Preserve labels and annotations on public cert secrets #1580
Conversation
charith-elastic
added
>enhancement
|
retest this please |
| return true | ||
| } | ||
| if !reflect.DeepEqual(reconciled.Data, expected.Data) { | ||
| case !reflect.DeepEqual(expected.Data, reconciled.Data): |
There was a problem hiding this comment.
I wonder if it would make sense to use a hash of the expected service here, similar to what we do for Elasticsearch ssets and Kibana deployments? Not sure myself, so this is not necessary for this to get merged I would say. Wdyt?
There was a problem hiding this comment.
Are you suggesting something like comparing the certificate fingerprints? The comparison here is between two Secret objects so in order to use hashes, I think we will have to figure out how to hash the items in the Data map in a deterministic way.
There was a problem hiding this comment.
Maybe I am missing something important but I was thinking of https://github.com/pebrc/cloud-on-k8s/blob/d495796116a956d4d09c773bfd55921b8ddd0702/operators/pkg/controller/common/hash/hash.go#L47 which uses spew. I think that just hexdumps byte arrays and calculates the hash of that. In any case this is not for this PR, your solution is fine IMO
There was a problem hiding this comment.
I didn't realise that existed and it's certainly worth investigating. I was initially going to evaluate https://github.com/banzaicloud/k8s-objectmatcher for this issue but it felt like too large a change at this point.
I will create a new issue to explore these options.
This change allows any external labels and annotations added to public certificate secrets (
*-http-certs-publicand*-transport-certs-public) to be preserved after reconciliation.Fixes #1472