-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement support for ManagedCertificate CRD #508
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
I signed it |
1 similar comment
I signed it |
/assign @bowei |
/ok-to-test |
/assign @rramkumar1 |
pkg/controller/controller_test.go
Outdated
@@ -43,6 +44,13 @@ var ( | |||
clusterUID = "aaaaa" | |||
) | |||
|
|||
type recorderProducerMock struct { | |||
} | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this mock to pkg/events.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the same file as the interface definition is fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
pkg/loadbalancers/utils.go
Outdated
separator = "," | ||
) | ||
|
||
// splitAnnotation splits annotation by separator and trims whitespace |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you put this in pkg/utils instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. I also added a unit test. There was one special case I didn't expect: if annotation was empty, splitAnnotation produced []string{""} instead of nil or []string{}, I fixed it.
can you rebase and squash the commits, then split into:
|
00571a9
to
934d510
Compare
I rebased, squashed and split the commits into vendor/+Gopkg.lock changes, implementation and unit tests. I didn't get what files changed for vendoring means. |
/cc @prameshj |
@rramkumar1: GitHub didn't allow me to request PR reviews from the following users: prameshj. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pkg/loadbalancers/certificates.go
Outdated
func (l *L7) checkSSLCert() error { | ||
// Handle Pre-Shared cert and early return if used | ||
if used, err := l.usePreSharedCert(); used { | ||
// Handle annotation managed-certificates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the previous behavior was that if the user specified both pre-shared certs and secrets, we would only take the pre-shared certs and ignore the secrets. Correct me if I am wrong, but here it seems like you accept all three (managed, pre-shared and secret).
I would prefer to stick with the existing semantics. Specifically, Managed certs should take precedence over everything else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that the current code either uses managed certificates and pre-shared-cert or managed certificates and k8s secrets. I think it does not support all 3 types at once. This is because of return at line 51.:
if used {
l.sslCerts = append(managedSslCerts, preSharedSslCerts...)
return err
}
Also I added a test case for that to loadbalancer_test.go (one of last two test cases).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason we want to mix the modes? If we support both managed certs and preshared together, user might be confused why preshared and secrets don't work together or why all 3 are not picked up. Supporting just one mode with a priority in case more than one is specified might be clearer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess one reason to combine preshared and managed certs is because neither of them is ingress created and hence do not need to be garbage-collected. I am curious to see if you had any other reasons, and also motivation for supporting managed certs and secrets .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only with modes combined it is possible to support no-downtime migration scenarios. GCLB has its own logic for selecting a certificate and Ingress really should just pass all the certificates down to GCLB. But pre-shared-cert and secrets are already implemented differently and I just wanted to keep this behavior unchanged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed offline, I think it would make sense to keep consistency with the existing behavior. Namely, only take one form of cert. In this case, the precedence would be managed cert > pre-shared > secret.
pkg/events/events.go
Outdated
@@ -0,0 +1,32 @@ | |||
/* | |||
Copyright 2015 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit : Change to 2018?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK - please leave it unresolved and once we agree what changes are necessary I'll take a look to fix it.
pkg/loadbalancers/certificates.go
Outdated
func (l *L7) checkSSLCert() error { | ||
// Handle Pre-Shared cert and early return if used | ||
if used, err := l.usePreSharedCert(); used { | ||
// Handle annotation managed-certificates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason we want to mix the modes? If we support both managed certs and preshared together, user might be confused why preshared and secrets don't work together or why all 3 are not picked up. Supporting just one mode with a priority in case more than one is specified might be clearer?
pkg/loadbalancers/certificates.go
Outdated
func (l *L7) checkSSLCert() error { | ||
// Handle Pre-Shared cert and early return if used | ||
if used, err := l.usePreSharedCert(); used { | ||
// Handle annotation managed-certificates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess one reason to combine preshared and managed certs is because neither of them is ingress created and hence do not need to be garbage-collected. I am curious to see if you had any other reasons, and also motivation for supporting managed certs and secrets .
pkg/loadbalancers/certificates.go
Outdated
// getExistingSecretsSslCerts fetches SslCertificate resources created and managed by this load balancer | ||
// instance. These SslCertificate resources were created based on kubernetes secrets in Ingress | ||
// configuration. | ||
func (l *L7) getExistingSecretsSslCerts() ([]*compute.SslCertificate, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe call this "getIngressManagedSslCerts()" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, I can rename later when introducing all required changes.
pkg/utils/annotation.go
Outdated
var result []string | ||
for _, token := range strings.Split(annotation, separator) { | ||
if token != "" { | ||
result = append(result, strings.TrimSpace(token)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible for token to be " ", in which case we will still append an empty string to result since trimspace will make it "" ?
Maybe just check the result of TrimSpace for empty string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, thanks. I'll also fix it once we agree what changes are necessary.
/lgtm @prameshj if this looks good to you, we can merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some small nits, looks good to me otherwise.
Thanks for making the changes.
} | ||
|
||
sel := labels.NewSelector() | ||
sel.Add(*req) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can req be nil if there were no errors in line 156?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it can't based on the implementation of apimachinery labels, and also based on the Go convention for constructors I observed: err != nil or err == nil and an object is instantiated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thanks for verifying.
for _, mcrt := range mcrts { | ||
if mcrt.Status.CertificateName != "" { | ||
names = append(names, mcrt.Status.CertificateName) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it valid to have managed cert status with empty Certificate name? Should we log an error in this case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When a user creates a ManagedCertificate, he wouldn't usually fill in the status field, so the CertificateName field can be empty and it is not an error.
…SslCertificate resources
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: krzykwas, rramkumar1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@krzykwas when can we expect this to be available in prod ? |
This change adds to Ingress support for ManagedCertificate CRD to integrate with https://github.com/GoogleCloudPlatform/gke-managed-certs