nais / cli Goto Github PK

Når man prøver å bruke appen sine credentials for å nå Kafka får man en uforklarlig feilmelding. Her burde vi heller informere om hva som er riktig måte å gjøre dette på.

Feilmelding:

retrieve secret and generating config: secret is must have at least one of these annotations: 'aivenator.aiven.nais.io/protected', 'aivenator.aiven.nais.io/with-time-limit'

Slack-tråd: https://nav-it.slack.com/archives/C5KUST8N6/p1669289958610019

Dokumentasjonen og NAIS burde kunne bakes inn i nais cli. Begge deler er vel i praksis en form for rotasjon av credentials?

The postgres prepare command currently only grants privileges to the cloudsqliamuser role, but does not support downgrading from ALL to SELECT nor revoking the privileges entirely.

Some users would like an option to revoke these privileges.

See discussion on Slack: https://nav-it.slack.com/archives/C5KUST8N6/p1676968734044309

Ikke den viktigste saken i verden, men ser på https://doc.nais.io/cli/install/ at anbefalt installasjonsbetode for Mac er med brew og for Linux med apt-kommandoen og et PPA. Brew fungerer fint på Linux også. Er det kanskje lettere å distribuere via Brew for Linux, akkurat som for Mac?

When attempting to validate a resource that contains template placeholders e.g:

apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: some-app
  namespace: some-team
  labels:
    team: some-team
spec:
  image: {{image}}

a somewhat cryptic error is returned:

failed to convert yaml to json: error converting YAML to JSON: yaml: invalid map key: map[interface {}]interface {}{"image":interface {}(nil)}

This is of course due to {} being parsed as a map for the image field in the above example.

In case a given resource contains placeholders, we should consider doing the following:

1. Return a more appropriate error message.
2. Inform the user of the available templating support to fix the errors.

For fields that expect string values we could consider automatically wrapping the placeholders with quotes, but this seems hacky.

Pipeline, could be made more automatic or robust and automatic.

It is possible to add IAM conditions to roles/cloudsql.client to lock down to a single instance like this resource.name == 'projects/abc123/instances/myinstance' && resource.type == 'sqladmin.googleapis.com/Instance'

A command that does the steps from https://doc.nais.io/deployment/troubleshooting/ for you and gives a useful report with next steps.

Postgres 15 removed default permissions from the public schema. This affects how cloudsqliam users get access to this schema. I think we create superusers for the applications themselves, so they and their credentials will still work.

Når brukeren har glemt å logge inn med --update-adc burde nais-cli informere om dette, i tillegg til feilmeldingen som kommer nå.

❯ nais postgres prepare hm-grunndata-api
Prepare will prepare the postgres instance by connecting using the
application credentials and modify the permissions on the public schema.
All IAM users in your GCP project will be able to connect to the instance.

This operation is only required to run once for each postgresql instance.

Are you sure you want to continue (y/N): y
2022/05/13 14:38:11 default proxy initialization failed; consider calling proxy.Init explicitly: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Able to specify a command that generates only a .env file with all properties from secret

When running nais kubeconfig, onprem clusters are included, but without the user defined.

Can we just stop having the --include-onprem flag?

Nå er alle Aiven-kommandoer knyttet til NAV-tenanten, disse burde skrives om til å være basert på hvilken tenant brukeren er logget inn på i naisdevice.

nais kubeconfig har løst dette med å hente aktiv tenant direkte fra kjørende naisdevice. Usikker på om det er like lett for Aiven, om den har navn/labels knyttet til tenant.

In the documentation it says:

Note that if you change your application name, database name or envVarPrefix, and then change it later, you have to manually reset database credentials.

Under reset database credentials it says all you have to do for a database with default user is to run nais postgres password rotate <MYAPP>. However, this will not delete the credentials from kubernetes secrets. Thus, changing the database name does not generate new env variable names. Either the docs should be updated or the password rotate functionality should be extended with functionality to update credentials.

Får følgende feilmelding når jeg kjører nais start teamdigisos sosialhjelp-avtaler-admin

OS: Ubuntu 22.04, Regolith

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x137f318]

goroutine 1 [running]:
github.com/nais/cli/pkg/appstarter.makeHttpRequest(0x0?)
	/home/runner/work/cli/cli/pkg/appstarter/appstarter.go:122 +0x2d8
github.com/nais/cli/pkg/appstarter.Naisify({0x7fff620b9fd2, 0x19}, {0x7fff620b9fc6, 0xb}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, ...)
	/home/runner/work/cli/cli/pkg/appstarter/appstarter.go:60 +0x278
github.com/nais/cli/cmd.commands.Command.func2(0xc0001fe6c0)
	/home/runner/work/cli/cli/cmd/appstartercmd/appstarter.go:47 +0x132
github.com/urfave/cli/v2.(*Command).Run(0xc00035cf20, 0xc0001fe6c0, {0xc0007150b0, 0x3, 0x3})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:279 +0x97d
github.com/urfave/cli/v2.(*Command).Run(0xc0003b91e0, 0xc0001fe540, {0xc000148040, 0x4, 0x4})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:272 +0xbb7
github.com/urfave/cli/v2.(*App).RunContext(0xc0003ba000, {0x2083b30, 0x2fbb300}, {0xc000148040, 0x4, 0x4})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:337 +0x58b
github.com/urfave/cli/v2.(*App).Run(...)
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:311
github.com/nais/cli/cmd.Run()
	/home/runner/work/cli/cli/cmd/cmd.go:47 +0x14c
main.main()
	/home/runner/work/cli/cli/main.go:6 +0xf

There's a discussion on Slack about his for more context and workarounds, but essentially, the location and filename for the pgpass file are different on Windows than they are on Linux and Mac, and the CLI doesn't take this into account when it generates (or updates) it.

An extract from the PostgreSQL documentation:

The file .pgpass in a user's home directory can contain passwords to be used if the connection requires a password (and no password has been specified otherwise). On Microsoft Windows the file is named %APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile). Alternatively, the password file to use can be specified using the connection parameter passfile or the environment variable PGPASSFILE.

Now of course, we could use those workarounds, but I submit that a tool that aims to reduce friction should take care of this for us 😄

Prøver å bruke IntelliJ sin Big Data Tool til å se på meldinger i en Kafka-topic, men sliter. Det er ikke dokumentert - ihvertfall ikke eksplisitt - for nais-cli på https://github.com/nais/doc/blob/main/docs/cli/commands/aiven.md

I dag bruker Validate https://storage.googleapis.com/nais-json-schema-2c91/nais-all.json for å hente inn schema å validere kubernetes ressurser mot.
Denne inneholder CRD-er for NAIS. Men siden vi oppfordrer å lage flere ressurser, som f.eks. PrometheusRule bør vi kanskje støtte alle ressurser som vi dokumenterer i doc-en?

• The issue starts with the merge of a dependabot PR: #51

• We got a response in slack about errors with brew tap nais/tap

• Reverted merge of dependabot PR, dident seem to fix the issue.

• The real issue was go-releaser version > v1.7.0 we used default latest in go-releaser action.

Seems like we need to do some changes to go-releaser yml configuration before upgrading goreleaser > v1.7.0.

kjører nais naas kubeconfig

får dette :)

$ kubectl config get-contexts
CURRENT   NAME       CLUSTER    AUTHINFO    NAMESPACE
          ci-fss     ci-fss     nais-user   default
          dev-fss    dev-fss    nais-user   default
*         prod-fss   prod-fss   nais-user   default

Could be useful not to get all files exported, but only the ones you want. This could include specifying what type of configuration you need, e.g kcat.conf

or if you want all/some of the exported files as .env

nais-d is a unfortunate , as the former app app used the name naisd.

nais currently requires users to install a version of kubectl to interact with their application. The version of kubectl must be compatible with whatever version we might be running.

Would be nais if the cli could ensure that a there is a valid version of kubectl for the current OS.

A flag might control where the binary lands, e.g. a directory on $PATH

nais aiven create kafka <username> <namespace> -p nav-prod

The created aivenapplication has pool set to the default value, not the value specified.

Vi har jo et CLI i dag, men det gjør jo ikke så alt for mye nyttig... enda.
Her er det potensiale for å gjøre mye moro.

Hva om nais CLI er en slags kjernekomponent i hverdagen til en nais-utvikler?
Om vi ser for oss at du som ny utvikler skriver nais up, og alt som er nais installeres automatisk for deg:

• naisdevice
• kubeconfigs hentes
• gloud installeres

Når du så har fått alt som er nais får du så mulighet til å bruke dette CLI'et for å navigere alle naistjenester som er tilgjengelige:

• logger
• metrikker
• app-info
• deploy
• doktor
• databasekobling
• manifestgenerering
• osv.

Når man kjører nais-kommandoen
nais start --appname --teamname --appListenPort 8000
og man har generert et kotlin-prosjekt får man først feilmelding om at man mangler pom.xml eller tilsvarende. Hvis man toucher pom.xml og kjører på nytt får man yaml-filer som ikke passer helt med gradle og kotlin.

Forventet resultat: Det genereres oppsett som gjør at man kan kjøre kotlin-applikasjon på nais.
(Man kan sikkert snik-kikke på https://github.com/navikt/sokos-ktor-template .)

If a resource with a matching name already exists, we should not overwrite it but instead return an error to the user.

Currently we assume everything is done within the public schema. We should add support to specify schema when granting permissions and connecting.

https://nav-it.slack.com/archives/C5KUST8N6/p1704977244543049