celery/kombu 1845

Messaging library for Python.

brendanzab/algebra 54

Abstract algebra for Rust (still very much a WIP!)

flaper87/cdr_mongodb 31

MongoDB CDR backend for Asterisk

flaper87/asterisk-zmq-manager 8

An asterisk manager that speaks json and it's based on zmq.

aparo/Pydev-Django-Extension 6

It's a Pydev extension to integrate a django.

d0ugal/mistral-ansible-actions 4

Mistral Actions for calling Ansible

flaper87/bugsquasher 4

A pluggable tool for squashing bugs and tracking down issues

aparo/nosqlkit 3

NoSqlKit for python is a multi NoSQL engine ORM

alessandror/Netcarity---HGW 2

home gateway software stack

MemberEvent

delete branch elastic/cloud-on-k8s

delete branch : openshift

delete time in 12 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 7d936190a79f023d75a0b3302968cf2402bb773d

[ocp] Delete the state directory not the bucket

Flavio Percoco

commit sha befb26bea21b7d480676c26596102134a0344e43

Merge pull request #2561 from elastic/openshift [ocp] Delete the state directory not the bucket

push time in 12 days

PR merged elastic/cloud-on-k8s

[ocp] Delete the state directory not the bucket :ci >test
+13 -27

3 comments

2 changed files

flaper87

pr closed time in 12 days

pull request comment elastic/cloud-on-k8s

[ocp] Delete the state directory not the bucket

retest this please

flaper87

comment created time in 12 days

pull request comment elastic/cloud-on-k8s

[ocp] Delete the state directory not the bucket

retest this please

flaper87

comment created time in 13 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 7d936190a79f023d75a0b3302968cf2402bb773d

[ocp] Delete the state directory not the bucket

push time in 13 days

pull request comment elastic/cloud-on-k8s

[ocp] Delete the state directory not the bucket

retest this please

flaper87

comment created time in 13 days

push event elastic/cloud-on-k8s

Charith Ellawala

commit sha 688635ead2897cb07ebf6197de53cde9add2b22f

Add operator flag to define default container registry (#2537) * Move all flags to operator package * Add container-registry flag + docs * Add missing licence header * Update NOTICE.txt * Fix product names * Fix attribute rendering * Fix sample image list

Sebastien Guilloux

commit sha d011aad1e6b0af1bb019c8a0a14e13da9bf97210

Grammatical mistake in manage compute resources page (#2547) (#2548) Co-authored-by: Abhilash Bolla <2282894+ivssh@users.noreply.github.com>

Flavio Percoco

commit sha 09be60c9731520cf329d390877e73a0a2bd96221

Merge pull request #2432 from elastic/openshift Add CI files for OCP

Flavio Percoco

commit sha 7858f727daec6c14cf52bfc155c28e1f6493be9f

Merge pull request #2552 from elastic/openshift Sync and place credentials of new OCP clusters before doing other actions

Sebastien Guilloux

commit sha 92229469dd74f01c9a9fe131eb20566f8862c3a1

Make stack version 7.6.0 the new default (#2546) * Make stack version 7.6.0 the new default Upgrade references to the stack version from 7.5.0 to 7.6.0. * Fix references to 7.5.2 * Fix some references to older versions

Michael Bischoff

commit sha 96cd36f8e0f9805a96fe189dbe5358a07a30d5de

Example fix: dynamic heap size is not recommended (#2553) Elastic recommends setting the same value for xms and xmx. The example therefore might be confusing. See: https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html Elasticsearch will assign the entire heap specified in jvm.options via the Xms (minimum heap size) and Xmx (maximum heap size) settings. You should set these two settings to be equal to each other.

Peter Brachwitz

commit sha 3819530fd62f700a9f56a0a71e4ef13d61ef3d5f

Remove operator roles (#2530) * remove the concept of operator roles as flags * remove the global operator manifests * keep/modify the namespace operator manifests to allow deployments restricted to one or more namespaces * allow the parameterization of the operator name to allow multiple (namespaced) operators to be deployed in a single namespace * make the operator logs target work for both variants * run the e2e tests with a all-in-one operator * add a dedicated webhook toggle flag * disable the webhook by default in the namespaced variant, enable it in the all-in-one variant * Remove duplicated word Co-authored-by: Michael Morello <michael.morello@gmail.com>

Thibault Richard

commit sha f1c74dd952f47f61c1686c902022fd03aa6763ea

Correct number of masters in TestVersionUpgradeTwoNodes68xTo73x (#2558) Correct the test TestVersionUpgradeTwoNodes68xTo73x where we want to test the upgrade of a 2-master nodes Elasticsearch cluster. The upgrade with a 1-master node Elasticsearch cluster is already tested in the previous test TestVersionUpgradeSingleNode68xTo73x.

Flavio Percoco

commit sha 924f344fbc1fefa278de9cebd04d012d8f844db5

[ocp] Delete the state directory not the bucket

push time in 13 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha e6c956401bde69da7ac8dffc12081225935d3247

Sync and place credentials of new OCP clusters before doing other actions

Flavio Percoco

commit sha 7858f727daec6c14cf52bfc155c28e1f6493be9f

Merge pull request #2552 from elastic/openshift Sync and place credentials of new OCP clusters before doing other actions

push time in 14 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha e6c956401bde69da7ac8dffc12081225935d3247

Sync and place credentials of new OCP clusters before doing other actions

push time in 14 days

create branch elastic/cloud-on-k8s

branch : openshift

created branch time in 14 days

delete branch elastic/cloud-on-k8s

delete branch : openshift

delete time in 14 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha e0dc21cb970b766871106f2e4244bb5c0f32eb04

Add CI files for OCP

Flavio Percoco

commit sha cf7e62254fd3b93bda8a3a3f948ca20f5baffef6

Add openshift tools to the CI container image

Flavio Percoco

commit sha 7701d5493d06210c9ff10c84263abab8b11e0b1d

Set the right GCLOUD_PROJECT for OCP's jenkinsfile

Flavio Percoco

commit sha 514f9696071e125a90ac2f962511e30d3e2dc5af

allow test's service account to modify serviceaccounts and OCP scc

Flavio Percoco

commit sha 692323517c2ccdac50d4379dd12febf7dc163bc3

Create apm-service account for the APM Server when running on OCP

Flavio Percoco

commit sha 43ef7071a1461ce2b30476167aad5f07ee40c364

make sure files in the test image belong to the root group This is mainly needed by OpenShift. UIDs used by openshift belong to the root group. By setting the group on the container WORKDIR we're guaranteeing that we will be able to execute, write, and run the test jobs

Flavio Percoco

commit sha 86c51e62efc55dba4a23d573973b6e04b8cfb235

Set the fsGroup and RunAs parameters only for non-OCP environments

Flavio Percoco

commit sha 990978dbdbd7ff4e99064b20e86b714d42a729ab

Misc optimizations to the OCP runner

Flavio Percoco

commit sha c17a127e7b3cd60e20cad9eb66f9101064f46f72

make sure gcloud docker configs are set

Flavio Percoco

commit sha 0656fa05d8510fc6fa17632d2c5e3e9a0474afae

accept VAULT_TOKEN and skip vault auth

Flavio Percoco

commit sha da364150db8fd5f999c3c213beecf9b789b9f044

golangci-lint run through

Flavio Percoco

commit sha d30cb0ab20bb3a17c76c6cbb97602bb1756d3b80

generated NOTICE, docs, and updated CRDs

Michael Morello

commit sha 7dbcb9018d11375cee9237631c34c9ae5e367d34

Use the K8S native client to patch the SCC

Flavio Percoco

commit sha 66407d0063aa78e8cd1194b9e2e29f0dcc64691d

Fix RBAC and update auto-generated files

Flavio Percoco

commit sha 86d3840d28bec408f01f465a3847788c8084461c

propagate failures to copy kubeconfig

Flavio Percoco

commit sha b7afb6e0ade621e858178270ad6529fad5e8731c

Address review comments

Flavio Percoco

commit sha 09be60c9731520cf329d390877e73a0a2bd96221

Merge pull request #2432 from elastic/openshift Add CI files for OCP

push time in 14 days

PR merged elastic/cloud-on-k8s

Add CI files for OCP :ci >enhancement

This PR will add all the CI files to setup an e2e job on OpenShift

Fixes #2170

+311 -262

8 comments

18 changed files

flaper87

pr closed time in 14 days

issue closed elastic/cloud-on-k8s

Create OpenShift 4.x e2e testing environment

We need an automated OpenShift 4.x environment to run our e2e tests on. The idea is to integrate the OpenShift installer with our existing deployer tooling to stand up an OpenShift installation

  • we need to be able to create and teardown these environments from Jenkins
  • we would like to be able to do the same from a local machine for debugging and development purposes

closed time in 14 days

pebrc

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

okidoki, let's see how this works once merged! thank y'all

flaper87

comment created time in 14 days

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

Alrighty, all comments addressed! Thank y'all for your reviews :)

flaper87

comment created time in 14 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha b7afb6e0ade621e858178270ad6529fad5e8731c

Address review comments

push time in 14 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 docker-push: ifeq ($(REGISTRY), docker.elastic.co) 	@ docker login -u $(ELASTIC_DOCKER_LOGIN) -p $(ELASTIC_DOCKER_PASSWORD) push.docker.elastic.co endif+ifeq ($(REGISTRY), eu.gcr.io)+	@ gcloud auth configure-docker --quiet

This wasn't done automatically for me and after debugging the authentication failure with @david-kow we found out that the local docker configs/auths hooks were not set properly.

I tried running this command on environments that were already configured and it succeeded. This is to say that it should be harmless to run it multiple times from here.

flaper87

comment created time in 14 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 plans:   ocp:     region: europe-west2     nodeCount: 3+    overwriteDefaultKubeconfig: true

done!

flaper87

comment created time in 14 days

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

Ok, there are enough nits to make an updated push worth it :smile:

I'll address these comments between today and tomorrow.

flaper87

comment created time in 15 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 plans:   ocp:     region: europe-west2     nodeCount: 3+    overwriteDefaultKubeconfig: true

not a bad idea, I'll do it if we need another push to this PR. Otherwise, I'll send a follow-up patch :)

flaper87

comment created time in 15 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 rules:       - persistentvolumeclaims       - configmaps       - events+      - serviceaccounts     verbs:       - get       - list       - watch       - delete       - create       - update+  - apiGroups:+      - "security.openshift.io"+    resources:+      - securitycontextconstraints+    verbs:+      - get+      - update
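
Review bot: the added rule for securitycontextconstraints in the "security.openshift.io" API group shows no resourceNames in the lines visible here, so get and update would apply to every SCC in the cluster rather than only the one the tests modify. If the remainder of the rule does not already narrow it, add a resourceNames entry for the specific SCC and keep only the verbs the test suite actually uses. The same hunk adds serviceaccounts to a rule that already carries create, update and delete, which is worth confirming as intended for the test service account.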

We should be able to do away with the update permission. Should be harmless to keep it for now.

flaper87

comment created time in 15 days

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

I ran a full test throughout the night and it succeeded with the currently pushed version. I think this is ready for another review. Thanks for all the feedback @barkbay @david-kow @sebgl

flaper87

comment created time in 15 days

push event elastic/cloud-on-k8s

Kelly Birr

commit sha 214060e3420a356c00b6e5e0d59f62e90ec5c88a

Updated example config (#2499)

Peter Brachwitz

commit sha 24b311e3c65701983102a87ff6ff0d848b03e84d

Add basic APM agent instrumentation (#2462) - Trace all requests via the Elasticsearch client. - Create spans for significant pieces of logic in the controllers. - Error capture is very basic and centralised in the Results abstraction we use. I used github.com/pkg/errors where possible to capture stack traces which facilitate error tracing without the need to have tracing information/contexts at every call site. For controllers that don't use the Results struct I tried to keep the error capture at the top level. This might be somewhat counter intuitive as we want to capture the errors when they are created and not somewhere up, to keep as much context as possible. My rationale was that for errors we create with github.com/pkg/errors we already have the context so the place of capture is secondary, for errors coming from other libraries we don't have full context anyway (unless they use a similar form of stack trace capture) so reducing the number of places to instrument by keeping the capture statements on the top level seemed a good compromise. - k8s client requests are not traced because we use a cached client, which does not do any requests when we interact with it on reads (it ignores any context passed). We can look into it for writes but that would mean undoing at least partially our own wrapping layer which hides contexts from calling code.

Thibault Richard

commit sha 3fb2618c0ee77f32d1a6fe380a2e04d3985619f3

Clean before execute e2e-run with kind (#2508) This is to remove irrelevant/build-breaking generated public keys that could fail the compilation during `go test`.

Michael Morello

commit sha e2f5808dec4e95e2631290ed3d330c0905918d45

Exclude associations-rbac from e2e samples (#2506) * Exclude associations-rbac from e2e samples * Move rbac samples in recipes directory

Anya Sabo

commit sha a7b7649e680650f5ec40a4d1d3786d3beaaf02a7

Name container ports according to protocol (#2498)

Anya Sabo

commit sha 75ec43bcf96c0fc75e224efc70afae54383761f0

Add log for cert timeout (#2477)

Charith Ellawala

commit sha d50e8355db0d36e584249182ba29b983558589dd

Update dev-setup document (#2507)

Thibault Richard

commit sha 2698c834cbaa2e8eddcaeadf7a7741b078eaa946

Always clean before e2e-docker-build (#2511) The `.../license/zz_generated.pubkey.go` file (generated during the operator build) is present in the Docker container used to run the e2e job. This container uses the image built with `e2e-docker-build`. So, we need to call `clean` before `e2e-docker-build` and not before `e2e-run`. Let's attach `clean` to `e2e-docker-build` to benefit `ci-e2e` and `kind-e2e`.

Peter Brachwitz

commit sha 2305d611953c299c4218797f1a439904182e9df3

Add documentation for the APM agent operator flag (#2514)

alaudazzi

commit sha f0242b8d46c2cce0acf1fcb172f8c6cd72ba5245

Contribute to doc (public repo) (#2516)

Thibault Richard

commit sha 7892889634e8366984e57ee5a6eca7d90751c7ca

Enable dump upload on cloud-on-k8s-versions-vanilla job (#2517) * Call the runTests method in a script block * Pass the loaded lib and the failedTests var in parameter to runTests * Enable dump upload in case of failure

Michael Morello

commit sha 4ad5d7f79b30d1384ad111693a6121c9abe8c7ff

Fix typo in Accessing Elastic Stack services (#2519)

Sebastien Guilloux

commit sha 5116627d4af3d718c4277f394a3ad3f696fdb31b

Remove useless Keystore user in the file realm (#2523) We are handling keystore entries through a cmd line call in an init container, and rotate Pods automatically on any keystore change. As such, ECK does not make any API call to reload keystore entries. Let's remove the dedicated keystore user and role, that are now useless.

ThoTischner

commit sha ab9c3ea85be6567b671bbaada1b27af094355b07

Extend Clusterwide rbac roles for elastic crds (#2495) Signed-off-by: Thomas Tischner <tti@bitsbeats.com>

Thibault Richard

commit sha 89a2c2914fbf4cb702442d0af77e99a5e9d84305

Fix the name of the default e2e storage class for Kind (#2522) The E2E tests expect a storage class named `e2e-default`.

Chris Mark

commit sha b0f1bccd0128536f0b1645c585e1dfcbc1c49582

Make use of secure port when accessing Kubelet API (#2520) What does this PR do? This PR switches Metricbeat k8s manifests and docs to point to Kubelet secure port over https instead of the insecure port. Why is it important? Insecure port of Kubelet (10255/TCP) is now less common and discouraged and also in most cases it is not enabled by default (requiring to restart kubelet with --read-only-port flag) Related to elastic/beats#16063

Charith Ellawala

commit sha 2e3f679d487059284df6acd25ad92e3943404e33

Add webhook network policy troubleshooting information (#2524) * Add network policy section to webhook docs * More troubleshooting information * Fix section ID * Fix typo

Michael Morello

commit sha 1274fd8ef6c51ec7c66fd3625e587adbabc9b3cb

Update documentation for 1.0.1 (#2525)

David Kowalski

commit sha b398e96deb9508161ba87f14b1b06cfdf658ed67

Mount containers and pods logs dirs in filebeat pod (#2529)

Thibault Richard

commit sha 54683c91856e9859ff3e2c15d3be9ffabd680772

Check version of go and kubectl prerequisites (#2531) Note: use `sed -E` and `grep -E` to work for both GNU (Linux) and BSD (OSX).

push time in 15 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 require ( 	github.com/tsenart/vegeta v12.7.0+incompatible 	go.uber.org/zap v1.12.0 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550-	golang.org/x/net v0.0.0-20191011234655-491137f69257 // indirect 	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect 	google.golang.org/appengine v1.6.5 // indirect 	gopkg.in/yaml.v2 v2.2.4 	gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2-	k8s.io/api v0.0.0-20191114100352-16d7abae0d2a-	k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb+	k8s.io/api v0.17.1+	k8s.io/apimachinery v0.17.1

@barkbay patch applied perfectly. Just launched tests now, will report back soon :)

flaper87

comment created time in 16 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 require ( 	github.com/tsenart/vegeta v12.7.0+incompatible 	go.uber.org/zap v1.12.0 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550-	golang.org/x/net v0.0.0-20191011234655-491137f69257 // indirect 	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect 	google.golang.org/appengine v1.6.5 // indirect 	gopkg.in/yaml.v2 v2.2.4 	gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2-	k8s.io/api v0.0.0-20191114100352-16d7abae0d2a-	k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb+	k8s.io/api v0.17.1+	k8s.io/apimachinery v0.17.1

I think we can avoid relying on the OCP client if we just need to patch the SCC, which is a CRD starting 4.x btw:

$ k get crd securitycontextconstraints.security.openshift.io 
NAME                                               CREATED AT
securitycontextconstraints.security.openshift.io   2020-02-07T06:52:43Z

This can be done by using the legacy K8S client, using a PATCH request on the right endpoint:

user := fmt.Sprintf(`"system:serviceaccount:%s:%s"`, 
                           b.ServiceAccount.Namespace,
                           b.ServiceAccount.Name,
                 )
// The patch below adds the service account user in the 'users' fields of a SCC
patch := []byte(`{ "users": [` + user + `]}`)

// We want to patch the anyuid SCC. In term of url it means that we need to send a patch request to:
// https://<Openshift URL>/apis/security.openshift.io/v1/securitycontextconstraints/anyuid
patchClient := k8sClient.RESTClient().
    Patch(types.MergePatchType).
    Prefix("apis", "security.openshift.io", "v1").
    Resource("securitycontextconstraints").
    Name("anyuid").
    Body(patch)

result := patchClient.Do()

See a full patch here

It would avoid relying on those dependencies and dealing with new go module files. One other benefit is that it seems to work with both OCP 4.x and 3.11, I'm not sure if the official OCP client for 4.x is compatible with 3.11.

Oh, nice! Thanks. I had tried something like this but I think I did something wrong 'cause it didn't work for me. I'll go with this just to unblock this PR.

As a side note, it feels a bit hacky in the sense that we are avoiding a, perhaps more important, issue that is handling SCCs. I understand we are just talking about our test suite here and not the operator itself, however, I think it would be better to deal with this properly by using the actual clients.

Thank you for taking the time to write this patch

flaper87

comment created time in 16 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 require ( 	github.com/tsenart/vegeta v12.7.0+incompatible 	go.uber.org/zap v1.12.0 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550-	golang.org/x/net v0.0.0-20191011234655-491137f69257 // indirect 	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect 	google.golang.org/appengine v1.6.5 // indirect 	gopkg.in/yaml.v2 v2.2.4 	gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2-	k8s.io/api v0.0.0-20191114100352-16d7abae0d2a-	k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb+	k8s.io/api v0.17.1+	k8s.io/apimachinery v0.17.1

I should note that this is a requirement for the tests only, which means we could add these module files to the test/e2e only.

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 require ( 	github.com/tsenart/vegeta v12.7.0+incompatible 	go.uber.org/zap v1.12.0 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550-	golang.org/x/net v0.0.0-20191011234655-491137f69257 // indirect 	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect 	google.golang.org/appengine v1.6.5 // indirect 	gopkg.in/yaml.v2 v2.2.4 	gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2-	k8s.io/api v0.0.0-20191114100352-16d7abae0d2a-	k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb+	k8s.io/api v0.17.1+	k8s.io/apimachinery v0.17.1

Unfortunately, I think not bumping the version may be an issue for this patch. openshift/api depends on these versions so I'll probably take @sebgl suggestion and add a go.mod and go.sum for the deployer.

Any thoughts/opinions on how you would prefer to have this done?

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 require ( 	github.com/tsenart/vegeta v12.7.0+incompatible 	go.uber.org/zap v1.12.0 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550-	golang.org/x/net v0.0.0-20191011234655-491137f69257 // indirect 	golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect 	google.golang.org/appengine v1.6.5 // indirect 	gopkg.in/yaml.v2 v2.2.4 	gopkg.in/yaml.v3 v3.0.0-20191120175047-4206685974f2-	k8s.io/api v0.0.0-20191114100352-16d7abae0d2a-	k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb+	k8s.io/api v0.17.1+	k8s.io/apimachinery v0.17.1

I did, or I should say: The ocp dependency did. Do you think this will be a problem?

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 func (h *helper) initTestContext() error { 		TestRun:               h.testRunName, 		TestTimeout:           h.testTimeout, 		IgnoreWebhookFailures: h.ignoreWebhookFailures,+		OcpCluster:            h.kubectl("get", "clusterversion") == nil,
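
Review bot: OcpCluster is derived from `h.kubectl("get", "clusterversion") == nil`, so any failure of that command, including an unreachable API server or missing credentials, is recorded as "not an OpenShift cluster" and the test context is built with the wrong setting. Consider distinguishing a "resource type not found" result from other failures and returning the latter from initTestContext instead of folding them into a boolean.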

My goal with this was to try to not make OCP a special case. I do realize that the end result here is that in this case I'm doing just that.

My hope, however, is for this to not stay as is forever. Hopefully, all the ifs/cases required for OCP will go away eventually as they are mostly related to how restricted OCP is by default and not because of some technical limitation.

This is all to say that I'd love for this special case to be an internal thing rather than it being exposed externally so that we can remove freely when we reach that ideal state.

Curious to hear your thoughts.

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 func (d *OcpDriver) uploadCredentials() error { }  func (d *OcpDriver) GetCredentials() error {+	log.Printf("Getting credentials") 	kubeConfig := filepath.Join(d.ctx["ClusterStateDir"].(string), "auth", "kubeconfig")+	log.Printf("%s", kubeConfig) +	copyKubeconfig := func() error {+		if d.ctx["OverwriteDefaultKubeconfig"] == true {+			log.Printf("copying %s to ~/.kube/config", kubeConfig)+			if err := os.MkdirAll(filepath.Join(os.Getenv("HOME"), ".kube"), os.ModePerm); err != nil {+				return err+			}+			cmd := fmt.Sprintf("cp %s ~/.kube/config", kubeConfig)+			return NewCommand(cmd).AsTemplate(d.ctx).WithoutStreaming().Run()+		}++		return nil+	} 	// We do this check twice to avoid re-downloading files 	// from the bucket when we already have them locally. 	// The second time is further down in this function and it's 	// done when the rsync succeeds 	if _, err := os.Stat(kubeConfig); !os.IsNotExist(err) {+		_ = copyKubeconfig()
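
Review bot: the call `_ = copyKubeconfig()` in GetCredentials discards the returned error, so a failed MkdirAll or cp leaves ~/.kube/config stale or missing while the function reports success; return the error to the caller. Within copyKubeconfig, os.MkdirAll is given os.ModePerm for ~/.kube, which leaves the directory holding cluster credentials as permissive as the umask allows, and 0700 would be the safer mode. The cp command is also assembled with fmt.Sprintf from an unquoted kubeConfig path, which breaks if ClusterStateDir contains spaces or shell metacharacters.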

correct! We should handle an error here. Good catch.

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 func (d *OcpDriver) uploadCredentials() error { }  func (d *OcpDriver) GetCredentials() error {+	log.Printf("Getting credentials") 	kubeConfig := filepath.Join(d.ctx["ClusterStateDir"].(string), "auth", "kubeconfig")+	log.Printf("%s", kubeConfig)

no... leftover. I'll remove this

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 func (d *OcpDriver) Execute() error { }  func (d *OcpDriver) auth() error {+	_ = NewCommand(fmt.Sprintf("gcloud config set project %s", d.ctx["GCloudProject"])).Run()
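
Review bot: in auth(), the result of the `gcloud config set project` command is assigned to `_`, so if setting the project fails the function carries on against whatever project gcloud already has configured. Return the error from Run() rather than discarding it, so that a deployment never proceeds against an unintended project.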

It is, but I can triple check if needed. Without it, the OCP deployment may fail since it'll try to use the default configured account/project. This was not set for me when I ran it.

flaper87

comment created time in 21 days

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

 type OcpDriver struct { func (gdf *OcpDriverFactory) Create(plan Plan) (Driver, error) { 	baseDomain := plan.Ocp.BaseDomain 	if baseDomain == "" {-		baseDomain = "ocp.elastic.dev"+		baseDomain = "eck-ocp.elastic.dev"

I'm torn but I'd like to hear your thoughts about it.

This is not a setting that can be 'just changed'. It requires an actual zone to exist in GCP (which I have configured). It is already possible to overwrite this value but I think that having this default in the code is ok. We've created this Zone under the default project and if we ever change it I think it's ok to require a change here for that.

flaper87

comment created time in 21 days

delete branch dliappis/docker_auth

delete branch : pr/tokendb-redis

delete time in 23 days

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

there are currently no other options in these, other than address(es). can we pull them up a level and just have redis_addr and redis_cluster_addrs?

I originally did something like this but then changed.

To be honest, I would prefer to not do this. There are other options that could be set (like the DB index / TLS to use in the case of the Client or the PoolSize/TLS in the case of the ClusterOptions).

I think it's important to not prevent users from setting the options for the Redis connection.

karmi

comment created time in 23 days

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

retest this please

flaper87

comment created time in 23 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 62fd13bf65a0798ec0d4048836e692f3a149658d

generated NOTICE, docs, and updated CRDs

push time in 23 days

push event elastic/cloud-on-k8s

Michael Morello

commit sha 98181c2981783a5b2165375873784af19b7b7aa8

Control associations across namespaces with ServiceAccount and RBAC (#2482) * Control references with ServiceAccount and RBAC

Flavio Percoco

commit sha 032c0306bb1162618cf37e0417e59a48e00c37ad

Add CI files for OCP

Flavio Percoco

commit sha 32a8428c53cd01bcc739c3e64bc4a41f69c58197

Add openshift tools to the CI container image

Flavio Percoco

commit sha 4db371db71999c14685b2975974e70533021c101

Set the right GCLOUD_PROJECT for OCP's jenkinsfile

Flavio Percoco

commit sha afe6384f64caadd70caf3ecbae0aa680b1cb824a

allow test's service account to modify serviceaccounts and OCP scc

Flavio Percoco

commit sha c8e7e7660f344e03f09b68098b413a45cbb1c3f9

Create apm-service account for the APM Server when running on OCP

Flavio Percoco

commit sha 903b2d9a7db299fc0fff9988c6b2bdac28ab5934

make sure files in the test image belong to the root group This is mainly needed by OpenShift. UIDs used by openshift belong to the root group. By setting the group on the container WORKDIR we're guaranteeing that we will be able to execute, write, and run the test jobs

Flavio Percoco

commit sha 6c1099d2e0ad34a06102cb02b8e75a6e25609ece

Set the fsGroup and RunAs parameters only for non-OCP environments

Flavio Percoco

commit sha 963a4c2e4a89688c646b4f9cc7d94795ccebccad

Misc optimizations to the OCP runner

Flavio Percoco

commit sha f978c8f185732dee624f445515c328fd3f858340

add dependencies for the openshift runner

Flavio Percoco

commit sha 40bf37d83bd475b9a928b3f60e4c43bdae44dbf2

make sure gcloud docker configs are set

Flavio Percoco

commit sha e21f803b42a5b2dbf04452fa56cf948d26da2aba

accept VAULT_TOKEN and skip vault auth

Flavio Percoco

commit sha 6a57518f49a9af45d3886f3d1e1dc98e926c5340

golangci-lint run through

push time in 23 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 5dd16a6e3d8586b5ae8b51f022ffc906571c0184

golangci-lint run through

push time in 23 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha e8648e602d605626f0d93b3aff5d4a69a18fd29f

golangci-lint run through

push time in 23 days

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 04669d3e57729caa0ffdcb340ef6ff2bbfade60d

Update hack/deployer/runner/settings.go Co-Authored-By: david-kow <50632861+david-kow@users.noreply.github.com>

Idan Moyal

commit sha c5bfe3a3f82fd85a183eebf625d2e749ce9cafd7

Create a make target for bootstrapping a GKE cluster

Idan Moyal

commit sha e431c08dfa62233529483449feaadc8cb095b6d8

Create a make target for bootstrapping a GKE cluster

Flavio Percoco

commit sha 423d38b6c73776cf6ad11102fc1eb92df3ba130d

Merge pull request #2429 from elastic/openshift PULL_SECRET should be set for dev environments

david-kow

commit sha d2a7fafb1016c7c44a8df417e98af037594a4cb8

Change license.key secret path (#2435)

Michael Bischoff

commit sha 086957cccd69aa048796cdaf04c148128cc6dc2a

[DOCS] Add an alternative to reach ES in k8s (#2414) Small addition to the docs to alternatively make use of `--resolve`. This could be useful for CI and other temporary hosts/use.

Michael Morello

commit sha b43d5385421439366e9dcef094a6ebcda5c6ae02

Remove GKE 1.12 from the e2e tests, replace it with 1.15 (#2440)

Peter Brachwitz

commit sha ae636f757ef8ded4f304f0086aaf3b9b2fb75896

Fix License model in Elasticsearch client for 7.6 (#2441) The new field 'max_resource_units' is now required. This also makes the existing field `max_nodes` optional.

Thibault Richard

commit sha 793afb7d7c6a6dfe60cfef71e27c126fd8d22f6f

Facilitate filebeat autodiscovery with hints annotation (#2439) - Add a default annotation (`"co.elastic.logs/module": "elasticsearch|kibana"`) to the ES/Kibana pods, taking care not to replace user-provided annotations. - Update the beats recipe and advertise that the annotation is automatically added by ECK.

david-kow

commit sha 74212b1a87cbb465cb3ef177ae40fc15cb237d52

Refactor invariant check during downscale (#2437) * Refactor invariant check during downscale Tightens downscalestate encapsulation * Be explicit about the expected number of nodes for deletion

Michael Morello

commit sha a0fac1e382156dac8f173b7602e497db969a8d68

Cluster bootstrap: ignore ES error when retrieving cluster UUID (#2438)

Sebastien Guilloux

commit sha b1355ceb5b293a6469c3b196d00ffcb070e41437

Fix PDB documentation (#2449) The PDB doc gave an example of a custom PDB with `maxUnavailable: 2`. Unfortunately this can only work with a builtin controller selector (eg. matching a StatefulSet or a deployment). It does not do anything with our custom cluster name label selector. This commit changes it by relying on `minAvailable` instead, and gives more details about how the PDB is set to allow one Pod to be taken down only if the cluster health is green.

Michael Morello

commit sha b96e23f134b8e07d80faf82c95e39c0f03a0e679

Logging: add minimal support for ECS (#2457) * Add some ECS fields * Handle "error" and "source" fields

Sebastien Guilloux

commit sha b614ddde0556a476ff2912290face7ac686821fc

Mention the Kubernetes issue with CPU limits throttling in the docs (#2454) * Mention the Kubernetes issue with CPU limits throttling Some users may experience poor performance correlated with the usage of cpu limits. This is due to a bug in the Kernel that has been fixed in recent Kernel versions. A workaround is to not use limits at all, or tweak the CFS quota period. * Add a NOTE section with 3 options * Remove cpu limits from the example * Remove cpu limit from the Kibana example

David Kowalski

commit sha c591cf4577300b4149fbbe7f2856cedcdd84a30f

Add note about Kibana accessing ESs in other namespaces (#2466) * Add note about Kibana accessing ESs in other namespaces * Update docs/kibana.asciidoc Co-Authored-By: Peter Brachwitz <peter.brachwitz@gmail.com> Co-authored-by: Peter Brachwitz <peter.brachwitz@gmail.com>

Peter Brachwitz

commit sha a3c0ba5c4137d8f6411d3dec5a949cfba0491353

Clarify Enterprise license requirement in docs (#2458)

Sebastien Guilloux

commit sha cc0e96d22fa56066f7d97723ac11bd763fced95c

Update gcloud version to the latest one in CI Jenkinsfile (#2474) I don't know if it will help with our cluster creation timeout errors, but pretty sure it doesn't hurt to use a more recent version.

Sebastien Guilloux

commit sha e19ea38d1827eacdd61bf22944f7bdeae32372bd

Override GKE Pods CIDR IP range to allow more clusters to be created (#2473) * Override GKE Pods CIDR IP range For each k8s cluster, GKE creates 2 additional secondary IP ranges: - a /14 range for Pods (262k Pods per cluster) - a /20 range for Services (4094 Services per cluster) The downside of using the default /14 range is that there are only 62 possible /64 ranges that can be created. Overriding it to /20 allows up to 4094 of those subnets to be defined instead, with up to 4094 Pods per cluster. I hope this mitigates the IP range hard limit we sometimes hit against our default GKE VPC. Both Pods CIDR range and Services CIDR range can now be overridden through the gke settings in the deployer. * Improve how options are passed to the command

Thibault Richard

commit sha 507d134f715c42773fa50330cb19a85bc11dff69

Always go generate to build the operator binary (#2469)

Sebastien Guilloux

commit sha c3c07556f1286df1bd9853a891bdca949b5fd6a7

Allow webhook cert directory to be overridden (#2476) * Allow webhook cert directory path to be overridden Set a new `--webhook-cert-dir` flag that allows overriding the path to the webhook certificates, most likely mounted from a Secret. It's intended to be used this way: ``` args: ["manager", "--operator-roles", "all", "--webhook-cert-dir=/tmp/whatever"] ``` (or by overriding the equivalent environment variable) And the corresponding secret mount: ``` volumeMounts: - mountPath: /tmp/whatever name: cert readOnly: true ``` * Fix typos and update docs

push time in 23 days

push event dliappis/docker_auth

Flavio Percoco

commit sha d61822c7f8e14f373db085f0481eb57162a06578

rename node_options and cluster_options to redis_options and redis_cluster_options

push time in 23 days

Pull request review comment cesanta/docker_auth

Add a Redis-based token storage implementation

 func validate(c *Config) error { 			} 			ghac.ClientSecret = strings.TrimSpace(string(contents)) 		}-		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.TokenDB == "" && ghac.GCSTokenDB == nil) {+		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.TokenDB == "" && (ghac.GCSTokenDB == nil && ghac.RedisTokenDB == nil)) { 			return errors.New("github_auth.{client_id,client_secret,token_db} are required") 		}  		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.GCSTokenDB != nil && (ghac.GCSTokenDB.Bucket == "" || ghac.GCSTokenDB.ClientSecretFile == "")) { 			return errors.New("github_auth.{client_id,client_secret,gcs_token_db{bucket,client_secret_file}} are required") 		}++		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.RedisTokenDB != nil && ghac.RedisTokenDB.NodeOptions.Addr == "" && len(ghac.RedisTokenDB.ClusterOptions.Addrs) < 1) {
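
Review bot: the error returned by the first check still reads `github_auth.{client_id,client_secret,token_db} are required`, although the changed condition now accepts `redis_token_db` as well as `gcs_token_db`, so a user who configured none of the three is told about only one of them; name all three in the message. The added Redis check also repeats the `ghac.ClientId == "" || ghac.ClientSecret == ""` test that the first check has already returned on, so it can be reduced to the `RedisTokenDB` clause alone, and the inner parentheses around `ghac.GCSTokenDB == nil && ghac.RedisTokenDB == nil` are redundant.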

I left this change here but we should be able to do away with it. go-redis has a default value for Addr and Addrs. I kept it mainly because handling the configuration options will be weird if we don't set one of these explicitly:

For example:

redis_token_db:
    node_options:
    cluster_options:

The above would be a valid config but we won't know if we should create a single node connection or a cluster one. We can default to the single node one but it will be confusing to users.

karmi

comment created time in 23 days

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

@rojer I've removed the encryption support for the redis token DB. I think this PR is ready for a review now. :)

Thanks a bunch

karmi

comment created time in 23 days

push event dliappis/docker_auth

Flavio Percoco

commit sha 9a4599397336f21af5afaf37bac2ffb31a363764

remove encryption support for redis token db

push time in 23 days

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

@rojer Would you be open to considering keeping the encryption part of the code after @karmi and @dliappis explanation on why it was added?

nvm, I just re-read your previous comment and your concerns about the lack of rotation for the key. I'll get rid of that part for now so that we don't block this PR on it.

The more I think about it, the more I'm convinced it'd be nice for docker_auth to provide support for encryption, either through an external service/implementation or an internal one. This certainly doesn't belong to the DB code.

karmi

comment created time in 23 days

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

Right, using len(urls) == 1 as the condition would be optimal, but if memory serves, unfortunately on AWS ElastiCache (the Redis service we have been using), there's indeed only a single URL to connect to. Maybe @fxdgear or @flaper87 have some ideas here? It looks like a good way to get familiar with the codebase.

I do agree that it would be best to leave the encryption to an external service. For us, it was really only a nice way how to make the implementation more robust security-wise — if the Redis instance would be compromised, the tokens are useless, since they are encrypted.

I took a stab at this and replaced the Url/Urls options in favor of the go-redis Options and ClusterOptions types. This should reduce the customization in docker_auth and it'll make it easier for users to configure their redis options.

@rojer Would you be open to considering keeping the encryption part of the code after @karmi and @dliappis explanation on why it was added?

karmi

comment created time in 23 days

push event dliappis/docker_auth

Flavio Percoco

commit sha 3885dad8ce6b0c12b6e10336f95967ba0af04f9e

Use Redis's Options/ClusterOptions structs to manage config options

push time in 23 days

pull request comment cesanta/docker_auth

Send the scope class as part of the token

We (elastic) are running it and we'd be happy to help maintaining the project, if you'd have us. 😊🤗

flaper87

comment created time in a month

push event dliappis/docker_auth

Flavio Percoco

commit sha 27b3826838625be6e080c7970ed6ee15a46e677d

Send the scope class as part of the token As it is right now, it is not possible to authenticate plugin requests using `docker-auth`. The docker distribution registry expects[0] a scope with `Type` repository and `docker-auth` is sending `repository(plugin)` as that's what it receives in the request. Instead of sending `repository(plugin)` we should be sending `repository` and setting the scope class to `plugin`. The default class is `image`, which is why this works fine right now. Fixes #269

Karel Minarik

commit sha 5e9f1f2d5b71e21013a3da3b70e22e534416d969

[authn] Added a Redis-based `TokenDB` implementation This patch adds an implementation of TokenDB which stores user tokens in Redis (http://redis.io). The primary motivation is to enable operation in a distributed environment, where multiple instances of the `auth_server` are running, and the default LevelDB-based implementation stores tokens in a file on disk. This was inspired by the `GCSTokenDB` implementation, which solves a similar problem, but is tied to Google Cloud Storage, which would introduce latency when fetching tokens eg. from AWS.

Karel Minarik

commit sha 3df4e43302996976b8dc448e68cbe9dffa058842

[authn] Added the ability to use `RedisTokenDB` implementation for storing Github tokens This patch introduces `RedisTokenDB` into the Github authentication mechanism. It allows to use it in `NewGitHubAuth` and passes the URL from the YAML configuration to it. An example configuration has been added to `reference.yml`.

Karel Minarik

commit sha 0fff3865254c20c7ba800b2d2fa8a7534cc58e0e

[authn] Added an option to encrypt tokens in `RedisTokenDB` If the `encrypt_key` is provided in the YAML configuration, the Redis token database will encrypt the value before storing it, and decrypt it when reading it. The implementation is based on <https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.6.html>.

Karel Minarik

commit sha 255a2fcfa46359de6a2e3c68790eadd1acbf46ff

[authn] Added the ability to use Redis Cluster in `RedisTokenDB` Since the client for Redis in cluster mode is a separate type (https://godoc.org/github.com/go-redis/redis#NewClusterClient), an interface has been added, and `ClusterClient` is used when the `github_auth.redis_token_db.urls` is configured, otherwise the regular client (https://godoc.org/github.com/go-redis/redis#NewClient) is used.

push time in a month

delete branch flaper87/docker_auth

delete branch : scope-type

delete time in a month

pull request comment cesanta/docker_auth

Send the scope class as part of the token

thank you!

thank you for the review and for maintaining this project

flaper87

comment created time in a month

pull request comment cesanta/docker_auth

Send the scope class as part of the token

I did already :)

Plugin push:

~/…/docker_auth/auth_server $ docker plugin push localhost:5000/mine/my-plugin:0.0.1
The push refers to repository [localhost:5000/mine/my-plugin]
d3adcb574d5b: Pushed
0.0.1: digest: sha256:3c62fd743e3d8f1eed511969dc16d74c043cf9b24fa3522f92d19a388a6deae7 size: 519

Repository push

~/…/docker_auth/auth_server $ docker push localhost:5000/mine/docker_auth
The push refers to repository [localhost:5000/mine/docker_auth]
9db3677022cc: Layer already exists
0537e79a9821: Layer already exists
cd7100a72410: Layer already exists
latest: digest: sha256:3f5e60df82833e39e5179e02400b302aa9290790539233aa548cd6bcfae60f78 size: 949

docker auth logs:

I0131 16:36:30.080223 1967670 server.go:379] New token for {flaper87:***@[::1]:57978 [{repository  mine/my-plugin [pull push]}]} map[teams:[REDACTED]]: {"iss":"Acme auth server","sub":"flaper87","aud":"Docker registry","exp":1580489490,"nbf":1580488580,"iat":1580488590,"jti":"6276831680445898189","access":[{"type":"repository","name":"mine/my-plugin","actions":["pull","push"]}]}
I0131 16:36:35.972957 1967670 server.go:379] New token for {flaper87:***@[::1]:58000 [{repository  mine/docker_auth [pull push]}]} map[teams:[REDACTED]]: {"iss":"Acme auth server","sub":"flaper87","aud":"Docker registry","exp":1580489495,"nbf":1580488585,"iat":1580488595,"jti":"1270047298924844124","access":[{"type":"repository","name":"mine/docker_auth","actions":["pull","push"]}]}
flaper87

comment created time in a month

push event flaper87/docker_auth

Flavio Percoco

commit sha 0c3004591a5fb64bcafdd8f638b8d90879ce0e43

Send the scope class as part of the token As it is right now, it is not possible to authenticate plugin requests using `docker-auth`. The docker distribution registry expects[0] a scope with `Type` repository and `docker-auth` is sending `repository(plugin)` as that's what it receives in the request. Instead of sending `repository(plugin)` we should be sending `repository` and setting the scope class to `plugin`. The default class is `image`, which is why this works fine right now. Fixes #269

push time in a month

Pull request review comment cesanta/docker_auth

Send the scope class as part of the token

 import (  var ( 	hostPortRegex = regexp.MustCompile(`\[?(.+?)\]?:\d+$`)+	scopeRegex    = regexp.MustCompile(`([a-z0-9]+)($|\(([a-z0-9]+)\))`)
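
Review bot: `scopeRegex` is not anchored at the start, and its `\(([a-z0-9]+)\)` alternative is not anchored at the end, so a match can be found inside a longer string: `x-repository(plugin)` and `repository(plugin)junk` both yield type `repository` and class `plugin`. Anchor the pattern at both ends, for example `^([a-z0-9]+)(\(([a-z0-9]+)\))?$`, and reject scope types that do not match instead of using a partial match.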

Won't it produce the same result? Why do you prefer this other regex?

flaper87

comment created time in a month

Pull request review comment cesanta/docker_auth

Send the scope class as part of the token

 import (  var ( 	hostPortRegex = regexp.MustCompile(`\[?(.+?)\]?:\d+$`)+	scopeRegex    = regexp.MustCompile("(\\w+)($|\\((\\w+)\\))")
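
Review bot: `\\w+` in `scopeRegex` also accepts uppercase letters and underscores, which is wider than a lowercase type and class need; a narrower class such as `[a-z0-9]+` states the intent. The pattern is also written as a double-quoted string with doubled backslashes while `hostPortRegex` on the line above uses a raw backtick string; use the raw form here too so the two patterns read alike.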

a-ha! Good catch. Fixed it! :)

flaper87

comment created time in a month

push event flaper87/docker_auth

Flavio Percoco

commit sha 95415a624f33151b2b79bf6fa7884392cbabac00

Send the scope class as part of the token As it is right now, it is not possible to authenticate plugin requests using `docker-auth`. The docker distribution registry expects[0] a scope with `Type` repository and `docker-auth` is sending `repository(plugin)` as that's what it receives in the request. Instead of sending `repository(plugin)` we should be sending `repository` and setting the scope class to `plugin`. The default class is `image`, which is why this works fine right now. Fixes #269

push time in a month

push event flaper87/docker_auth

Flavio Percoco

commit sha 3e3baf129868d0f070e8feec297ccfda8acbf0e8

Send the scope class as part of the token As it is right now, it is not possible to authenticate plugin requests using `docker-auth`. The docker distribution registry expects[0] a scope with `Type` repository and `docker-auth` is sending `repository(plugin)` as that's what it receives in the request. Instead of sending `repository(plugin)` we should be sending `repository` and setting the scope class to `plugin`. The default class is `image`, which is why this works fine right now. Fixes #269

push time in a month

Pull request review comment cesanta/docker_auth

Send the scope class as part of the token

 func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) { 		for _, scopeStr := range req.Form["scope"] { 			parts := strings.Split(scopeStr, ":") 			var scope authScope++			scopeType := parts[0]+			var scopeClass string+			if strings.HasPrefix(scopeType, "repository") {
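
Review bot: `strings.HasPrefix(scopeType, "repository")` is true for any type that merely begins with those characters, such as `repositoryfoo`, so the class branch runs for types it was not written for. Compare against `repository` exactly once the optional `(class)` suffix has been split off, and leave every other type untouched.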

Ok, this is done! Thanks for the review :)

flaper87

comment created time in a month

Pull request review comment cesanta/docker_auth

Send the scope class as part of the token

 func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) { 		for _, scopeStr := range req.Form["scope"] { 			parts := strings.Split(scopeStr, ":") 			var scope authScope++			scopeType := parts[0]+			var scopeClass string+			if strings.HasPrefix(scopeType, "repository") {

yes, let's do that!

flaper87

comment created time in a month

Pull request review comment cesanta/docker_auth

Send the scope class as part of the token

 func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) { 		for _, scopeStr := range req.Form["scope"] { 			parts := strings.Split(scopeStr, ":") 			var scope authScope++			scopeType := parts[0]+			var scopeClass string+			if strings.HasPrefix(scopeType, "repository") {

According to this document there's a third scope that could be sent. This is why I went with matching string parts.

flaper87

comment created time in a month

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

Thank you for your comment. I'll address #1, not a fan of it myself either. I limited myself to just rebasing the patch in the previous push.

As for #2, I've asked @karmi to please shed some light as I'm just starting to familiarize myself with this PR. Maybe @dliappis can also answer the question.

karmi

comment created time in a month

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

Ok, it is rebased now :)

karmi

comment created time in a month

push event dliappis/docker_auth

Kevin

commit sha 2ee85ad8040bab72a929958b4c3c8037dbcd31ae

Initial proof of concept mapping memberOf CN to the label groups #63 (cherry picked from commit 4a33badac6b74617dfe3797a716a6907cf018b27)

Kevin

commit sha 3f5e1b78519238ca65e6084f48cbdd56531e4c84

Apply attribute mapping from configuration (cherry picked from commit ddde2fa779e746d7e74cd972a4c6795c72f17ee6)

Kevin

commit sha 98c4191ee4eae3e3e823c91226179c740e77f3a9

Remove unused configuration fields, never implemented? (cherry picked from commit cd37001980267a99a9faa19f1927891af63acb90)

Kevin

commit sha 1b5d134966c8bd1cba9afaeca284476e66a495e5

Add LDAP label map examples to the reference config (cherry picked from commit 2fd43be4e5c2cfe177d9e1d36bcd1b29f4d6f262)

Manuel Rüger

commit sha 1bc75974e70ff7a84bdf3323889b81e44ea3dc00

reference.yml: Add example ACL

Karel Minarik

commit sha 6c06b8bca2cb7429e9f39a9bba264c63c320d553

Add authorization based on Github teams (#219) * [authn] Added the fetching of Github teams into token `labels` This patch adds the ability to: * Fetch user's team in configured organization (the `fetchTeams` function), with support for pagination of results * Store them as list of strings in the `TokenDBValue` struct * Return them as `labels` in the `Authenticate` function The motivation is to use the list of user's teams as `labels` in the ACL configuration, eg.: - match: {labels: {"teams": "developers"}} actions: ["*"] comment: Developers have access to everything The Github API used, https://developer.github.com/v3/orgs/teams/#list-user-teams, is currently marked as experimental, but it's currently the only way how to fetch the teams of a user. The teams are fetched _only_ when a Github organization is configured in YAML, with the assumption that it will be used in context of a company Docker registry, which eg. allows public access for pulling, and private access for pushing the images. Implements: https://github.com/cesanta/docker_auth/issues/191 This patch improves the visual style of the `/github_auth` page, adding some CSS and better HTML structure. The Github logo is added as an inline SVG string in the CSS declaration. It also adds a new HTML page for the subsequent page, when user has been authenticated at Github, showing a formatted `docker login` command. It also changes the handler in `server.go` to redirect to `/github_auth` immediately, when it was configured in the YAML file, to skip an unnecessary step.

Adam Shannon

commit sha 335f36b35872304c92e85429b6fcd0327ffca051

doc: mention make deps in auth_server README (#233)

Adam Shannon

commit sha fb1183af2d98345aba03474d64aca7e16a5b6bbf

drop hardcoded configs around TLS 1.x (#232) Modern Go versions (1.9 and 1.10) as of this commit are much better about cipher suite selection and the ssl/tls protocols used. In fact, SSLv3 needs to be explicitly enabled now. Fixes: https://github.com/cesanta/docker_auth/issues/231

Karel Minarik

commit sha 4bd401c0a07a8e2d5807af1f1995cf114a8c5e16

[authn] Added the `Labels` property to the `TokenDBValue` struct (#217) This patch extends the `TokenDBValue` struct in order to allow storing "labels" associated with a user directly in the data structure, ie. without a need for secondary storage. The primary motivation is related to the possibility of storing user's Github teams as `labels`, and using them in the ACL configuration.

rojer

commit sha 3420ca1aaf63bbdfe9bfe47d9c2eab6482b5a9d2

Drop the -i, it's cleaner Newer versions of Go do not need -i to not rebuild everything

Adam Shannon

commit sha e10780b62fb04d6dc0f9012a39a5afe46755a308

docs: quick setup steps for github auth (#234)

Karel Minarik

commit sha b1fb3677cf290a9d4b19f7c50aced0a35ba05fb3

[authn] Added the ability to display full `docker login` command (#221) In order to make the `docker login` command more user-friendly, allow to set `registry_url` in the YAML configuration, and display it when the user has been successfully authenticated. If the parameter is not set, display an example URL. (cherry picked from commit 3aeb8476dcb5b208cc3aac4d64bf1c10c020daf4)

Richard Kettlewell

commit sha 01ff449c422d341c86a78bb431828a091a905ac3

Fix broken build instructions

Deomid Ryabkov

commit sha 7f136039dc4dee11c73a272ca233c08ee65d2ffd

Merge pull request #242 from ewxrjk/readme Fix broken build instructions

rojer

commit sha 1e138837a652d45b2278a457ec0698985e0190e3

Add autoredirect: false to example https://github.com/cesanta/docker_auth/issues/245

Deomid Ryabkov

commit sha b89dec9a4f0098fb0f71d9b94e44d1710c1fe5cf

Merge pull request #228 from mrueg/ldap MAP LDAP account attributes to labels such as groups

Tharindu Jayathilake

commit sha bfb15170322adfa5681480a4767cdca4a463e787

Add custom authentication and authorization implementations to avoid spawning new processes (#254) Purpose To avoid spawning new processes for requests received by docker auth endpoint. To allow developers to add their own plugins to docker auth. Approach Add new custom authentication and authorization implementations by implementing the existing authentication and authorization interfaces. Therefore the developers can add their own plugins with their program logics. Test environment go version: go1.12.5 darwin/amd64 OS: Mac OS 10.14.5

Deomid "rojer" Ryabkov

commit sha abffb0d065e5da201b31082aedeed0df3944a9b8

gofmt everything

High~Kick

commit sha 9c17b9ae2427bc48259a5825fcf4b25740e5ba17

return 401 when there is no user or password (#251) Signed-off-by: duyanghao <1294057873@qq.com>

Bogdan Padalko

commit sha eca2321318427961b52056c751ca9ee4273c150c

Add support for lowercases DN elements (#247)

push time in a month

pull request comment cesanta/docker_auth

Add a Redis-based token storage implementation

@karmi can you rebase?

I'll do it!

karmi

comment created time in a month

PR opened cesanta/docker_auth

Send the scope class as part of the token

As it is right now, it is not possible to authenticate plugin requests using docker-auth. The docker distribution registry expects[0] a scope with Type repository and docker-auth is sending repository(plugin) as that's what it receives in the request.

Instead of sending repository(plugin) we should be sending repository and setting the scope class to plugin. The default class is image, which is why this works fine right now.

I had trouble finding a detailed documentation about how the docker registry uses class but here's a test:

curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository(plugin):rchicoli/docker-log-elasticsearch:pull,push"

The above command produces a token that contains the following access request (you can decode the token using https://jwt.io/ [thanks for the hint @fxdgear]):

...
"access": [
    {
      "type": "repository",
      "class": "plugin",
      "name": "rchicoli/docker-log-elasticsearch",
      "actions": [
        "pull"
      ]
    }
  ],
...

Fixes #269

+16 -2

0 comment

1 changed file

pr created time in a month
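
The split of a request scope such as `repository(plugin):name:actions` into the `type`, `class`, `name` and `actions` fields of the token, as an added Go example that is not code from the PR or from docker_auth. `ResourceScope`, `ParseScope`, the anchored pattern and the rule of cutting the name at the first and last colon are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// scopeTypeRe splits "repository(plugin)" into a type and an optional class.
// Anchoring at both ends is a choice made for this example, so that nothing
// before the type or after the closing parenthesis is silently ignored.
var scopeTypeRe = regexp.MustCompile(`^([a-z0-9]+)(?:\(([a-z0-9]+)\))?$`)

// ResourceScope (hypothetical name) mirrors one entry of the "access" list
// in the decoded token shown in the PR description.
type ResourceScope struct {
	Type    string
	Class   string // empty when the request carried no "(class)" suffix
	Name    string
	Actions []string
}

var errBadScope = errors.New("malformed scope")

// ParseScope (hypothetical helper) parses "type[(class)]:name:actions".
// The name may itself contain ':' (a registry host with a port), so the type
// ends at the first colon and the actions start after the last one.
func ParseScope(s string) (ResourceScope, error) {
	first := strings.Index(s, ":")
	last := strings.LastIndex(s, ":")
	if first <= 0 || last == first {
		// No colon, an empty type, or fewer than three fields.
		return ResourceScope{}, errBadScope
	}
	m := scopeTypeRe.FindStringSubmatch(s[:first])
	name := s[first+1 : last]
	if m == nil || name == "" {
		return ResourceScope{}, errBadScope
	}
	scope := ResourceScope{Type: m[1], Class: m[2], Name: name}
	if actions := s[last+1:]; actions != "" {
		scope.Actions = strings.Split(actions, ",")
	}
	return scope, nil
}

func main() {
	// The first input is the scope from the curl test in the PR description;
	// the others are constructed for this example.
	samples := []string{
		"repository(plugin):rchicoli/docker-log-elasticsearch:pull,push",
		"repository:mine/docker_auth:pull,push",
		"repository:localhost:5000/mine/my-plugin:pull",
		"repository(plugin)junk:mine/my-plugin:pull",
		"x-repository(plugin):mine/my-plugin:pull",
	}
	for _, s := range samples {
		scope, err := ParseScope(s)
		fmt.Printf("%q\n  -> %+v err=%v\n", s, scope, err)
	}
}
```

A scope without a class leaves `Class` empty, which matches the PR's remark that the registry treats `image` as the default.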

create branch flaper87/docker_auth

branch : scope-type

created branch time in a month

fork flaper87/docker_auth

Authentication server for Docker Registry 2

fork in a month

pull request comment django-import-export/django-import-export

Generalized post-save behavior

I recently ran into a case where something like this is needed. I'd love to see this going in :D

Thanks for the PR

mcdeoliveira

comment created time in a month

issue comment jazzband/prettytable

Implement Jazzband guidelines for prettytable

prettytable has not been published on RTD yet so the whole setup should be done from scratch. I've given jazzband permissions on pypi and we should be able to automate releases.

hugovk

comment created time in a month

issue comment jazzband/prettytable

New PyPI release?

@flaper87 See #22 for the TODOs.

Done! Sorry again for having missed these notifications :(

hugovk

comment created time in a month

issue comment jazzband/prettytable

New PyPI release?

Jeeeez, this ended up being filtered out by gmail. I am soooooo sorry about this. I'm happy to give access to the Pypi project to Jazzband. What should I do to make prettytable releasable by jazzband?

hugovk

comment created time in a month

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

Small update: I'm making progress and very close to submitting an update to this PR. :)

flaper87

comment created time in a month

pull request comment elastic/cloud-on-k8s

Add CI files for OCP

@david-kow In order for openshift-install to work, I have to configure the CI service account (grant it specific permissions) and I'll have to create an ocp-ci test zone. I'll start configuring that, then I'll run tests as you recommended and get back with an updated version of this PR when those commands pass for me

Thanks :)

flaper87

comment created time in a month

Pull request review comment elastic/cloud-on-k8s

Add CI files for OCP

+pipeline {++    agent {+        label 'linux'+    }++    options {+        timeout(time: 300, unit: 'MINUTES')+    }++    environment {+        VAULT_ADDR = credentials('vault-addr')+        VAULT_ROLE_ID = credentials('vault-role-id')+        VAULT_SECRET_ID = credentials('vault-secret-id')+    }++    stages {+        stage('Checkout from GitHub') {+            steps {+                checkout scm+            }+        }+        stage('Run Checks') {+            steps {+                sh 'make -C build/ci TARGET=ci-check ci'+            }+        }+        stage("Run E2E tests") {+            steps {+                sh """+                    cat >.env <<EOF+GCLOUD_PROJECT = $GCLOUD_PROJECT
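
Review bot: the heredoc in the `Run E2E tests` stage sits inside a Groovy `sh """` string, so `$GCLOUD_PROJECT` is interpolated by Groovy before the shell sees it rather than expanded by the shell. With `VAULT_ROLE_ID` and `VAULT_SECRET_ID` bound in the `environment` block, any later line of the `.env` that references them the same way would place the secret values in the script text; use a single-quoted `sh '''` block so the shell does the expansion.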

done, thanks!

flaper87

comment created time in a month

started Nefelim4ag/Ananicy

started time in a month

PR opened elastic/cloud-on-k8s

Add CI files for OCP

This PR will add all the CI files to setup an e2e job on OpenShift

Fixes #2170

+113 -0

0 comment

2 changed files

pr created time in a month

create branch elastic/cloud-on-k8s

branch : openshift

created branch time in a month

delete branch elastic/cloud-on-k8s

delete branch : openshift

delete time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 0044a92bed28e808e25e91a59596ec7747b72c83

PULL_SECRET should be set for dev environments

Flavio Percoco

commit sha 04669d3e57729caa0ffdcb340ef6ff2bbfade60d

Update hack/deployer/runner/settings.go Co-Authored-By: david-kow <50632861+david-kow@users.noreply.github.com>

Flavio Percoco

commit sha 423d38b6c73776cf6ad11102fc1eb92df3ba130d

Merge pull request #2429 from elastic/openshift PULL_SECRET should be set for dev environments

push time in a month

PR merged elastic/cloud-on-k8s

PULL_SECRET should be set for dev environments :ci >enhancement
+16 -6

0 comment

3 changed files

flaper87

pr closed time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 04669d3e57729caa0ffdcb340ef6ff2bbfade60d

Update hack/deployer/runner/settings.go Co-Authored-By: david-kow <50632861+david-kow@users.noreply.github.com>

push time in a month

Pull request review comment elastic/cloud-on-k8s

PULL_SECRET should be set for dev environments

 type OcpSettings struct { 	Region        string `yaml:"region"` 	AdminUsername string `yaml:"adminUsername"` 	WorkDir       string `yaml:"workDir"`+	PullSecret    string `yaml:"PullSecret"`
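
Review bot: the new field's tag is `yaml:"PullSecret"` while every sibling key is lower camel case (`region`, `adminUsername`, `workDir`), so a plan file that follows the existing convention and writes `pullSecret` would leave this field empty with a case-sensitive YAML decoder. Change the tag to `pullSecret`.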

argh, forgot to change the capitalization

flaper87

comment created time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 0044a92bed28e808e25e91a59596ec7747b72c83

PULL_SECRET should be set for dev environments

push time in a month

PR opened elastic/cloud-on-k8s

PULL_SECRET should be set for dev environments
+18 -6

0 comment

3 changed files

pr created time in a month

push event elastic/cloud-on-k8s

Michael Morello

commit sha 96c8602b080025f6f51c93cc11e618df3aa01c84

Remove mention to the beta version in the README (#2419)

david-kow

commit sha 3bc31f588eed6f73efe6793ab76a85a709e57e3b

Add mention about Kibana pods restarting during ECK upgrade (#2422) * Add mention about Kibana pods restarting during ECK upgrade * Remove duplicated paragraph

Flavio Percoco

commit sha 07170fb3e1203d4d14038b7ccd7f4febc9303805

Merge pull request #2421 from elastic/openshift Add an OCP deployer

Flavio Percoco

commit sha 1be724bba610a45c17450c33667886468e6b5cc1

PULL_SECRET should be set for dev environments

push time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 8614cf40d8727c4b2ef9aa13d01cdc443e2ad77d

Add an OCP deployer This commit adds a new ocp deployer to be able to create openshift clusters on the CI clouds. Future commits will add the ability to run tests on an OpenShift cluster deployed by the deployer

Flavio Percoco

commit sha c64d2bf20267cd961f4a49496d36c3da95357985

Address linting errors

Flavio Percoco

commit sha 5093b56c96d1062d035c5612a5e340ec1d7c78e0

Address review comments

Flavio Percoco

commit sha 872326422270626b152f5d7b7d7146604baa4ba6

use constants for action names

Flavio Percoco

commit sha 965a04b7a519e2ef7fb2448e1cd6aa728ff8e2fe

address review comments

Flavio Percoco

commit sha 07170fb3e1203d4d14038b7ccd7f4febc9303805

Merge pull request #2421 from elastic/openshift Add an OCP deployer

push time in a month

PR merged elastic/cloud-on-k8s

Add an OCP deployer

This PR adds a new ocp deployer to be able to create openshift clusters on the CI clouds. Future commits will add the ability to run tests on an OpenShift cluster deployed by the deployer

Related #2170

+412 -37

1 comment

9 changed files

flaper87

pr closed time in a month

Pull request review comment elastic/cloud-on-k8s

wip: Add an OCP deployer

 type Plans struct {  // Plan encapsulates information needed to provision a cluster type Plan struct {-	Id                string `yaml:"id"` //nolint-	Operation         string `yaml:"operation"`-	ClusterName       string `yaml:"clusterName"`-	Provider          string `yaml:"provider"`-	KubernetesVersion string `yaml:"kubernetesVersion"`-	MachineType       string `yaml:"machineType"`-	ServiceAccount    bool   `yaml:"serviceAccount"`--	Psp bool `yaml:"psp"`--	Gke *GkeSettings `yaml:"gke,omitempty"`-	Aks *AksSettings `yaml:"aks,omitempty"`--	VaultInfo *VaultInfo `yaml:"vaultInfo,omitempty"`+	Id                string       `yaml:"id"` //nolint+	Operation         string       `yaml:"operation"`+	ClusterName       string       `yaml:"clusterName"`+	Provider          string       `yaml:"provider"`+	KubernetesVersion string       `yaml:"kubernetesVersion"`+	MachineType       string       `yaml:"machineType"`+	WorkDir           string       `yaml:"workDir"`
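Review bot: the last visible added line puts `WorkDir` on the provider-agnostic `Plan` struct with no doc comment; if only the OCP deployer reads it, it fits better in a provider-specific settings struct next to `Gke` and `Aks`. Wherever it ends up, add a one-line comment stating what the directory holds and whether the path must be absolute, since deployer state written there may need cleanup.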

yeah, probably safer and clearer to do this! Thanks for the suggestion.

flaper87

comment created time in a month

Pull request review comment elastic/cloud-on-k8s

wip: Add an OCP deployer

 plans:   aks:     nodeCount: 3     location: northeurope+- id: ocp-ci

A-ha, nice! I'll add the ocp-dev one and test the make targets you mentioned.

flaper87

comment created time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 965a04b7a519e2ef7fb2448e1cd6aa728ff8e2fe

address review comments

push time in a month

push event elastic/cloud-on-k8s

Flavio Percoco

commit sha 5093b56c96d1062d035c5612a5e340ec1d7c78e0

Address review comments

Flavio Percoco

commit sha 872326422270626b152f5d7b7d7146604baa4ba6

use constants for action names

push time in a month

push event elastic/cloud-on-k8s

Thibault Richard

commit sha 1ac541aa755b565d5b0a595fd2bc1436090481e1

Update licensing doc with max_enterprise_resource_units (#2375)

Thibault Richard

commit sha b2ac2c006947210e12e32017cfa4c17daca4bc26

Do not report max ERUs for basic licenses (#2377)

Anya Sabo

commit sha 553632c2ace200e2aa297d569818c54f875da45c

Update auto labels (#2379)

david-kow

commit sha 5ea01e7607b92d7e4c5248f91e60c281ada2f851

Add note that image field is required even when custom image is provided (#2383)

david-kow

commit sha 8b0e33f775707566df863d2ed3ddea6899fe3f4e

Allow to pick location for AKS in deployer (#2382)

Sebastien Guilloux

commit sha d0db7b005171d06dfe986e29f2389c5d5d3eba19

Use a 15min RollingUpgradeTimeout for keystore checks in E2E tests (#2388) * Use the RollingUpgradeTimeout for keystore checks in E2E tests Since we added a 30sec preStop wait, rolling upgrades take longer than before. We recently updated the rolling upgrade timeout to 15 minutes, but did not do it for the keystore rolling upgrade test which is written differently. * fix comment

Michael Morello

commit sha 8728753f1363c445aa57c198c4e4ab67b5715f80

E2E Tests: Remove readiness probe on global operator (#2390)

Peter Brachwitz

commit sha 4386ce4abb683d7e12e25ca32512f00b7959a1bb

Use version attribute in custom Docker image doc (#2400) * Use version attribute in custom Docker image doc * Fix broken link

Anya Sabo

commit sha 2d34671a6037f87e2776958536b39768cc5dc093

Add release highlights (#2356)

Sebastien Guilloux

commit sha 61a0de4875c2a46260d7bc4db367a4592fdf8bac

Synchronously request the Cluster UUID (#2399) * Perform a synchronous request to retrieve ES cluster UUID Since we only perform that request when: - the cluster is not marked as bootstrapped yet - es is supposed to be reachable It's fine to do it synchronously, and not rely on state observed every 10 seconds asynchronously. Doing a sync requests reduces a bit the time window where we could wrongly assume the cluster has not been bootstrapped yet, and removes some complexity in the code. This commit also refactors a bit the unit tests with a single function that should cover all cases. * Remove unused ObserverState.ClusterInfo

Anya Sabo

commit sha 8afa94457d4f60cf6910789a6009c0451e5a60b7

Update deletion order sort test (#2394)

Peter Brachwitz

commit sha 8c4241e1a03ee1a0e254baa78525ea0e003877be

Ack license put requests and inspect acknowledged field in response (#2398) This fixes an issue where ECK would not be able to install a valid license into a cluster if the cluster already had a license installed. It also now inspects the acknowledge response attribute to ensure the license registered successfully with the cluster.

Sebastien Guilloux

commit sha 0bc4ab28bbeaf4405798fe5e5cc28a583bf1999f

Check cluster UUID annotation in E2E tests (#2404) Ensure the cluster is eventually annotated with its UUID. The nice side effect is that we also make sure the cluster bootstrap is over before applying a mutation.

Anya Sabo

commit sha 2e2f4f01c5487acdfe131f982e0a286c2a1f1e47

Add beta -> upgrade docs (#2407)

david-kow

commit sha c0155249e999a0fd52d3bc76351dd526f3e0c7f8

Rework Makefile targets to not be cloud specific (#2386) * Rework Makefile targets to not be cloud specific * Make linter happy * Make ifeq args placement consistent

Michael Morello

commit sha 3c97cf5c730489305fecd96434a33939958456ae

Ensure that the list of nodes scheduled for upgrade is consistent in case of version change (#2411) * Add version comparison to podsToUpgrade(..) Co-authored-by: Peter Brachwitz <peter.brachwitz@gmail.com>

Charith Ellawala

commit sha 051ae0635b4d843df2788e06f3a22270fe8d76a6

Backport doc changes to update strategy and Stack upgrade (#2412) * Editing "Update strategy" section (#2410) * Update elasticsearch-specification.asciidoc * Update docs/elasticsearch-specification.asciidoc Integrate Charith's feedback Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update docs/elasticsearch-specification.asciidoc Integrate Charith's comments Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update docs/elasticsearch-specification.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update docs/elasticsearch-specification.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update docs/elasticsearch-specification.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update docs/elasticsearch-specification.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> Co-authored-by: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> * Update upgrading-stack.asciidoc (#2384) Co-authored-by: alaudazzi <46651782+alaudazzi@users.noreply.github.com>

Michael Morello

commit sha bd810e13cfcb1fa07f409984e394600d347f6011

Update orchestration doc (#2392) * Update orchestration doc Co-authored-by: alaudazzi <46651782+alaudazzi@users.noreply.github.com>

Flavio Percoco

commit sha 8614cf40d8727c4b2ef9aa13d01cdc443e2ad77d

Add an OCP deployer This commit adds a new ocp deployer to be able to create openshift clusters on the CI clouds. Future commits will add the ability to run tests on an OpenShift cluster deployed by the deployer

Flavio Percoco

commit sha c64d2bf20267cd961f4a49496d36c3da95357985

Address linting errors

push time in a month

pull request comment elastic/cloud-on-k8s

wip: Add an OCP deployer

  1. Could you also add two default, sane configs - one for ci and one for devs - in cloud-on-k8s/hack/deployer/config/plans.yml?

Done

  1. Could you add generation of a default override file for devs in cloud-on-k8s/hack/deployer/cmd/create.go? You might want to rebase beforehand as it had some changes recently.

Done

  1. Could you add the below target in cloud-on-k8s/Makefile? Similar to switch-gke and switch-aks.
switch-ocp:
	@ echo "ocp" > hack/deployer/config/provider

Done

flaper87

comment created time in a month
