Use controllerruntime to discover CABundle #636
Conversation
|
✔️ Deploy Preview for karpenter-docs-prod canceled. 🔨 Explore the source changes: 85a721d 🔍 Inspect the deploy log: https://app.netlify.com/sites/karpenter-docs-prod/deploys/61303df7a6caed0007f5addf |
|
looks like the toolchain install is broken because this link does not work to download kubebuilder 2.3.1 anymore: https://go.kubebuilder.io/dl/2.3.1/linux/amd64 Not sure why that one doesn't work, but https://go.kubebuilder.io/releases/latest/linux/amd64 does work. The github assets link does work though, so maybe we just change to that (the go.kubebuilder.io/releases just redirects to github): |
JacobGabrielson
force-pushed
the
fstest
branch
from
81f6683 to
6f17e85
Compare
JacobGabrielson
changed the title
JacobGabrielson
changed the title
JacobGabrielson
force-pushed
the
fstest
branch
from
bf9e964 to
8ce467d
Compare
| errs = errs.Also(apis.ErrMissingField("name")).ViaField("cluster") | ||
| } | ||
| if ptr.StringValue(spec.Cluster.CABundle) == "" { |
There was a problem hiding this comment.
FYI: I deliberately skipped this check in my initial version of CABundle handling, to support the use-case where there is no CABundle (e.g. if the k8s API endpoint is served in plain-text without TLS). I know this might not be possible with EKS (which is always TLS), but it can still happen with non EKS clusters hosted on EC2.
Personally, I don't care to much, as I only use TLS protected k8s API endpoints and plain-text endpoints are a bad practice anyway. However, I still prefer to have secure defaults while still allowing others to opt-out (for whatever reasons they might have).
Maybe, we can make this check conditional, based on the protocol (scheme) part for the cluster endpoint.
https-> apply this checkhttp-> ignore this check
There was a problem hiding this comment.
@rustrial thanks! That makes sense to me, I'll make the change and see what everyone thinks.
There was a problem hiding this comment.
Ok, for now I've changed the code back to the way it was before - it won't complain if CABundle is missing. I'll add the http/https nuance back in in a future change.
JacobGabrielson
force-pushed
the
fstest
branch
2 times, most recently
from
ea33ba6 to
05a211e
Compare
JacobGabrielson
changed the title
JacobGabrielson
force-pushed
the
fstest
branch
from
e0abdba to
9e7ef29
Compare
JacobGabrielson
changed the title
... instead of rest.InClusterConfig() - this will work in more scenarios, such as when Karpenter is not running inside of the cluster
JacobGabrielson
changed the title
JacobGabrielson
changed the title
It started getting complicated trying to call a function from the templates, so it seemed easier overall to switch to the more clunky old school method. |
This reverts commit 7012c92.
Issue, if available:
N/A
Description of changes:
Apologies for the churn folks, after talking to @ellistarn offline, it seems like the best path forward, given some other changes coming soon, is to explicitly call GetCABundle() from the cloudprovider, rather than dynamically default it in.
Also, this change now uses
client-goto discover the CABundle contents (effectively it's still doing the same thingas before, just using their library code now).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.