-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm: default to cronJob as tls.auto.method #25620
Conversation
e6ae6e2
to
0f5ec27
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for tackling this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with the change as is, but if we make cronJob
the default, we likely also need to figure out how helm uninstall
is supposed to work in cronJob
mode before the feature freeze in a couple of weeks: cilium/cilium-cli#1648
I haven't yet looked through this PR, but FYI #25261 should be merged soon, and it will remove the latest occurrences of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I just left a couple of nits inline. I guess that you should be able to drop the first commit once #25261 gets merged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of nits, otherwise LGTM. Approving with the understanding that changes must be made prior to merge.
is this test failure related to this pull request? 👀 https://github.com/cilium/cilium/actions/runs/5057980055/jobs/9077443138?pr=25620 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's harmonize 🧘
0f5ec27
to
dc5abc4
Compare
@gandro @giorio94 thanks! Addressed all the nits/typos and added a couple more cleanup commits, please take another look.
@gandro @michi-covalent yes so my understanding is that the cilium-cli assumes the helm method (see here) and consequently is not compatible with certgen. The best way forward might be to "teach" certgen to the cilium-cli so that we can drop the helm method eventually, but as @gandro pointed out the problem of generated resource ownership described at cilium/cilium-cli#1648 needs to be tackled (both in the context of the cilium-cli and helm if I understand correctly). Thoughts? |
Converted to draft until the cilium-cli compatibility issue is sorted out. |
0b691bb
to
6940095
Compare
/test |
@kaworu are you trying to get this in before v1.15 feature freeze? 👀 it's 11/30. |
very sad indeed but i understand 🚀🙏 |
This pull request has been automatically marked as stale because it |
This pull request has not seen any activity since it was marked stale. |
This pull request has been automatically marked as stale because it |
This pull request has not seen any activity since it was marked stale. |
This method was introduced as a quick way to get TLS setup for Hubble and clustermesh before other method were implemented. Because of its inherent limitations (not gitops friendly, forcing certificate re-generation on Helm ugprades) the default is going to be changed to the cronJob method, and thus the helm method is now deprecated and planned for removal in v1.16. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
The previous commit deprecated the default helm method, and this commit promote the cronJob method as the new default. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
The hubble-ca-cert ConfigMap was removed by 4635ffa. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
All other references to this secret were removed in fcc927f. Signed-off-by: Alexandre Perrin <alex@isovalent.com>
6940095
to
73a00a5
Compare
This pull request has been automatically marked as stale because it |
This pull request has not seen any activity since it was marked stale. |
For both Hubble and Clustermesh. Deprecate the previous default
helm
method on the way.See first task of #25345.