feat(config): add webhook as kustomize component#122
feat(config): add webhook as kustomize component#122AvineshTripathi wants to merge 2 commits intokubernetes-sigs:mainfrom
Conversation
Signed-off-by: AvineshTripathi <avineshtripathi1@gmail.com>
✅ Deploy Preview for node-readiness-controller canceled.
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: AvineshTripathi The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @AvineshTripathi. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/L
| name: validating-webhook-configuration | ||
| annotations: | ||
| cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
| cert-manager.io/inject-ca-from: nrr-system/nrr-serving-cert |
There was a problem hiding this comment.
There is a reason these values are hardcoded here: they were previously populated using vars. However, vars is now deprecated (kubernetes-sigs/kustomize#5046
), and we should move to using replacements. When running Kustomize, it also throws the following warning indicating this deprecation.
# Warning: 'vars' is deprecated. Please use 'replacements' instead. [EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically.
If we switch to replacements, we run into a dependency issue. Both the webhook and metrics services need these replacements, but they are individual components and may or may not be deployed together. Because of this, we cannot keep the replacements in config/default. Placing them in individual components also does not work, as it fails to populate the nrr- prefix in the DNS names and annotations.
So I thought a better solution would be to hardcode it. Open for suggestions
Other places:
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
ajaysundark
requested review from
Priyankasaggu11929 and
ajaysundark
and removed request for
dchen1107 and
haircommander
|
@Priyankasaggu11929 had interests in testing the validation webhook, could you find time for this review? |
yes, let me test it over the coming week and get back. |
| apiVersion: cert-manager.io/v1 | ||
| kind: Certificate | ||
| metadata: | ||
| name: metrics-certs | ||
| namespace: system | ||
| spec: | ||
| commonName: nrr-metrics | ||
| dnsNames: | ||
| - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc | ||
| - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local | ||
| issuerRef: | ||
| kind: Issuer | ||
| name: selfsigned-issuer | ||
| secretName: metrics-server-cert |
There was a problem hiding this comment.
(confirming as I read the changes)
Is this change is essentially a cleanup? Basically moving the certificate creation under the component that needs the certificate right?
- so for prometheus (metrics-cert) is defined here now -
config/prometheus/tls/certificate.yaml - and same, webhook (serving-cert) is defined here -
config/webhook/certificate.yaml
There was a problem hiding this comment.
that is correct!
| name: metrics-certs | ||
| namespace: system | ||
| spec: | ||
| commonName: metrics |
There was a problem hiding this comment.
just wondering, is there any use of commonName now?
(because IIUC, hostname verification will happen with SAN entries below)
If it is for just completion sake in the certificate, let's add some commonName to the webhook certificate as well?
Maybe it's a nit, but then atleast both our certificates will have common meta
| target: | ||
| kind: Deployment | ||
| # Configure ServiceMonitor for TLS | ||
| - path: monitor_tls_patch.yaml |
There was a problem hiding this comment.
we delete the monitor_tls_patch.yaml file if not in use?
| target: | ||
| kind: Service | ||
|
|
||
| replacements: |
There was a problem hiding this comment.
was there any benefit of not hardcoding these values earlier?
And just to confirm - this replacements section is not required now because you've hardcoded the dnsNames in the new config/prometheus/tls/certificate.yaml?
dnsNames:
- nrr-controller-manager-metrics-service.nrr-system.svc
- nrr-controller-manager-metrics-service.nrr-system.svc.cluster.local
There was a problem hiding this comment.
Earlier too, the dnsName field was not propagating correctly; however, it seems Prometheus was still allowing that, but in the case of a webhook, the API server does not allow a mismatch in dnsName.
Since I was doing the changes in webhook certificate, I corrected it as well.
| dnsNames: | ||
| - nrr-controller-manager-metrics-service.nrr-system.svc | ||
| - nrr-controller-manager-metrics-service.nrr-system.svc.cluster.local |
There was a problem hiding this comment.
Nit:
I see in the webhook certificate below, the dnsNames entries are shorter:
dnsNames:
- nrr-webhook-service.nrr-system.svc
- nrr-webhook-service.nrr-system.svc.cluster.local
should we trim the service name for metrics as well? to follow a pattern?
(remove the controller-manager bit?)
| apiVersion: kustomize.config.k8s.io/v1alpha1 | ||
| kind: Component | ||
| resources: | ||
| - monitor.yaml |
There was a problem hiding this comment.
Delete the monitor.yaml file as well if not in use?
config/webhook/webhook_patch.yaml
Outdated
| name: webhook-service | ||
| namespace: system | ||
| path: /validate-nodereadiness-io-v1alpha1-nodereadinessrule | ||
| path: /validate-readiness-node-x-k8s-io-v1alpha1-nodereadinessrule |
There was a problem hiding this comment.
why are we correcting the path here with the patch and not directly correcting the marker itself (which IMO is the source of truth) -
I tried correcting the marker and removing this patch - it works.
So, I suggest we drop patching the path here and only keep this patch to add the required cert-manager annotation?
More so, because if we don't update the marker, any subsequent make manifests and make deploy will go back to using the old path defined in the markers, and that will break
There was a problem hiding this comment.
Thanks, @Priyankasaggu11929. I totally agree on updating the marker itself
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: controller-manager | ||
| namespace: system | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: manager | ||
| args: | ||
| - --leader-elect | ||
| - --health-probe-bind-address=:8081 | ||
| - --enable-webhook=true | ||
| ports: | ||
| - containerPort: 9443 | ||
| name: webhook-server | ||
| protocol: TCP | ||
| volumeMounts: | ||
| - mountPath: /tmp/k8s-webhook-server/serving-certs | ||
| name: cert | ||
| readOnly: true | ||
| volumes: | ||
| - name: cert | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: webhook-server-certs No newline at end of file |
There was a problem hiding this comment.
Again, only for confirmation -
This change is just moving the patch to config/webhook/manager_webhook_patch.yaml and using JSON Patch format?
There was a problem hiding this comment.
yes, that is correct
|
One thing (and maybe not for the scope of this PR and can be handled in follow ups) - How would we manage scheduling cert-manager deployments on a tainted worker node (infact all other componets too?) The other PR #117 only handle injecting matching tolerations for daemonsets. And I don't think we can upfront manually insert matching tolerations in our provided kustomization components yaml? |
Signed-off-by: AvineshTripathi <avineshtripathi1@gmail.com>
4 participants
Description
This PR converts the webhook config to a component like metrics and cert-manager and enables it. It also removes dependency of service monitor from the controller.
NOTE: webhooks require TLS, so cert manager crds installation is mandatory and
ENABLE_TLSneeds to betrue.Related Issue
Testing
Checklist
make testpassesmake lintpasses