From a451c7ab7d241064e7f50cace8a4d1ef9d82deb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Sun, 8 Oct 2023 13:44:19 +0800
Subject: [PATCH 1/2] webhook: use dedicated port for health probe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 张祖建
---
 Makefile | 4 ++--
 cmd/webhook/server.go | 12 ++++++++++++
 yamls/webhook.yaml | 19 +++++++++++++------
 3 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 8111e10f6ab..4291b278d93 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,7 @@ KUBEVIRT_TEST_YAML = https://kubevirt.io/labs/manifests/vm.yaml
 CILIUM_VERSION = 1.14.1
 CILIUM_IMAGE_REPO = quay.io/cilium/cilium
-CERT_MANAGER_VERSION = v1.12.3
+CERT_MANAGER_VERSION = v1.12.5
 CERT_MANAGER_CONTROLLER = quay.io/jetstack/cert-manager-controller:$(CERT_MANAGER_VERSION)
 CERT_MANAGER_CAINJECTOR = quay.io/jetstack/cert-manager-cainjector:$(CERT_MANAGER_VERSION)
 CERT_MANAGER_WEBHOOK = quay.io/jetstack/cert-manager-webhook:$(CERT_MANAGER_VERSION)
@@ -769,7 +769,7 @@ kind-install-webhook: kind-install
 kubectl rollout status deployment/cert-manager-cainjector -n cert-manager --timeout 120s
 kubectl rollout status deployment/cert-manager-webhook -n cert-manager --timeout 120s
- kubectl apply -f yamls/webhook.yaml
+ sed 's#image: .*#image: $(REGISTRY)/kube-ovn:$(VERSION)#' yamls/webhook.yaml | kubectl apply -f -
 kubectl rollout status deployment/kube-ovn-webhook -n kube-system --timeout 120s
 .PHONY: kind-install-cilium-chaining
diff --git a/cmd/webhook/server.go b/cmd/webhook/server.go
index 2d9de801a9a..f38c30d7ad6 100644
--- a/cmd/webhook/server.go
+++ b/cmd/webhook/server.go
@@ -2,6 +2,7 @@ package main
 import (
 "flag"
+ "os"
 "github.com/spf13/pflag"
 appsv1 "k8s.io/api/apps/v1"
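Review bot: In the Makefile's `kind-install-webhook` recipe (`@@ -769,7 +769,7 @@`), the `sed` pattern `image: .*` is unanchored, so it rewrites every line of `yamls/webhook.yaml` that contains `image: `, not only the webhook container's image. If the manifest later gains an init container or sidecar, that image is silently replaced as well and the test cluster runs something other than what the manifest names. Assuming the manifest's image line refers to a `kube-ovn` repository (the line is not in this diff), the match can be narrowed to it: `sed 's#image: .*/kube-ovn:.*#image: $(REGISTRY)/kube-ovn:$(VERSION)#'`. The recipe starts outside the hunk.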
@@ -10,6 +11,7 @@ import (
 "k8s.io/klog/v2"
 "k8s.io/klog/v2/klogr"
 ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/healthz"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -19,6 +21,8 @@ import (
 "github.com/kubeovn/kube-ovn/versions"
 )
+const healthProbePort = 8080
+
 const hookServerCertDir = "/tmp/k8s-webhook-server/serving-certs"
 var scheme = runtime.NewScheme()
@@ -73,6 +77,7 @@ func main() {
 Metrics: metricsserver.Options{
 BindAddress: "0",
 },
+ HealthProbeBindAddress: util.JoinHostPort(os.Getenv("POD_IP"), healthProbePort),
 })
 if err != nil {
 panic(err)
@@ -91,6 +96,13 @@ func main() {
 panic(err)
 }
+ if err = mgr.AddHealthzCheck("liveness probe", healthz.Ping); err != nil {
+ panic(err)
+ }
+ if err = mgr.AddReadyzCheck("readiness probe", healthz.Ping); err != nil {
+ panic(err)
+ }
+
 // Start the server by starting a previously-set-up manager
 if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 panic(err)
diff --git a/yamls/webhook.yaml b/yamls/webhook.yaml
index dbbd919a8a0..ca5bf74b36b 100644
--- a/yamls/webhook.yaml
+++ b/yamls/webhook.yaml
@@ -40,6 +40,12 @@ spec:
 args:
 - --port=8443
 - --v=3
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
@@ -48,12 +54,14 @@ spec:
 - containerPort: 8443
 name: https
 protocol: TCP
+ - containerPort: 8080
+ name: health-probe
+ protocol: TCP
 livenessProbe:
 failureThreshold: 3
 httpGet:
- path: /validating
- port: 8443
- scheme: HTTPS
+ path: /healthz
+ port: 8080
 initialDelaySeconds: 60
 periodSeconds: 10
 successThreshold: 1
@@ -61,9 +69,8 @@ spec:
 readinessProbe:
 failureThreshold: 3
 httpGet:
- path: /validating
- port: 8443
- scheme: HTTPS
+ path: /readyz
+ port: 8080
 initialDelaySeconds: 5
 periodSeconds: 5
 successThreshold: 1
From b41ced59a417561e896c5979e630a535eb1a818b Mon Sep 17 00:00:00 2001
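Review bot: In `cmd/webhook/server.go` (`@@ -73,6 +77,7 @@`), `os.Getenv("POD_IP")` feeds `HealthProbeBindAddress` unchecked, so a missing or empty variable goes unnoticed at start-up. If `util.JoinHostPort` behaves like `net.JoinHostPort` (its body is not in this diff), an empty host yields `:8080` and the probe listener binds every interface instead of the pod address whenever the binary runs without the manifest's `env` block. Read the value once and fail fast, e.g. `podIP := os.Getenv("POD_IP"); if podIP == "" { klog.Fatal("POD_IP must be set") }`, or add a comment stating that an empty value deliberately means all addresses. The second patch's `@@ -77,7 +76,7 @@` hunk keeps the same expression; `main` starts and ends outside this hunk.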
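Review bot: In `cmd/webhook/server.go` (`@@ -91,6 +96,13 @@`), both `AddHealthzCheck` and `AddReadyzCheck` register `healthz.Ping`, which always succeeds, so `/readyz` says nothing about whether the webhook's TLS listener is serving. The probes this patch replaces in `yamls/webhook.yaml` (`@@ -48,12 +54,14 @@`, `@@ -61,9 +69,8 @@`) requested `/validating` over HTTPS on 8443 and so did exercise that listener. A pod marked ready too early receives admission requests it cannot answer, and what the API server does with those failures depends on the webhook's `failurePolicy`, which is not visible here. For readiness, consider the webhook server's own checker, `mgr.AddReadyzCheck("webhook", mgr.GetWebhookServer().StartedChecker())`, keeping `healthz.Ping` for liveness. `main` starts and ends outside this hunk.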
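Review bot: In `yamls/webhook.yaml` (`@@ -48,12 +54,14 @@`), the liveness probe hard-codes `port: 8080` although the same hunk declares that port under the name `health-probe`; the readiness probe in `@@ -61,9 +69,8 @@` does the same. Referring to the name, `port: health-probe`, ties both probes to the declared `containerPort`, so once the port is configurable (the second patch adds `--health-probe-port=8080` to `args`) only the argument and the `containerPort` have to change together. A short comment beside the `containerPort` saying it must match `--health-probe-port` would make that coupling explicit.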
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Sun, 8 Oct 2023 15:29:26 +0800
Subject: [PATCH 2/2] pass probe port via command argument
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 张祖建
---
 cmd/webhook/server.go | 5 ++---
 yamls/webhook.yaml | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/webhook/server.go b/cmd/webhook/server.go
index f38c30d7ad6..b9f053e6082 100644
--- a/cmd/webhook/server.go
+++ b/cmd/webhook/server.go
@@ -21,8 +21,6 @@ import (
 "github.com/kubeovn/kube-ovn/versions"
 )
-const healthProbePort = 8080
-
 const hookServerCertDir = "/tmp/k8s-webhook-server/serving-certs"
 var scheme = runtime.NewScheme()
@@ -43,6 +41,7 @@ func main() {
 klog.Infof(versions.String())
 port := pflag.Int("port", 8443, "The port webhook listen on.")
+ healthProbePort := pflag.Int32("health-probe-port", 8080, "The port health probes listen on.")
 klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
 klog.InitFlags(klogFlags)
@@ -77,7 +76,7 @@ func main() {
 Metrics: metricsserver.Options{
 BindAddress: "0",
 },
- HealthProbeBindAddress: util.JoinHostPort(os.Getenv("POD_IP"), healthProbePort),
+ HealthProbeBindAddress: util.JoinHostPort(os.Getenv("POD_IP"), *healthProbePort),
 })
 if err != nil {
 panic(err)
diff --git a/yamls/webhook.yaml b/yamls/webhook.yaml
index ca5bf74b36b..fe76f86523d 100644
--- a/yamls/webhook.yaml
+++ b/yamls/webhook.yaml
@@ -39,6 +39,7 @@ spec:
 - /kube-ovn/kube-ovn-webhook
 args:
 - --port=8443
+ - --health-probe-port=8080
 - --v=3
 env:
 - name: POD_IP