Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow config of http01 solver pod security context #5373

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Allow config of http01 solver pod security context #5373

wants to merge 8 commits into from

Conversation

aidy
Copy link

@aidy aidy commented Aug 7, 2022
edited

This allows configuration of the http01 solver PodSecurityContext as
part of the Issuer specification.

Pull Request Motivation

#5295

Kind

/kind feature

Release Note

Adds ability for users to configure the pod security context of HTTP-01 solver pods

@jetstack-bot jetstack-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 7, 2022
@jetstack-bot
Copy link
Collaborator

Hi @aidy. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/acme Indicates a PR directly modifies the ACME Issuer code area/acme/http01 Indicates a PR modifies ACME HTTP01 provider code labels Aug 7, 2022
@aidy
Copy link
Author

aidy commented Aug 7, 2022
edited

This is feels like a slightly clumsy way to allow this configuration, but I think it's the cleanest approach.

Other approaches involve radically altering the way in which the cm controller takes configuration, or providing configuration flags for all the possible PodSecurityContext options. I suspect that the default is fine for nearly all use-cases, and for the few cases where overriding the default is necessary, doing so as a native k8s construct is likely to be preferable.

If necessary, helm templates could be modified to enable more intuitive usage.

I couldn't spot any prior art in the e2e tests for http01 solvers, and it was a little beyond my available time to implement - but if I've just missed it, please do point me in the right direction.

@SgtCoDFish
Copy link
Member

/ok-to-test

Thanks for raising this! I probably won't be able to review but hopefully someone will!

@jetstack-bot jetstack-bot added ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note-none Denotes a PR that doesn't merit a release note. labels Aug 9, 2022
@SgtCoDFish SgtCoDFish added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Aug 9, 2022
@SgtCoDFish SgtCoDFish added this to the v1.10 milestone Aug 9, 2022
@irbekrm
Copy link
Collaborator

irbekrm commented Aug 9, 2022
edited

We do already have one mechanism how to configure some pod spec values (for Ingress solvers only at the moment) via issuer.spec.acme.solvers.http01.ingress.podTemplate.spec.
Do we specifically want to make this a flag as opposed to adding another config field to the issuer pod template to make this a global config option?
I'm a little concerned that it could be confusing for users that there would be config options for pod spec in two different places.

@aidy
Copy link
Author

aidy commented Aug 9, 2022

I'm a little concerned that it could be confusing for users that there would be config options for pod spec in two different places.

Maybe this isn't the right approach, but - Isn't that already the case? The options from buildDefaultPod all come from extraArgs, I think.

@irbekrm
Copy link
Collaborator

irbekrm commented Aug 9, 2022
edited

Maybe this isn't the right approach, but - Isn't that already the case? The options from buildDefaultPod all come from extraArgs, I think.

I think that the existing flags are an older approach of configuring the solver pod and the pod template was added later to avoid having to add more and more flags to configure various options, see #1097 but I will verify this, if that's the case, we probably want to document it somewhere

x-post https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1660041935692369

@aidy
Copy link
Author

aidy commented Aug 9, 2022

I've looked a bit harder, and I think I agree - setting via the issuer spec is a cleaner and more intuitive approach. I'll have a look at reworking this.

@irbekrm
Copy link
Collaborator

irbekrm commented Aug 9, 2022

I've looked a bit harder, and I think I agree - setting via the issuer spec is a cleaner and more intuitive approach. I'll have a look at reworking this.

Thanks @aidy and thanks for the work you've done already!

@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Aug 9, 2022
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Aug 9, 2022
@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 29, 2024
@phandox
Copy link

phandox commented Jan 30, 2024

Thanks!

/lgtm

Hi @maelvls sorry for bothering, but can you also lift the do-not-merge/hold label so this can get released, if all looks good?

Thank you!

@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 12, 2024
aidy and others added 8 commits February 15, 2024 16:07
@aidy
Allow config of http01 solver pod security context
d607f7c 
This allows configuration of the http01 solver PodSecurityContext as
part of the Issuer specification.

Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
@aidy
Generate CRDs / conversion functions
b5c6797 
Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
@aidy
Add test for http01 PodSecurityContext config
d86391e 
Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
@aidy
Fix test
a9eb6fd 
Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
@aidy
Update/Fix tests for new test structure
d63d14b 
Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
@aidy
Copy PodSecurityContext over, dropping windowsOptions
0e19d34 
Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
@aidy
Remove protobuf annotations
9f7edc4 
These were copy-pasted in from the parent definitions. We don't marshal
to protobuf (none of the other structs have equivalent annotations), so
remove them as they are unnecessary.

Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
@aidy
Update generated code
91bf83a 
Looks like the import changed

Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 15, 2024
@jetstack-bot
Copy link
Collaborator

New changes are detected. LGTM label has been removed.

@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 15, 2024
@aidy
Copy link
Author

aidy commented Feb 15, 2024

Rebased on master, no new changes

@phandox
Copy link

phandox commented Feb 29, 2024

Hi @maelvls everything seems to be solved. Would it be possible to add lgtm label, removing do-not-merge/hold label and get this to main branch?

Thanks!

@jetstack-bot
Copy link
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

@jetstack-bot
Copy link
Collaborator

@jetstack-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@phandox
Copy link

phandox commented Apr 3, 2024

/reopen

@jetstack-bot
Copy link
Collaborator

@phandox: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@aidy
Copy link
Author

aidy commented Apr 3, 2024

/reopen

@jetstack-bot jetstack-bot reopened this Apr 3, 2024
@jetstack-bot
Copy link
Collaborator

@aidy: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot
Copy link
Collaborator

@aidy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-e2e-v1-27-upgrade b52c5e9 link true /test pull-cert-manager-master-e2e-v1-27-upgrade
pull-cert-manager-master-e2e-v1-27 b52c5e9 link true /test pull-cert-manager-master-e2e-v1-27
pull-cert-manager-master-make-test 91bf83a link true /test pull-cert-manager-master-make-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@gnd
Copy link

gnd commented Apr 4, 2024

hello, any progress on this ?

@cert-manager-prow
Copy link
Contributor

@aidy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-make-verify 91bf83a link true /test pull-cert-manager-master-make-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@cert-manager-prow
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maelvls maelvls maelvls left review comments

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/http01 Indicates a PR modifies ACME HTTP01 provider code area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet