feat: add --skip-ca-certificates flag #617

GGabriele · 2022-03-16T20:23:07Z

Since CA certificates are 'global' entities in Kong,
they cannot be managed on a per-workspace basis,
making it hard to be handled declaratively with decK.

This introduces a new --skip-ca-certificates to
sync/dump/diff/reset to make sure CA certs are
ignored when needed.

rainest

diff should have parity with sync for the most part, but lacks support for this flag:

14:24:24-0700 esenin $ /tmp/bdeck diff -s /tmp/empty.yaml                       
deleting ca-certificate b368ce04-cacd-4d0c-8811-9c75a5b7fab5
deleting ca-certificate a37fcb6d-a452-42c9-989f-cd5c49c0828f
Summary:
  Created: 0
  Updated: 0
  Deleted: 2
14:24:27-0700 esenin $ /tmp/bdeck sync -s /tmp/empty.yaml --skip-ca-certificates
Summary:
  Created: 0
  Updated: 0
  Deleted: 0
14:24:29-0700 esenin $ /tmp/bdeck diff -s /tmp/empty.yaml --skip-ca-certificates    
Error: unknown flag: --skip-ca-certificates

Other than that and the test version question, looks good to go.

rainest · 2022-03-16T21:38:44Z

tests/integration/sync_test.go

+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			kong.RunWhenKong(t, ">=2.7.0")


Is there a reason that this is gated at 2.7? CA certificates were added much earlier and I'm not aware of any API difference that'd affect the way this flag operates since.

I did it mostly to avoid having N tests for this, due to schema differences on various version. If you think that's needed/good to have, I'll split the tests per-version

What are the differences? If the flag functions the same either way and it's just a matter of the input/output objects not being identical across all versions, fine to leave the gate in place as-is, just add a comment to the effect of "ca_certificates first appeared in 1.3, but we limit to 2.7+ here because the schema changed and the entities aren't the same across all versions, even though the skip functionality works the same."

Exactly. Done.

tests/integration/reset_test.go

Since CA certificates are 'global' entities in Kong, they cannot be managed on a per-workspace basis, making it hard to be handled declaratively with decK. This introduces a new --skip-ca-certificates to sync/dump/diff/reset to make sure CA certs are ignored when needed.

GGabriele · 2022-03-16T21:47:45Z

diff should have parity with sync for the most part, but lacks support for this flag:

Ops, I forgot to git add it :\ did it now

codecov-commenter · 2022-03-16T21:47:56Z

Codecov Report

Merging #617 (716c18b) into main (9892fdb) will decrease coverage by 0.06%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #617      +/-   ##
==========================================
- Coverage   45.56%   45.49%   -0.07%     
==========================================
  Files          74       74              
  Lines        8450     8462      +12     
==========================================
  Hits         3850     3850              
- Misses       4241     4253      +12     
  Partials      359      359

Impacted Files	Coverage Δ
cmd/common.go	`6.55% <0.00%> (-0.09%)`	⬇️
cmd/diff.go	`0.00% <0.00%> (ø)`
cmd/dump.go	`0.00% <0.00%> (ø)`
cmd/reset.go	`0.00% <0.00%> (ø)`
cmd/sync.go	`0.00% <0.00%> (ø)`
dump/dump.go	`1.64% <0.00%> (-0.01%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9892fdb...716c18b. Read the comment docs.

* feat: add --skip-ca-certificates flag Since CA certificates are 'global' entities in Kong, they cannot be managed on a per-workspace basis, making it hard to be handled declaratively with decK. This introduces a new --skip-ca-certificates to sync/dump/diff/reset to make sure CA certs are ignored when needed. * tests: add integration tests for --skip-ca-certificates

GGabriele requested a review from rainest March 16, 2022 20:23

GGabriele requested a review from a team as a code owner March 16, 2022 20:23

rainest suggested changes Mar 16, 2022

View reviewed changes

GGabriele force-pushed the prevent_ca_cert_reset branch from 7199cff to 716c18b Compare March 16, 2022 21:46

GGabriele force-pushed the prevent_ca_cert_reset branch 2 times, most recently from 9ffdb37 to 661d1e9 Compare March 17, 2022 09:11

tests: add integration tests for --skip-ca-certificates

1680a1b

GGabriele force-pushed the prevent_ca_cert_reset branch from 661d1e9 to 1680a1b Compare March 17, 2022 09:15

rainest approved these changes Mar 17, 2022

View reviewed changes

rainest merged commit 5016897 into main Mar 17, 2022

rainest deleted the prevent_ca_cert_reset branch March 17, 2022 18:31

rainest mentioned this pull request Mar 18, 2022

Add flag to skip CA certificates Kong/kubernetes-ingress-controller#2341

Merged

1 task

mflendrich mentioned this pull request Mar 23, 2022

Deal with ca_certificates living across workspaces #300

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add --skip-ca-certificates flag #617

feat: add --skip-ca-certificates flag #617

GGabriele commented Mar 16, 2022

rainest left a comment

rainest Mar 16, 2022

GGabriele Mar 16, 2022

rainest Mar 16, 2022

GGabriele Mar 17, 2022

GGabriele commented Mar 16, 2022

codecov-commenter commented Mar 16, 2022

feat: add --skip-ca-certificates flag #617

feat: add --skip-ca-certificates flag #617

Conversation

GGabriele commented Mar 16, 2022

rainest left a comment

Choose a reason for hiding this comment

rainest Mar 16, 2022

Choose a reason for hiding this comment

GGabriele Mar 16, 2022

Choose a reason for hiding this comment

rainest Mar 16, 2022

Choose a reason for hiding this comment

GGabriele Mar 17, 2022

Choose a reason for hiding this comment

GGabriele commented Mar 16, 2022

codecov-commenter commented Mar 16, 2022

Codecov Report