
Modify helm chart: delete validations for certManagerIssuerRef #22921

Merged
merged 1 commit into from
Jan 23, 2023

Conversation

@Shunpoco Shunpoco (Contributor) commented Jan 4, 2023

Because the helm chart generates cert manager issuers and attaches them to certificates, we have to remove validations which fail if we don't specify certManagerIssuerRef.

I investigated that in #17238:

  • First, we set the validations to restrict users to set their certManagerIssuer.
  • But finally, we added template files which generate issuers if users don't specify certManagerIssuer.

I think that we have to delete these validations, otherwise helm can't generate manifest files without specifying certManagerIssuerRef.

Here is the trial on my local machine:

  1. Prepare test-values.yaml:

```yaml
rollOutCiliumPods: true

cni:
  exclusive: false
  debug:
    enabled: true

prometheus:
  enabled: true

operator:
  rollOutPods: true
  prometheus:
    enabled: true

kubeProxyReplacement: "strict"

k8sServiceHost: "172.16.102.137"
k8sServicePort: "6443"

bpf:
  masquerade: true

bgp:
  enabled: false
  announce:
    loadbalancerIP: true

ipam:
  mode: "kubernetes"

bgpControlPlane:
  enabled: true

ingressController:
  enabled: true

hubble:
  relay:
    rollOutPods: true
    enabled: true
  ui:
    rollOutPods: true
    enabled: true

bandwidthManager:
  enabled: true

cluster:
  name: "cluster2"
  id: 2

clustermesh:
  name: "cluster2"
  config:
    enable: true
  clusters: ["cluster1", "cluster2"]
  useAPIServer: true
  apiserver:
    tls:
      auto:
        method: "certmanager"
```
  2. Using this test-values.yaml, I ran helm template:

```sh
cd install/kubernetes/cilium
helm template test ./ --values=test-values.yaml > generated_manifests.yaml
```
  3. Check the output. The following is part of generated_manifests.yaml:

```yaml
# Source: cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: clustermesh-apiserver-admin-cert
  namespace: default
spec:
  issuerRef:
    
      group: cert-manager.io
      kind: Issuer
      name: clustermesh-apiserver-issuer
  secretName: clustermesh-apiserver-admin-cert
  commonName: root
  dnsNames:
  - localhost
  duration: 26280h0m0s
---
# Source: cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: clustermesh-apiserver-remote-cert
  namespace: default
spec:
  issuerRef:
    
      group: cert-manager.io
      kind: Issuer
      name: clustermesh-apiserver-issuer
  secretName: clustermesh-apiserver-remote-cert
  commonName: remote
  duration: 26280h0m0s
---
# Source: cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: clustermesh-apiserver-server-cert
  namespace: default
spec:
  issuerRef:
    
      group: cert-manager.io
      kind: Issuer
      name: clustermesh-apiserver-issuer
  secretName: clustermesh-apiserver-server-cert
  commonName: clustermesh-apiserver.cilium.io
  dnsNames:
  - clustermesh-apiserver.cilium.io
  - "*.mesh.cilium.io"
  ipAddresses:
  - "127.0.0.1"
  - "::1"
  duration: 26280h0m0s
---
# Source: cilium/templates/cilium-ingress-service.yaml
apiVersion: v1
kind: Endpoints
metadata:
  name: cilium-ingress
  namespace: default
subsets:
- addresses:
  - ip: "192.192.192.192"
  ports:
  - port: 9999
---
# Source: cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: clustermesh-apiserver-issuer
  namespace: default
spec:
  ca:
    secretName: clustermesh-apiserver-ca-cert
```


Fixes: #22784

helm: Delete validations for certManagerIssuerRef

Because the helm chart generates cert manager issuers and attaches them
to certificates, we have to remove validations which fail if we don't
specify certManagerIssuerRef.

Fixes: cilium#22784

Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com>
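As an added check, not part of this PR or of the Cilium chart, the script below walks a rendered manifest like the one above and reports every Certificate whose issuerRef does not resolve to an Issuer in the same namespace or to a ClusterIssuer, which is exactly the situation the removed validations guarded against and the generated Issuer now covers. The sample manifest is constructed from the PR's helm output, and the small indentation-based flattener is an assumption that suffices for block-style manifests of this shape.

```python
import re
# Constructed sample taken from the PR's helm output (note the whitespace-only line under issuerRef).
SAMPLE_MANIFEST = """\
kind: Certificate
metadata:
  name: clustermesh-apiserver-admin-cert
  namespace: default
spec:
  issuerRef:
    
      group: cert-manager.io
      kind: Issuer
      name: clustermesh-apiserver-issuer
---
kind: Issuer
metadata:
  name: clustermesh-apiserver-issuer
  namespace: default
"""

def flatten_doc(text):
    """Flatten scalar mapping entries to {'spec.issuerRef.name': ...} (assumed
    mini-parser: skips comments, list items and blank/whitespace-only lines)."""
    flat, stack = {}, []  # stack of (indent, key) describing the current path
    for line in text.splitlines():
        body = line.strip()
        if not body or body[0] in "#-":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip('"')
    return flat

def check_issuer_refs(manifest):
    """One message per Certificate whose issuerRef matches no Issuer in its
    namespace and no ClusterIssuer anywhere in the rendered manifest."""
    docs = [flatten_doc(d) for d in re.split(r"^---\s*$", manifest, flags=re.M)]
    issuers = {(d["kind"], d.get("metadata.namespace"), d["metadata.name"])
               for d in docs if d.get("kind") in ("Issuer", "ClusterIssuer")}
    problems = []
    for d in [c for c in docs if c.get("kind") == "Certificate"]:
        kind, name = d.get("spec.issuerRef.kind", "Issuer"), d.get("spec.issuerRef.name")
        ns = d.get("metadata.namespace") if kind == "Issuer" else None  # ClusterIssuer is cluster-wide
        if (kind, ns, name) not in issuers:
            problems.append(f"{d['metadata.name']}: {kind} {name!r} not found")
    return problems
```

Run it against a real `helm template` output by reading the file into `check_issuer_refs`; an empty list means every Certificate's issuerRef resolves within the rendered manifest.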
@Shunpoco Shunpoco requested review from a team as code owners January 4, 2023 08:42
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 4, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 4, 2023
@pchaigno pchaigno added area/helm Impacts helm charts and user deployment experience kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jan 4, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 4, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.12.6 Jan 4, 2023
@sayboras sayboras (Member) left a comment

Thanks and LGTM ✔️

@darkstarmv

@nathanjsweet can we get this merged?

@nathanjsweet (Member)

/test

@nathanjsweet (Member)

There is a minor ci-datapath failure, but it is trivial and cannot possibly be linked to this PR. Marking ready-to-merge.

@nathanjsweet nathanjsweet added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 23, 2023
@ldelossa ldelossa merged commit bc2ed14 into cilium:master Jan 23, 2023
@sayboras sayboras mentioned this pull request Jan 24, 2023
@sayboras sayboras added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jan 24, 2023
@ldelossa ldelossa mentioned this pull request Jan 24, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.6 Jan 24, 2023
@aanm aanm added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jan 24, 2023
@michi-covalent michi-covalent added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jan 26, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.6 Jan 26, 2023
Labels
area/helm Impacts helm charts and user deployment experience backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. kind/bug This is a bug in the Cilium logic. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.12.6
Backport done to v1.12
Development

Successfully merging this pull request may close these issues.

Helm Chart: certmanager requires user specify .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef
8 participants