feat: allow cert-manager annotations on ingress based on environment variables #86
Conversation
|
from sig-support: @troian holding off merging this until he's confident about the code base from the changes for API refactor and 0.24 network upgrade |
|
@cloud-j-luna rebase it on to |
|
@troian rebased in to |
|
@cloud-j-luna the gpu branch will not be squashed. the check is failing as commit message needs to be formatted with conventional commits spec. |
I meant this PR to be squashed |
|
yeah, however, the commit message is taken from PR. |
cloud-j-luna
force-pushed
the
luna/tls-cert-manager
branch
from
85a1083 to
f629b8f
Compare
cloud-j-luna
force-pushed
the
luna/tls-cert-manager
branch
from
f629b8f to
69740f6
Compare
troian
changed the title
cloud-j-luna
changed the title
cluster/kube/client_ingress.go
Outdated
| @@ -66,11 +67,20 @@ func kubeNginxIngressAnnotations(directive ctypes.ConnectHostnameToDeploymentDir | |||
| } | |||
| } | |||
|
|
|||
| switch env["AKASH_PROVIDER_ISSUER_TYPE"] { | |||
| case "cluster-issuer": | |||
| result[fmt.Sprintf("%s/cluster-issuer", certManager)] = env["AKASH_PROVIDER_ISSUER_NAME"] | |||
There was a problem hiding this comment.
- it looks like we don't need both
AKASH_PROVIDER_ISSUER_TYPEandAKASH_PROVIDER_ISSUER_NAMEand call itAKASH_PROVIDER_CERT_ISSUER AKASH_PROVIDER_CERT_ISSUERshould be defined in the provider env sectionenv["AKASH_PROVIDER_ISSUER_NAME"]may return""if env is not set
There was a problem hiding this comment.
- We need both as the resulting label is different. This will also help in the future if we want to automate per-deployment/account issuers.
There was a problem hiding this comment.
what are the values of both env variables in this case?
There was a problem hiding this comment.
In this case it would be AKASH_PROVIDER_ISSUER_TYPE = "cluster-issuer", AKASH_PROVIDER_ISSUER_NAME would be whatever the provider chose as the cert-manager ClusterIssuer name on the cluster. By default the name is letsencrypt as the default issuer is Let's Encrypt.
There was a problem hiding this comment.
By having letsencrypt value, the code in the provider can deduct, that issue is cluster-issuer ?
There was a problem hiding this comment.
it can't thus the cluster-issuer in the annotation, so the provider knows that its a ClusterIssuer called letsencrypt rather than a namespace scoped issuer called letsencrypt as well
There was a problem hiding this comment.
if workload asks the provider to issue a certificate wouldn't it always be the cluster-issuer?
There was a problem hiding this comment.
Depends on the provider configuration. For now only cluster-issuer are allowed for providers, but the client_ingress.go is ready to work with namespaced issuers.
cluster/kube/client_ingress.go
Outdated
| result[fmt.Sprintf("%s/cluster-issuer", certManager)] = env["AKASH_PROVIDER_ISSUER_NAME"] | ||
| break | ||
| case "issuer": | ||
| result[fmt.Sprintf("%s/issuer", certManager)] = env["AKASH_PROVIDER_ISSUER_NAME"] |
There was a problem hiding this comment.
comment from section above applies here as well
| @@ -98,6 +100,7 @@ func NewClient(ctx context.Context, log log.Logger, ns string, configPath string | |||
| ns: ns, | |||
| log: log.With("client", "kube"), | |||
| kubeContentConfig: config, | |||
| env: util.EnvironmentVariablesToMap(), | |||
There was a problem hiding this comment.
env variables must be validated for values and then read into dedicated struct fields
There was a problem hiding this comment.
Here is a direct conversion from the environment variables to a map[string]string. I can make validations but after this call. To have more fine-grained error handling on unexpected values.
There was a problem hiding this comment.
we would rather want to see dedicated struct fields instead of env converted to map. map is useful as intermediate store in some circumstances (like converting data to json). Go is a strict type of language and we use as much of it.
client instantiation is the last step where all configuration values must be validated
I'm not sure what To have more fine-grained error handling on unexpected values. means. If there is an unexpected configuration client should exit with error.
There was a problem hiding this comment.
It means we know the context in which the usage gave an error. Having a struct makes absolute sense! I'll change the code to support such configuration rather than environment variables
There was a problem hiding this comment.
We treat an error as an error, it is really hard to chase configuration errors on the fly.
- the client must not interact with env variables, configs etc, the only way for it to receive configuration is thru a parameter to NewClient.
- Each environment variable must have a corresponding cli flag for it. That's why using env within the client breaks it.
- Using environment variables inside implementation complicates writing unit tests.
remove environment variables from the client completely and use struct fields as values during annotations init.
I'm still unsure if using two different vars is the correct way to do it. if the workload going to use ns issuer then it has nothing to do with the cluster
|
apparently gh closes PRs if base branched merged, you’ll have to reopen it. |
I have to open a new PR, to which branch do you want me to merge to? This branch is rebased on the |
|
to the |
This PR allows cert-manager annotations on ingress based on environment variables.