
Move cert-manager execution to a new pod #716

Merged: 1 commit merged into nmstate:master from the cert-manager-pod branch on Mar 25, 2021

Conversation

qinqon (Member) commented Mar 17, 2021

Is this a BUG FIX or a FEATURE ?:

Uncomment only one, leave it on its own line:

/kind bug
/kind enhancement

What this PR does / why we need it:
Currently the cert-manager from kube-admission-webhook is running
within the webhook server itself; this means that we need to create a
placeholder secret and also a very specific readiness probe has to be
used to ensure that secret is properly rotated at start up. This change
introduces a new pod running the cert-manager code so we don't need to
create the placeholder secret (the webhook pod will not start until the
secret is created) and we don't need a readiness probe since the
secret will be correct from the beginning.

Also start up is faster since webhook pods start at the very moment the
secret is created by the cert-manager pod.

Special notes for your reviewer:

Release note:

Move cert-manager code to a cert-manager pod 
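The layout the description above relies on, written out as an added example (not the PR's own manifests): one cert-manager Deployment that owns the tls-key-pair Secret, and a webhook Deployment that only mounts it. The labels app: kubernetes-nmstate and component: kubernetes-nmstate-cert-manager, the Secret name tls-key-pair, port 9443 and the mount path /tmp/k8s-webhook-server/serving-certs/ are taken from the PR; the namespace, ServiceAccount, Deployment and image names, the webhook component label, and the exact RBAC verbs the cert-manager binary needs are assumptions. It goes a step beyond the description by showing the privilege split the move makes possible: only the cert-manager ServiceAccount may write Secrets, and that grant is narrowed to the one Secret by name, while the webhook pod receives the certificate through a read-only volume and needs no Secrets API access at all.

```yaml
# Added example, not from the nmstate PR. Placeholders: namespace, account,
# Deployment and image names; the RBAC verbs are an assumption to adjust.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nmstate-cert-manager        # placeholder
  namespace: nmstate                # placeholder
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nmstate-cert-manager
  namespace: nmstate
rules:
  # Write access limited to the one Secret this pod manages.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tls-key-pair"]
    verbs: ["get", "update", "patch"]
  # "create" cannot be narrowed by resourceNames (the object name is not
  # known at authorization time), so it is granted on its own.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nmstate-cert-manager
  namespace: nmstate
subjects:
  - kind: ServiceAccount
    name: nmstate-cert-manager
    namespace: nmstate
roleRef:
  kind: Role
  name: nmstate-cert-manager
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nmstate-cert-manager        # placeholder
  namespace: nmstate
  labels:
    app: kubernetes-nmstate
    component: kubernetes-nmstate-cert-manager
spec:
  replicas: 1   # one writer per Secret: no second instance to race with on rotation
  selector:
    matchLabels:
      component: kubernetes-nmstate-cert-manager
  template:
    metadata:
      labels:
        app: kubernetes-nmstate
        component: kubernetes-nmstate-cert-manager
    spec:
      serviceAccountName: nmstate-cert-manager
      containers:
        - name: cert-manager
          image: registry.example/nmstate-cert-manager:placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nmstate-webhook             # placeholder
  namespace: nmstate
spec:
  replicas: 1
  selector:
    matchLabels:
      component: kubernetes-nmstate-webhook   # placeholder label value
  template:
    metadata:
      labels:
        app: kubernetes-nmstate
        component: kubernetes-nmstate-webhook
    spec:
      serviceAccountName: nmstate-webhook   # placeholder; holds no RBAC on Secrets
      containers:
        - name: webhook
          image: registry.example/nmstate-webhook:placeholder
          ports:
            - containerPort: 9443   # controller-runtime webhook server default
          volumeMounts:
            - name: tls-key-pair
              readOnly: true
              mountPath: /tmp/k8s-webhook-server/serving-certs/   # controller-runtime default CertDir
      volumes:
        - name: tls-key-pair
          secret:
            secretName: tls-key-pair
            # Required volume (the default, stated explicitly). Until cert-manager
            # has created the Secret, kubelet keeps this pod in ContainerCreating
            # and retries the mount, so no placeholder Secret and no
            # rotation-aware readiness probe are needed.
            optional: false
```

Apply it with kubectl apply -f and watch the webhook pod: it stays in ContainerCreating with a mount error event until the cert-manager pod has written tls-key-pair, then starts with the real serving pair already in place. The single cert-manager replica is deliberate: a second instance without coordination would be a second writer to the same Secret.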

@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/L labels Mar 17, 2021
@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Mar 17, 2021
@qinqon qinqon requested review from rhrazdil and RamLavi and removed request for yboaron March 17, 2021 11:06
@qinqon qinqon mentioned this pull request Mar 17, 2021
ports:
-  - containerPort: 8443
+  - containerPort: 9443
Collaborator

Why are we changing this?

Member Author

We are going to use the webhook server from controller-runtime directly, so we just use the defaults there, since they are good enough for us and we don't have to add more code to change it to 8443; the same happens with the TLS cert directory.

Collaborator

Ack, Thanks

@qinqon qinqon requested a review from rhrazdil March 17, 2021 13:54
@rhrazdil (Collaborator)

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021
qinqon (Member Author) commented Mar 18, 2021

/hold

Let's do a test PR at CNAO to verify that it's happy about this.

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 18, 2021
@RamLavi (Collaborator) left a comment

First brush: generally speaking, don't we want to move it to a pod from kaw itself?

ports:
-  - containerPort: 8443
+  - containerPort: 9443
Collaborator

Will it have future value to put this in an env var (to prevent future collisions)?

Member Author

We don't run it with network=host, so it is not going to collide; I doubt we are going to have multiple containers in the same pod with the same port.

volumeMounts:
  - name: tls-key-pair
    readOnly: true
-   mountPath: /etc/webhook/certs
+   mountPath: /tmp/k8s-webhook-server/serving-certs/
Collaborator

Generally speaking, why in /tmp/...?

qinqon (Member Author) Mar 22, 2021

It is the default value from the controller-runtime webhook server; even without /tmp/, if the pod is restarted the certs will be mounted too.

@phoracek (Member)

/retest

qinqon (Member Author) commented Mar 22, 2021

> First brush: generally speaking, don't we want to move it to a pod from kaw itself?

kaw is just a little cert-manager specialized on webhooks; where or how you deploy it is the user's responsibility.

@qinqon qinqon requested a review from RamLavi March 22, 2021 10:12
@qinqon qinqon force-pushed the cert-manager-pod branch from 4ff33d9 to ada5f0e Compare March 22, 2021 14:28
@kubevirt-bot kubevirt-bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 22, 2021
qinqon (Member Author) commented Mar 22, 2021

Testing it at CNAO here: kubevirt/cluster-network-addons-operator#806

qinqon (Member Author) commented Mar 23, 2021

/hold cancel

The test PR at CNAO is working fine: kubevirt/cluster-network-addons-operator#806

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 23, 2021
    app: kubernetes-nmstate
    component: kubernetes-nmstate-cert-manager
spec:
  replicas: 2
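Review bot: with replicas: 2, two instances of the cert-manager component would manage the same tls-key-pair Secret at once; unless the kube-admission-webhook cert-manager serializes them (for example through leader election), both can rotate concurrently and each may overwrite the pair the other just issued, leaving the webhook pods with a certificate that no longer matches the published CA. A single replica, as the reviewer below asks for on resource grounds, also removes that race; if two are kept, document how the instances coordinate.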
Member

nmstate already has quite a lot of moving parts. We don't mind downtime of a couple of minutes in case one of the nodes running this goes down, do we? If not, could we keep it on a single replica, to save memory and CPU?

Signed-off-by: Quique Llorente <[email protected]>
@qinqon qinqon force-pushed the cert-manager-pod branch from ada5f0e to 7405cd2 Compare March 25, 2021 12:36
@qinqon qinqon requested a review from phoracek March 25, 2021 12:36
@phoracek (Member) left a comment

/lgtm
/approve

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 25, 2021
@kubevirt-bot (Collaborator)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: phoracek


@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 25, 2021
@kubevirt-bot (Collaborator)

@qinqon: The following test failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
|---|---|---|---|
| pull-kubernetes-nmstate-e2e-handler-k8s-future | 7405cd2 | link | /test pull-kubernetes-nmstate-e2e-handler-k8s-future |


@kubevirt-bot kubevirt-bot merged commit 2ecbe04 into nmstate:master Mar 25, 2021
Labels: approved, dco-signoff: yes, lgtm, release-note, size/L

5 participants