Move cert-manager execution to a new pod #716
@@ -56,38 +56,85 @@ spec: | |
value: "False" | ||
- name: PROFILER_PORT | ||
value: "6060" | ||
- name: CA_ROTATE_INTERVAL | ||
value: {{ .CARotateInterval | default "8760h0m0s" }} | ||
- name: CA_OVERLAP_INTERVAL | ||
value: {{ .CAOverlapInterval | default "24h0m0s" }} | ||
- name: CERT_ROTATE_INTERVAL | ||
value: {{ .CertRotateInterval | default "4380h0m0s" }} | ||
- name: CERT_OVERLAP_INTERVAL | ||
value: {{ .CertOverlapInterval | default "24h0m0s" }} | ||
ports: | ||
- containerPort: 8443 | ||
- containerPort: 9443 | ||
will it have future value to put this in an env var (prevent future collisions)?

we don't run it with network=host so it is not going to collide; I doubt we are going to have multiple containers in the same pod with the same port.
name: webhook-server | ||
protocol: TCP | ||
readinessProbe: | ||
httpGet: | ||
path: /readyz | ||
port: webhook-server | ||
scheme: HTTPS | ||
httpHeaders: | ||
- name: Content-Type | ||
value: application/json | ||
initialDelaySeconds: 10 | ||
periodSeconds: 10 | ||
volumeMounts: | ||
- name: tls-key-pair | ||
readOnly: true | ||
mountPath: /etc/webhook/certs | ||
mountPath: /tmp/k8s-webhook-server/serving-certs/ | ||
generally speaking, why in

It is the default value from the controller-runtime webhook server; even without /tmp/, if the pod is restarted the certs will be mounted too.
volumes: | ||
- name: tls-key-pair | ||
secret: | ||
secretName: {{template "handlerPrefix" .}}nmstate-webhook | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{template "handlerPrefix" .}}nmstate-cert-manager | ||
namespace: {{ .HandlerNamespace }} | ||
labels: | ||
app: kubernetes-nmstate | ||
component: kubernetes-nmstate-cert-manager | ||
spec: | ||
replicas: 1 | ||
strategy: | ||
type: Recreate | ||
selector: | ||
matchLabels: | ||
name: {{template "handlerPrefix" .}}nmstate-cert-manager | ||
template: | ||
metadata: | ||
labels: | ||
app: kubernetes-nmstate | ||
component: kubernetes-nmstate-cert-manager | ||
name: {{template "handlerPrefix" .}}nmstate-cert-manager | ||
annotations: | ||
description: kubernetes-nmstate-webhook rotate webhook certs | ||
spec: | ||
serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler | ||
nodeSelector: {{ toYaml .WebhookNodeSelector | nindent 8 }} | ||
tolerations: {{ toYaml .WebhookTolerations | nindent 8 }} | ||
affinity: {{ toYaml .WebhookAffinity | nindent 8 }} | ||
containers: | ||
- name: nmstate-cert-manager | ||
args: | ||
- --v=production | ||
# Replace this with the built image name | ||
image: {{ .HandlerImage }} | ||
imagePullPolicy: {{ .HandlerPullPolicy }} | ||
command: | ||
- manager | ||
env: | ||
- name: WATCH_NAMESPACE | ||
value: "" | ||
- name: POD_NAME | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.name | ||
- name: POD_NAMESPACE | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
- name: RUN_CERT_MANAGER | ||
value: "" | ||
- name: OPERATOR_NAME | ||
value: "{{template "handlerPrefix" .}}nmstate" | ||
- name: ENABLE_PROFILER | ||
value: "False" | ||
- name: PROFILER_PORT | ||
value: "6060" | ||
- name: CA_ROTATE_INTERVAL | ||
value: {{ .CARotateInterval | default "8760h0m0s" }} | ||
- name: CA_OVERLAP_INTERVAL | ||
value: {{ .CAOverlapInterval | default "24h0m0s" }} | ||
- name: CERT_ROTATE_INTERVAL | ||
value: {{ .CertRotateInterval | default "4380h0m0s" }} | ||
- name: CERT_OVERLAP_INTERVAL | ||
value: {{ .CertOverlapInterval | default "24h0m0s" }} | ||
--- | ||
apiVersion: apps/v1 | ||
kind: DaemonSet | ||
metadata: | ||
name: {{template "handlerPrefix" .}}nmstate-handler | ||
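Review bot: the new nmstate-cert-manager Deployment runs under `serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler`, the same service account as the handler, so the certificate rotation pod inherits every permission the handler holds instead of only what it needs (read and write on the webhook TLS Secret); a dedicated service account and Role for it would keep the blast radius of that pod small. Two smaller points in the same Deployment: `RUN_CERT_MANAGER` is set to `""`, which makes the switch depend on the variable being present rather than on its value and is easy to misread next to `WATCH_NAMESPACE: ""`, so an explicit `"true"` or a comment would make the intent clear; and the `# Replace this with the built image name` comment copied from the webhook container looks stale here, since the image is already templated from `.HandlerImage`.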
@@ -187,7 +234,7 @@ spec: | |
publishNotReadyAddresses: true | ||
ports: | ||
- port: 443 | ||
targetPort: 8443 | ||
targetPort: 9443 | ||
selector: | ||
name: {{template "handlerPrefix" .}}nmstate-webhook | ||
--- | ||
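Review bot: `targetPort: 9443` in the Service now has to be kept in step by hand with `containerPort: 9443` on the webhook Deployment. Since that container port is already named `webhook-server`, pointing the Service at the name (`targetPort: webhook-server`) would let the port be changed in one place without silently breaking the webhook endpoint if the two ever drift apart again.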
@@ -261,13 +308,3 @@ spec: | |
selector: | ||
matchLabels: | ||
name: {{template "handlerPrefix" .}}nmstate-webhook | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{template "handlerPrefix" .}}nmstate-webhook | ||
namespace: {{ .HandlerNamespace }} | ||
type: kubernetes.io/tls | ||
data: | ||
tls.crt: YmFkIGNlcnRpZmljYXRlCg== | ||
tls.key: YmFkIGtleQo= |
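Review bot: dropping the placeholder Secret means nothing in the manifest creates `{{template "handlerPrefix" .}}nmstate-webhook` any more, yet the webhook Deployment still mounts it through the `tls-key-pair` volume, so the webhook pod cannot start until the new cert-manager pod has created that Secret (a missing Secret blocks volume setup rather than producing an empty mount). Please confirm that the cert-manager code creates the Secret when it is absent instead of only updating an existing one, that the service account it runs under is allowed to create Secrets in `{{ .HandlerNamespace }}`, and that the resulting rollout ordering (cert-manager first, then webhook) is acceptable. Removing the hard-coded `bad certificate` / `bad key` placeholder bytes is a good change on its own, since the webhook can no longer come up serving a known-invalid key pair.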
Why are we changing this?

We are going to use the webhook server from controller-runtime directly, so we just use the defaults there, since they are good enough for us and we don't have to add more code to change it to 8443; the same happens with the TLS cert directory.

Ack, Thanks