Adds support for running in Istio environments #21
this may be the wrong place to put this logic. ideally, istio fixes their shit and we no longer have to (a) wait for the sidecar to be ready and (b) send an envoy quit signal after a job pod is done. alas, this is not the case right now and wrapping this logic around the actual command will require us to migrate off of a "distroless" base docker image. poop or vomit? pick one.
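The wrapper pattern described in the comment above (wait for the sidecar, run the job, then tell Envoy to quit), as an added Go example that is not code from this PR or the project. The ports and paths are assumed Istio sidecar defaults that the thread does not state, and `runWithSidecar` is a hypothetical name.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"
)

// Assumed Istio sidecar defaults, not taken from the PR (pilot-agent endpoints).
const (
	readyURL = "http://127.0.0.1:15021/healthz/ready"
	quitURL  = "http://127.0.0.1:15020/quitquitquit"
)

// runWithSidecar waits for the proxy, runs action, then always asks the proxy
// to exit so a finished job pod is not kept alive by its sidecar.
func runWithSidecar(ctx context.Context, c *http.Client, ready, quit string, action func() error) error {
	for { // poll readiness until 200 or the context expires
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, ready, nil)
		if err != nil {
			return err
		}
		if resp, err := c.Do(req); err == nil {
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				break
			}
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("sidecar not ready: %w", ctx.Err()) // action never runs
		case <-time.After(100 * time.Millisecond):
		}
	}
	actionErr := action()
	// The quit request is sent even when the action failed.
	if resp, err := c.Post(quit, "text/plain", nil); err != nil && actionErr == nil {
		actionErr = err
	} else if err == nil {
		resp.Body.Close()
	}
	return actionErr
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	fmt.Println("result:", runWithSidecar(ctx, http.DefaultClient, readyURL, quitURL, func() error { return nil }))
}
```

Bounding the wait with a context deadline matters here: without it, a pod whose sidecar never becomes ready would hang instead of failing.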
Codecov Report
@@ Coverage Diff @@
## main #21 +/- ##
==========================================
- Coverage 80.35% 79.49% -0.87%
==========================================
Files 23 24 +1
Lines 1507 1531 +24
==========================================
+ Hits 1211 1217 +6
- Misses 207 225 +18
Partials 89 89
- adds support for '--istio-enabled' crd cmd flag
- adds psp use permissions to hooks
- adds custom psp for operator
- adds new values to control rendering
exposed ports are health, metrics, and webhook. not sure we need to block access to these but maybe i'm wrong
@ddl-audi @steved I just need to add some tests and/or tweak this codecov config (I know, I know, coverage is 🤮). One of the interesting things to note about this change is the way we handle PSP permissions specific to a cluster (i.e. If you then try to create a
I think we have covered internally, correct? Initially, I decided NOT to create PSPs for clusters since I didn't want to manage external resources via a finalizer. But, since we're now using StatefulSets and clean up their PVCs on CR delete, perhaps this changes the equation? I don't think it obviates my initial concern but I'm curious to get your input.
Looks fine to me based on what we discussed
not very important yet annoying
Initially, I decided NOT to create PSPs for clusters since I didn't want to manage external resources via a finalizer. But, since we're now using StatefulSets and clean up their PVCs on CR delete, perhaps this changes the equation? I don't think it obviates my initial concern but I'm curious to get your input.
I think instinctively it feels like we're fighting K8s and I'm not sure I'm a huge fan of controlling these global resources in the controller since it runs into ownership issues and such.
Changes to application
--istio-enabled flag to command and codifies Istio proxy readiness check + quitquitquit wrapper around CRD actions
Changes to chart