-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump dependencies. Changes to get latest c/r library working. #138
Conversation
Signed-off-by: irbekrm <irbekrm@gmail.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
This should be a test rather than something that's in users request path Signed-off-by: irbekrm <irbekrm@gmail.com>
This commit does not actually change any of the logic. All the changes are in response to c/r v0.15 changes for Watch setup. See c/r release notes https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0 Signed-off-by: irbekrm <irbekrm@gmail.com>
…parately See kubernetes-sigs/controller-runtime#2259 Signed-off-by: irbekrm <irbekrm@gmail.com>
As the mechanism that we have been using so far that depends on injector decoder injection has been removed Signed-off-by: irbekrm <irbekrm@gmail.com>
The path is hardcoded in c/r, so we can't keep the old path Signed-off-by: irbekrm <irbekrm@gmail.com>
// These transforms are used as a safety check to ensure that only | ||
// resources of the expected types are cached. | ||
TransformByObject: map[client.Object]toolscache.TransformFunc{ | ||
new(corev1.Namespace): func(obj any) (any, error) { | ||
return obj, nil | ||
}, | ||
new(trustapi.Bundle): func(obj any) (any, error) { | ||
return obj, nil | ||
}, | ||
new(corev1.Secret): func(obj any) (any, error) { | ||
return obj, nil | ||
}, | ||
new(corev1.ConfigMap): func(obj any) (any, error) { | ||
return obj, nil | ||
}, | ||
}, | ||
DefaultTransform: func(obj any) (any, error) { | ||
return nil, fmt.Errorf("object %T not supported by target cache", obj) | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand that it's hard or potentially not possible to devise a test that could test that the cache only has watches for these object types. But I don't think that we should put a check like this that should run as a test in every user request's path. Ultimately, if this would actually catch anything, it would most likely be first noticed by a user when it started spamming their logs.
|
||
// Reconcile trust.cert-manager.io Bundles | ||
Watches(source.NewKindWithCache(new(trustapi.Bundle), sourceCache), &handler.EnqueueRequestForObject{}). | ||
WatchesRawSource(&source.Informer{Informer: bundleInformer}, &handler.EnqueueRequestForObject{}). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the new set up of how to use external cache
validator := &validator{log: opts.Log.WithName("validation")} | ||
mgr.GetWebhookServer().Register("/validate", &webhook.Admission{Handler: validator}) | ||
mgr.AddReadyzCheck("validator", validator.check) | ||
err := builder.WebhookManagedBy(mgr). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -20,11 +20,10 @@ import ( | |||
"context" | |||
"testing" | |||
|
|||
admissionv1 "k8s.io/api/admission/v1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test change is purely in response to the new webhook setup mechanism. A couple test cases that were dealing with populating admission response/retrieving object from admission request have been removed as we no longer need to do that- c/r gives our webhook validator the decoded object from the request and only expects back an error and warnings.
@@ -49,4 +49,4 @@ webhooks: | |||
service: | |||
name: {{ include "trust-manager.name" . }} | |||
namespace: {{ .Release.Namespace | quote }} | |||
path: /validate | |||
path: /validate-trust-cert-manager-io-v1alpha1-bundle |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple of questions / suggestions on this - thanks for doing it!
Thanks for taking a look and spotting the issues @SgtCoDFish ! Think I've now fixed those |
Signed-off-by: irbekrm <irbekrm@gmail.com>
weird docker flake /retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
This looks great and this is a piece of work that would've sucked to do so I really appreciate you doing it! 🚀
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm, SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR:
/validate
->/validate-trust-cert-manager-io-v1alpha1-bundle
as this is hardcoded in the new c/r webhook setup. This has a potential of causing webhook downtime during upgrade to the version of trust-manager that adds this change (if theValidatingWebhookConfiguration
has been updated, but the webhook is still running the old version that does not yet serve to the new path)Look at https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0 to understand the changes
This PR is also very similar to cert-manager/approver-policy#233