Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix RBAC for openshift and add openshift compatibility #1395

Merged
merged 5 commits into from
May 2, 2019
Merged

Fix RBAC for openshift and add openshift compatibility #1395

merged 5 commits into from
May 2, 2019

Conversation

JGodin-C2C
Copy link
Contributor

@JGodin-C2C JGodin-C2C commented Feb 21, 2019
edited

What this PR does / why we need it:
This PR relaxes some right in order to enable this Chart to be deployed flawlessly on Openshift.

Special notes for your reviewer:
This helm chart have some trouble launching the webhook, after investigation, it sounded like it had some trouble creating or editing some of the needed secrets.
Also, cert-manager needs to edit ingress. This cannot be done with the actual rights of this chart.

Allow Openshift to install cert-manager chart

@jetstack-bot jetstack-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Feb 21, 2019
@jetstack-bot jetstack-bot added area/deploy Indicates a PR modifies deployment configuration size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 21, 2019
@jetstack-bot
Copy link
Contributor

Hi @JGodin-C2C. Thanks for your PR.

I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 21, 2019
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Feb 21, 2019
@JGodin-C2C
Copy link
Contributor Author

/assign @munnerz

munnerz
munnerz reviewed Feb 22, 2019
View reviewed changes
Copy link
Member

@munnerz munnerz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for investigating and testing here 😄 I've added some comments, if you could try it again without those permissions that'd be great 🙏

deploy/charts/cert-manager/templates/rbac.yaml Outdated
@@ -10,14 +10,19 @@ metadata:
heritage: {{ .Release.Service }}
rules:
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
resources: ["certificates", "certificates/finalizers", "issuers", "issuers/finalizers","clusterissuers", "orders", "orders/finalizers", "challenges", "challenges/finalizers"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't use finalizers on Issuer resources - are you sure this permission is required?

deploy/charts/cert-manager/templates/rbac.yaml Outdated
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps", "secrets", "events", "services", "pods"]
resources: ["configmaps", "secrets", "secrets/finalizers","events", "services", "services/finalizers","pods", "pods/finalizers"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't use finalizers on secrets, services or pods 😄

deploy/charts/cert-manager/templates/rbac.yaml Outdated
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
resources: ["ingresses", "ingresses/finalizers", "ingresses/status"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised we need any of these as we don't use finalizers or the status subresource on ingresses 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need the finalzer for this as it fire this error
ingress-shim controller: Re-queuing item "hello-world-ssl/prod-ingress" due to error processing: certificates.certmanager.k8s.io "prod-ingress-ssl" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>

The status, however, does not seems to be needed
That however , may be an openshift centric problem

deploy/charts/cert-manager/templates/rbac.yaml
verbs: ["*"]
{{- if .Values.global.isOpenshift }}
- apiGroups: ["route.openshift.io"]
resources: ["routes", "routes/custom-host", "routes/finalizers"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this required? We don't modify 'route' resources ever, so I'm surprised this is needed 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, i will first answer this , as this was the most difficult one to find.
i have no idea why , but it looks like openshift NEEDS these rules to modify the ingress.

@JGodin-C2C
Copy link
Contributor Author

Thanks for the feedback , i will checkity check all this . thanks ! 💪

@JGodin-C2C
Copy link
Contributor Author

ok, so , here is the refined list of rights
Most of the finalizers are here for because it looks like openshift is enforcing the policies.

@munnerz
Copy link
Member

munnerz commented Feb 22, 2019

/ok-to-test

@jetstack-bot jetstack-bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 22, 2019
@JGodin-C2C
Copy link
Contributor Author

I guess all these are errors on the test suite as i dont see any of my part ?

@munnerz
Copy link
Member

munnerz commented Mar 1, 2019

It looks like some of the test failures are genuine failures caused by this PR (notably, the -bazel job)

/retest

@JGodin-C2C
Copy link
Contributor Author

JGodin-C2C commented Mar 5, 2019
edited

How can i launch the test suite on my machine ? any documentation about all this ?
I found the cert-manager/test/chart directory, but no documentation .

J\x00

@munnerz munnerz added this to the v0.8 milestone Mar 7, 2019
@munnerz munnerz added this to In progress in v0.8 Mar 7, 2019
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 7, 2019
@munnerz
Copy link
Member

munnerz commented Mar 8, 2019

👋 you need to bump the chart version as part of this PR as well, as you're modifying the Helm chart.

If you look in deploy/charts/cert-manager/Chart.yaml and change the version: field (increment the patch version by 1).

After you've done this, you'll need to run bazel run //hack:update-deploy-gen to regenerate the 'static' deployment manifests, and then commit the resulting changes 😄

@jetstack-bot jetstack-bot added the area/acme Indicates a PR directly modifies the ACME Issuer code label Apr 1, 2019
@jetstack-bot jetstack-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 29, 2019
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Apr 29, 2019
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 30, 2019
@munnerz
Copy link
Member

munnerz commented May 1, 2019

Thanks for your persistence here 😄

/lgtm
/approve

@jetstack-bot jetstack-bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 1, 2019
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label May 1, 2019
@JGodin-C2C
Copy link
Contributor Author

Well , looks like i was too late.
I bumped the version.
Should be okay now i guess.

@munnerz
Copy link
Member

munnerz commented May 1, 2019

🙈 I'm really sorry, there's just been a new change to these files which has once again caused your branch to go out of date. One day soon we'll remove the requirement to bump the chart version in the repo altogether, as it's just really annoying and doesn't help anyone.

Would you mind doing it one more time, and then I'll lgtm & approve this PR before others?

JGodin-C2C and others added 5 commits May 2, 2019 07:56
@JGodin-C2C
Fix RBAC for openshift and add openshift compatibility
4871ac3 
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@JGodin-C2C
Update documentation for openshift
e11456b 
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@JGodin-C2C
Regenerate static files
71fdf30 
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@munnerz @JGodin-C2C
Update the crds script link
7724c46 
Co-Authored-By: JGodin-C2C <40758407+JGodin-C2C@users.noreply.github.com>
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@JGodin-C2C
Regenerate static file and bump version
240f3fc 
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@JGodin-C2C
Copy link
Contributor Author

Are we there yet ? 😄

@munnerz
Copy link
Member

munnerz commented May 2, 2019

/retest
/lgtm
/approve

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label May 2, 2019
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JGodin-C2C, munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot merged commit 459bb84 into cert-manager:master May 2, 2019
v0.8 automation moved this from In progress to Done May 2, 2019
@JGodin-C2C
Copy link
Contributor Author

🎉

@munnerz
Copy link
Member

munnerz commented May 2, 2019

Thanks for the hard work on this, and sorry it's taken so long!

@gparvin gparvin mentioned this pull request May 17, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

Assignees

@munnerz munnerz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code area/acme/http01 Indicates a PR modifies ACME HTTP01 provider code area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/ca Indicates a PR directly modifies the CA Issuer code area/deploy Indicates a PR modifies deployment configuration area/monitoring Indicates a PR or issue relates to monitoring area/testing Issues relating to testing area/vault Indicates a PR directly modifies the Vault Issuer code dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/documentation Categorizes issue or PR as related to documentation. lgtm Indicates that a PR is ready to be merged. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
No open projects
v0.8
  
Done
Milestone
v0.8
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JGodin-C2C @jetstack-bot @munnerz