apiext: rewrite to fix CA cert renewal and enhance capabilities #5494
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Lance Austin <laustin@datawire.io>
LanceEa
force-pushed
the
laustin/apiext-renew-cert
branch
from
b98fb6e
to
581bcdd
Compare
added 2 commits
January 3, 2024 09:33
This is a complete re-write of the apiext internals for managing and wathcing CA Certs, Patch CRDs and providing a ConversionWebHook Service for converting the getambassador.io resources. - Decouples apiext binary from busyambassador binary to make e2e test simpler and lay framework for extracting from core container (future work) - Add leader election support to provide predictability when managing CA and CRD Patching - New Controller for Patching CRDs with CA bundle - New Controler for Watching CA Cert - New CertificateAuthority abstraction for generating Server certs on conversion webhook requests and cache invalidation on CA Cert changes - New Controller for Managing CA Cert, creates, updates and auto-renews when about to expire - Add ability to run in external managed mode (aka turn off CA and CRD management) and let external tool like CertManager manage the certs Signed-off-by: Lance Austin <laustin@datawire.io>
Extends the fix-crds tool so that it can output standalone files for RBAC, Deployments and CRD's so that we can make easier and more predicatable e2e testing. Generally, speaking we should re-think fix-crds and whether it makes sense but for now this adjusts it to meet the needs for e2e testing the new apiext server. - removed uncessary comments that don't play nice with e2e-framework - added port and path to default Conversion data structure to support externally Managed mode. Note: when apiext server is patching CRD's it will override it like it did previously. Signed-off-by: Lance Austin <laustin@datawire.io>
LanceEa
force-pushed
the
laustin/apiext-renew-cert
branch
8 times, most recently
from
0f00e7a
to
8d22e63
Compare
This adds basic e2e tests for the apiext to ensure that it can properly create, watch and renew expired Certs. An additional test and example was added on how to run it in an externally managed mode with CertManager providing the Certificate and Patching CRD's. Note: this has limited support because it has only been tested against the same settings (RSA, PKCS8) as self-managed mode. It may work with other settings but those are not guaranteed at this time. A new standalone container is generated locally and pushed to k3d. This is only for e2e testing but sets up the framework for having it standalone in the future. Signed-off-by: Lance Austin <laustin@datawire.io>
LanceEa
force-pushed
the
laustin/apiext-renew-cert
branch
from
8d22e63
to
551d888
Compare
LanceEa
changed the title
AliceProxy
approved these changes
Jan 3, 2024
Signed-off-by: Lance Austin <laustin@datawire.io>
This was referenced Jan 3, 2024
|
Are there plans to cut a release soon with this fix? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR looks to fix the long standing issue with CA Certs not auto-renewing and becoming expired thus no longer being able to convert CRD's until a new CA cert is re-created. It expands the capabilities to allow for more flexibility in allowing the CA Cert and CRD Patching to be externally managed by third parties such as CertManager. Also, leverages leader-election to ensure predictability when managed CA Cert and CRD Patching.
APIExt design
The new design is built on top of the controller-runtime using the familiar Runnable and Controller patterns. The following are the key abstractions created.
Now that we support LeaderElection the RBAC has been expanded to include the new permissions needed.
One other thing to mention, is that this PR laid the ground work for publishing the apiext as a stand alone container by decoupling its binary from busy ambassador. However, for now the standalone container is only used to simplify the e2e testing (mainly due to keeping scope down, in an already large PR). The standalone binary is still copied into the core container and the deployment in the charts/manifest are still the same.
Related Issues
CA Cert Renewal and support for externally managing CA Cert and CRD Patching.
Testing
New unit tests for rewrite and added automated e2e tests to CI. Pulled into Edge Stack and verified no issues there as well.
Checklist
CHANGELOG.md.DEVELOPING.mdwith any any special dev tricks I had to use to work on this code efficiently.