@m00g3n m00g3n commented Jan 2, 2026

Description

Changes proposed in this pull request:

  • add cluster-trust-bundle feature

Related issue(s)

@m00g3n m00g3n requested a review from a team as a code owner January 2, 2026 09:26
@m00g3n m00g3n self-assigned this Jan 2, 2026
```go
// stores information if any container was modified
var result bool

for _, cs := range [][]corev1.Container{p.Spec.Containers, p.Spec.InitContainers} {
```

If we have two or more containers, the volume mounts will be modified only for the first one. `||` is a conditional operator, so if the first argument is true the second will not be evaluated.

I think the code should be modified as follows:

```go
if handleVolumeMount(cs) {
    result = true
}
```
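The short-circuit defect described in this comment, as an added Go example that is not the PR's code: the types are constructed stand-ins for `corev1.Container` and `corev1.VolumeMount`, `slices.ContainsFunc` stands in for whatever equality check the real defaulter uses, and the buggy `result = result || handleVolumeMount(cs)` line is reconstructed from the comment rather than copied from the diff. Running it shows that the buggy aggregation mounts into the regular containers but never reaches the init containers, while the proposed fix handles both lists and stays idempotent.

```go
package main

import (
	"fmt"
	"slices"
)

// Constructed stand-ins for corev1.VolumeMount and corev1.Container; the mount name and path are assumed.
type VolumeMount struct{ Name, MountPath string }
type Container struct{ VolumeMounts []VolumeMount }
var certsMount = VolumeMount{Name: "rt-bootstrapper-certs", MountPath: "/etc/ssl/certs"}

// handleVolumeMount adds certsMount to every container in cs that lacks it and reports
// whether anything changed. It mutates cs, so skipping the call also skips the mutation.
func handleVolumeMount(cs []Container) bool {
	modified := false
	for i := range cs {
		if !slices.ContainsFunc(cs[i].VolumeMounts, func(m VolumeMount) bool { return m.Name == certsMount.Name }) {
			cs[i].VolumeMounts = append(cs[i].VolumeMounts, certsMount)
			modified = true
		}
	}
	return modified
}

// Buggy aggregation, reconstructed from the review comment: once result is true, || short-circuits and skips the remaining lists.
func addVolumeMountsShortCircuit(containers, initContainers []Container) bool {
	var result bool
	for _, cs := range [][]Container{containers, initContainers} {
		result = result || handleVolumeMount(cs)
	}
	return result
}

// Fixed aggregation, as proposed in the review: call unconditionally, then record the result.
func addVolumeMountsFixed(containers, initContainers []Container) bool {
	var result bool
	for _, cs := range [][]Container{containers, initContainers} {
		if handleVolumeMount(cs) {
			result = true
		}
	}
	return result
}

func main() {
	app, setup := []Container{{}}, []Container{{}} // one container, one init container
	addVolumeMountsShortCircuit(app, setup)
	fmt.Println(len(app[0].VolumeMounts), len(setup[0].VolumeMounts)) // 1 0: the init container was skipped
}
```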

```go
return result
}

addVolumeMount := func(modified bool, p *corev1.Pod) bool {
```

The names of the functions could be improved. I would rename addVolumeMount to handleVolumeMounts or similar. The current naming (addVolumeMount for the function and handleVolumeMount for a single volume) increases cognitive load.

```json
"replace.me": "ghcr.io",
"example.com": "ghcr.io"
},
"clusterTrustBundleMapping": {
```

I'm not fully convinced by the name of the element. Instead of using clusterTrustBundleMapping we could do something like:

```json
"clusterTrustBundle": {
  "name": "rt-bootstrapper-k3d.test:ctb:1",
  "certWritePath": "kube-apiserver-serving.pem",
  "volumeMountPath": "/etc/ssl/certs",
  "volumeName": "rt-bootstrapper-certs"
}
```

Contributor Author


Let's do this refactor in this PR just to avoid collisions.

```go
return defaultPod(addImgPullSecret, annotationsSetPullSecret)
}

func BuildDefaulterAddClusterTrustBundle(mapping k8s.ClusterTrustBundleMapping) PodDefaulter {
```

Just a general remark: the defaulters could be tested by unit tests. I don't think we must add such unit tests right now, but it would nicely fit into the entire testing idea for the webhook.

Contributor Author

Fully agree, we will add tests for all defaulters.
I was planning a small refactor after we merge everything that is under development; I would add the tests then.


@akgalwas akgalwas left a comment


We need to fix the bug in addVolumeMount

```go
return result
}

addVolumeMount := func(modified bool, p *corev1.Pod) bool {
```

The modified and result names are too generic. The first one is true if a volume was added or updated. The second is true if at least one volumeMount was added.

```go
}

if reflect.DeepEqual(p.Spec.Volumes[index], vol) {
    slog.Debug("equal volume found, nothing to do")
```

This message is not accurate. It should say that volume was already added.
