Enable the Ceph admission controller by default

[travisn]

Is this a bug report or feature request?

• Feature Request

What should the feature do:
The admission controller currently requires extra steps to start, thus it is not enabled by default. We need the admission controller to start by default to get the extra level of checking in all clusters instead of just the few clusters that have enabled this feature.

See the Admission Controller topic for current requirements to start it.

What is use case behind this feature:
Improve error checking for all clusters.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

[leseb]

How far are we from doing this? @subhamkrai @travisn?

[subhamkrai]

@leseb We are waiting to see how the OCS operator does this. Currently, if we want we can add an extra step to have cert-manager installed(I'll have to look again on this).

[travisn]

To enable the admission controller by default it seems we need to require that the cert-manager exists. Perhaps we could require this by default, but allow an option to disable it.

IMO the alternative of using a self-signed cert and running a script isn't an option for enabling by default.

[leseb]

To enable the admission controller by default it seems we need to require that the cert-manager exists. Perhaps we could require this by default, but allow an option to disable it.

IMO the alternative of using a self-signed cert and running a script isn't an option for enabling by default.

Why not? I remember we explored a lot of different options for this. Running a script or an operator as a dependency, isn't that the same thing? Also, cert-manager can also use self-signed certificates.

[travisn]

We currently have two methods for install:

1. Helm chart + create yamls
2. Create yamls

If we require something more than this, we need a really good reason. As much as I want to see the admission controller enabled by default, it doesn't seem like a critical requirement to justify adding a new dependency unless most clusters would already have that dependency enabled. For example, if the cert manager is already being used by majority of clusters, it seems acceptable to require it. But if not many clusters have it already, it will be a point of friction and cause fewer people to even try Rook.

[subhamkrai]

unassigned myself, in case someone else wants to try.

[travisn]

Closing for now, may come back to it another time...