 79db9af8-7a69-42dc-8693-0234108a86bc To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: devloop0, pooneh-m The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks for the change @devloop0. Please also add a note to the issue that e2e testing for this environment variable needs to be added after the test infrastructure is supporting the environment variable testing. Then we need to document this value in the helm parameters. |
Build Succeeded 👏 Build Id: 183134db-6e3e-45f7-9956-b175b0d77f55 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
Thanks! I'll be sure to add the note once this is merged. |
Merging! |
* Removed the need for having certificates with mTLS disabled. Co-authored-by: Nikhil Athreya <nathreya@google.com>
What type of PR is this?
/kind feature
What this PR does / Why we need it:
Customers can provide their own authentication (or none) instead of being forced to use mtls.
Which issue(s) this PR fixes:
Partially addresses: #1590
Special notes for your reviewer: