Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump dependencies. Changes to get latest c/r library working. #138

Merged
merged 9 commits into from
Jun 2, 2023
Merged

Bump dependencies. Changes to get latest c/r library working. #138

merged 9 commits into from
Jun 2, 2023

Conversation

irbekrm
Copy link
Contributor

@irbekrm irbekrm commented Jun 1, 2023
edited

This PR:

  • updates go module dependencies
  • bumps Go 1.19 -> 1.20
  • makes changes required to use latest c/r library:
    • updates controller watch setup
    • changes to use the new webhook setup mechanism as the one we currently use has been removed
    • changes how the fake cache gets loaded with objects
    • ⚠️ BREAKING ⚠️ changes validating webhook path /validate -> /validate-trust-cert-manager-io-v1alpha1-bundle as this is hardcoded in the new c/r webhook setup. This has a potential of causing webhook downtime during upgrade to the version of trust-manager that adds this change (if the ValidatingWebhookConfiguration has been updated, but the webhook is still running the old version that does not yet serve to the new path)

Look at https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0 to understand the changes

This PR is also very similar to cert-manager/approver-policy#233

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 1, 2023
@irbekrm
go get -u -t ./...
3e09712 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Go 1.19 -> 1.20
1921b84 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Adds a comment about why we have a second cache
991c2d6 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Removes transforms that were used as a cache test
3db11e5 
This should be a test rather than something that's in users request path

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
c/r changes: make watch setup work with latest c/r
1e0c3fb 
This commit does not actually change any of the logic. All the changes are in response to c/r v0.15 changes for Watch setup. See c/r release notes https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
c/r changes: fake objects with status subresource requires loading se…
6c430da 
…parately

See kubernetes-sigs/controller-runtime#2259

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
c/r changes: adapt the new webhook setup mechanism
59a8ba3 
As the mechanism that we have been using so far that depends on injector decoder injection has been removed

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
c/r changes: BREAKING: use the new validating webhook path
bc2b2bd 
The path is hardcoded in c/r, so we can't keep the old path

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm irbekrm changed the title Bump deps Bump dependencies. Changes to get latest c/r library working. Jun 1, 2023
irbekrm
irbekrm commented Jun 1, 2023
View reviewed changes
pkg/bundle/controller.go
Comment on lines -72 to -90
// These transforms are used as a safety check to ensure that only
// resources of the expected types are cached.
TransformByObject: map[client.Object]toolscache.TransformFunc{
new(corev1.Namespace): func(obj any) (any, error) {
return obj, nil
},
new(trustapi.Bundle): func(obj any) (any, error) {
return obj, nil
},
new(corev1.Secret): func(obj any) (any, error) {
return obj, nil
},
new(corev1.ConfigMap): func(obj any) (any, error) {
return obj, nil
},
},
DefaultTransform: func(obj any) (any, error) {
return nil, fmt.Errorf("object %T not supported by target cache", obj)
},
Copy link
Contributor Author

@irbekrm irbekrm Jun 1, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that it's hard or potentially not possible to devise a test that could test that the cache only has watches for these object types. But I don't think that we should put a check like this that should run as a test in every user request's path. Ultimately, if this would actually catch anything, it would most likely be first noticed by a user when it started spamming their logs.

irbekrm
irbekrm commented Jun 1, 2023
View reviewed changes
pkg/bundle/controller.go

// Reconcile trust.cert-manager.io Bundles
Watches(source.NewKindWithCache(new(trustapi.Bundle), sourceCache), &handler.EnqueueRequestForObject{}).
WatchesRawSource(&source.Informer{Informer: bundleInformer}, &handler.EnqueueRequestForObject{}).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the new set up of how to use external cache

irbekrm
irbekrm commented Jun 1, 2023
View reviewed changes
pkg/webhook/webhook.go
validator := &validator{log: opts.Log.WithName("validation")}
mgr.GetWebhookServer().Register("/validate", &webhook.Admission{Handler: validator})
mgr.AddReadyzCheck("validator", validator.check)
err := builder.WebhookManagedBy(mgr).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See cert-manager/approver-policy#233 (comment)

irbekrm
irbekrm commented Jun 1, 2023
View reviewed changes
pkg/webhook/validation_test.go
@@ -20,11 +20,10 @@ import (
"context"
"testing"

admissionv1 "k8s.io/api/admission/v1"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test change is purely in response to the new webhook setup mechanism. A couple test cases that were dealing with populating admission response/retrieving object from admission request have been removed as we no longer need to do that- c/r gives our webhook validator the decoded object from the request and only expects back an error and warnings.

irbekrm
irbekrm commented Jun 1, 2023
View reviewed changes
deploy/charts/trust-manager/templates/webhook.yaml
@@ -49,4 +49,4 @@ webhooks:
service:
name: {{ include "trust-manager.name" . }}
namespace: {{ .Release.Namespace | quote }}
path: /validate
path: /validate-trust-cert-manager-io-v1alpha1-bundle
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See cert-manager/approver-policy#233 (comment)

@SgtCoDFish SgtCoDFish mentioned this pull request Jun 1, 2023
Closed
SgtCoDFish
SgtCoDFish reviewed Jun 1, 2023
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of questions / suggestions on this - thanks for doing it!

pkg/bundle/controller.go Outdated Show resolved Hide resolved
pkg/bundle/controller.go Outdated Show resolved Hide resolved
@irbekrm
Copy link
Contributor Author

irbekrm commented Jun 1, 2023

Thanks for taking a look and spotting the issues @SgtCoDFish ! Think I've now fixed those

SgtCoDFish
SgtCoDFish requested changes Jun 1, 2023
View reviewed changes
pkg/bundle/controller.go Outdated Show resolved Hide resolved
pkg/bundle/controller.go Outdated Show resolved Hide resolved
@irbekrm
Code review feedback
6d339ca 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Copy link
Contributor Author

irbekrm commented Jun 2, 2023

weird docker flake

/retest

SgtCoDFish
SgtCoDFish approved these changes Jun 2, 2023
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

This looks great and this is a piece of work that would've sucked to do so I really appreciate you doing it! 🚀

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 2, 2023
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm, SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@SgtCoDFish SgtCoDFish merged commit 99cd18a into cert-manager:main Jun 2, 2023
4 checks passed
@irbekrm irbekrm deleted the bump_deps branch June 2, 2023 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees

@SgtCoDFish SgtCoDFish

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@irbekrm @jetstack-bot @SgtCoDFish