Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conditionally enable mtls for the allocator. #1645

Merged
merged 26 commits into from
Jun 29, 2020
Merged

Conditionally enable mtls for the allocator. #1645

merged 26 commits into from
Jun 29, 2020

Conversation

devloop0
Copy link
Contributor

@devloop0 devloop0 commented Jun 24, 2020

What type of PR is this?
/kind feature

What this PR does / Why we need it:
Customers can provide their own authentication (or none) instead of being forced to use mtls.

Which issue(s) this PR fixes:
Partially addresses: #1590

Special notes for your reviewer:

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 2e4f3fbd-3710-4f9c-9082-1fae9d88205e

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: d4b036f8-27c2-41ff-8dfa-e41c6755c852

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-e659e5a

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 730847fe-ca02-432c-bc9c-4d0d4ede3630

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-89a60ff

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 5d4865d1-a3b9-4c76-96f8-0711502a9e21

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 833a57e5-7ac4-4bb7-987f-769a3c6af789

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 24e1a8d0-1166-48ec-acfb-99881b8e18e7

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-24f314c

Copy link
Contributor

@pooneh-m pooneh-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great. My concern is by using feature gate, it is expected that the feature is enabled by default at one point, which is not going to be the case. @markmandel can you please comment on this? The reason for adapting feature flag is the lack of support for testing the helm parameters.

pkg/util/runtime/features.go Outdated Show resolved Hide resolved
@pooneh-m
Copy link
Contributor

Also, we should make TLS secret requirement conditional on the flag: https://github.com/googleforgames/agones/blob/master/install/helm/agones/templates/service/allocation.yaml#L136

pkg/util/runtime/features.go Outdated Show resolved Hide resolved
pkg/util/runtime/features.go Outdated Show resolved Hide resolved
pkg/gameserverallocations/controller_test.go Outdated Show resolved Hide resolved
cmd/allocator/main_test.go Outdated Show resolved Hide resolved
@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: e0f2144c-a41a-4dbc-ae69-bd58bc909915

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-5e3e97b

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 5919332f-0592-4a39-b89a-756d48b9ea4f

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-d563119

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: add65d9a-f7ed-4cc7-94ed-19ca35210dac

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: e3e04c92-c11a-4287-bac4-61c050afc832

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-0cb1f98

@markmandel
Copy link
Member

markmandel commented Jun 25, 2020

One thing I'm confused about - if I'm reading this right, the feature flag is what is turning the mTLS off or on?

Shouldn't there be a helm argument that sets this value that is part of the config as well? I know it's a bit of a double-set, but otherwise, would we need to introduce a configuration param to Helm (to be passed down to the allocator as an env/argument) to disable mTLS when we go GA with this feature?

I can definitely see arguments for not having both a feature flag and a helm config that essentially does the same thing, but just wanted to be sure that was the long term plan.

@devloop0
Copy link
Contributor Author

I think the long-term plan should be to include a configuration parameter as part of the values.yaml file.
This offers us more functionality like completely avoiding the need to mount volumes (i.e. only conditionally enabling these lines: https://github.com/googleforgames/agones/blob/master/install/helm/agones/templates/service/allocation.yaml#L136). Currently, all this does is it avoids the need to verify and send certificates when the flag is set, but the certificates still need to present. I think having this flag in the values.yaml file is the best long-term solution.
The reason this isn't being done now is because it's hard to check what happens when yaml files are configured differently at test time.

@markmandel
Copy link
Member

So when we go to beta, then this feature flag will be on by default, so mTLS will be disabled for all users when this feature goes to beta? Because that's the beta feature level contract.

This seems like it's not going to work with our feature gate flow. Also, when the feature goes GA, users will need to change their config from beta->GA because there will be a whole new configuration value - which seems to go against the spirit of the feature levels (i.e. beta should eventually close onto what GA will be before we switch).

Maybe this doesn't need a feature flag? Since it's a straight introduction of a new feature without it impacting existing functionality?

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 30bc2e39-be54-4cec-bbab-83816c20220c

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: fba57667-68a8-4bdd-bb68-20dc272714da

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 7fc00f71-7027-457a-b766-120bb112cbed

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@markmandel
Copy link
Member

Will take a look, but looks like tests are failing because you'll need to run make gen-install 👍

(Since you edited the helm config, we check if the install.yaml in git still lines up)

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 1f8d997c-7e27-4812-8fe2-ace1993ea2a2

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 562f59bf-1abd-4544-8aa4-09107e138333

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 2f270371-2f23-4840-ab76-e1525a83a1c1

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

Copy link
Contributor

@pooneh-m pooneh-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the change.

pkg/gameserverallocations/allocator.go Outdated Show resolved Hide resolved
@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 8b4ce118-cceb-4e02-8e10-a4077c46eef6

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-737a50e

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 93c007b6-72c0-461e-8a89-3ed116682186

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 4dd91a33-c895-41ed-b6f2-69b6542404b5

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 9203dde4-1403-4596-93f5-4936cf0cbc22

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@agones-bot
Copy link
Collaborator

Build Failed 😱

Build Id: 79db9af8-7a69-42dc-8693-0234108a86bc

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@google-oss-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: devloop0, pooneh-m

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pooneh-m
Copy link
Contributor

Thanks for the change @devloop0. Please also add a note to the issue that e2e testing for this environment variable needs to be added after the test infrastructure is supporting the environment variable testing. Then we need to document this value in the helm parameters.

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: 183134db-6e3e-45f7-9956-b175b0d77f55

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/1645/head:pr_1645 && git checkout pr_1645
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.7.0-7d48bb0

@devloop0
Copy link
Contributor Author

Thanks! I'll be sure to add the note once this is merged.

@markmandel
Copy link
Member

Merging!

@markmandel markmandel merged commit 6998d88 into googleforgames:master Jun 29, 2020
@markmandel markmandel added area/operations Installation, updating, metrics etc kind/feature New features for Agones labels Jun 29, 2020
@markmandel markmandel added this to the 1.7.0 milestone Jun 29, 2020
ilkercelikyilmaz pushed a commit to ilkercelikyilmaz/agones that referenced this pull request Oct 23, 2020
* Removed the need for having certificates with mTLS disabled.

Co-authored-by: Nikhil Athreya <nathreya@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved area/operations Installation, updating, metrics etc cla: yes kind/feature New features for Agones lgtm size/L
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants