
Add --requestheader-allowed-names where necessary #214

Merged: kcp-ci-bot merged 1 commit into kcp-dev:main from gman0:fix-flags-requestheader-allowed-names on Apr 17, 2026

@gman0 gman0 commented Apr 17, 2026

Summary

Adds --requestheader-allowed-names to RootShard, Shard and VirtualWorkspace deployments.

k/k 1.35 requires --requestheader-allowed-names to be passed if --requestheader-client-ca-file and --client-ca-file point to the same cert; otherwise the apiserver exits immediately with a non-zero return code.

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes kcp-dev/kcp#4032

Release Notes

Adds --requestheader-allowed-names to RootShard, Shard and VirtualWorkspace deployments

Adds --requestheader-allowed-names to RootShard, Shard
and VirtualWorkspace deployments.

k/k 1.35 requires --requestheader-allowed-names to be passed if
--requestheader-client-ca-file and --client-ca-file point to the same cert.

On-behalf-of: @SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
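
The condition described in the summary and commit message, written as a pre-deployment check over a container's argument list. This is an added example, not code from the kcp-operator or from Kubernetes: the three flag names come from the PR, while the paths, the allowed name and the choice to treat "same cert" as equal path or equal file contents are assumptions of the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// flagValue returns the last value given for --name in args, accepting both
// "--name=value" and "--name value"; ok is false when the flag is absent.
func flagValue(args []string, name string) (val string, ok bool) {
	flag := "--" + name
	for i, a := range args {
		if strings.HasPrefix(a, flag+"=") {
			val, ok = strings.TrimPrefix(a, flag+"="), true
		} else if a == flag && i+1 < len(args) {
			val, ok = args[i+1], true
		}
	}
	return val, ok
}

// CheckRequestHeaderFlags returns an error for the combination the PR names:
// both CA flags point to the same cert and --requestheader-allowed-names is
// missing or empty. files maps path to contents (constructed input), so one
// CA mounted at two different paths is caught as well.
func CheckRequestHeaderFlags(args []string, files map[string][]byte) error {
	rh, okRH := flagValue(args, "requestheader-client-ca-file")
	ca, okCA := flagValue(args, "client-ca-file")
	if !okRH || !okCA {
		return nil
	}
	same := rh == ca || (len(files[rh]) > 0 && bytes.Equal(files[rh], files[ca]))
	if !same {
		return nil
	}
	names, _ := flagValue(args, "requestheader-allowed-names")
	for _, n := range strings.Split(names, ",") {
		if strings.TrimSpace(n) != "" {
			return nil // at least one allowed name is configured
		}
	}
	return fmt.Errorf("%s and %s hold the same cert but --requestheader-allowed-names is not set", rh, ca)
}

func main() {
	args := []string{"--client-ca-file=/example/ca.crt", "--requestheader-client-ca-file=/example/ca.crt"} // constructed
	fmt.Println(CheckRequestHeaderFlags(args, nil))
}
```
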
kcp-ci-bot added the kind/bug, release-note, dco-signoff: yes and size/S labels on Apr 17, 2026

xrstf commented Apr 17, 2026

Why did we not notice this through our canary tests? 🤔


@xrstf xrstf left a comment


/approve

kcp-ci-bot added the lgtm label on Apr 17, 2026
@kcp-ci-bot

LGTM label has been added.

Git tree hash: 3841b9a76b1ef46c4a02274bad6811d84db1e312

@kcp-ci-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xrstf


kcp-ci-bot added the approved label on Apr 17, 2026
kcp-ci-bot merged commit c065464 into kcp-dev:main on Apr 17, 2026
13 checks passed

gman0 commented Apr 17, 2026

@xrstf yeah we should definitely track this down, see what exactly happened for this bug to be here, and make sure this doesn't happen again.

gman0 deleted the fix-flags-requestheader-allowed-names branch on April 17, 2026 09:28
@mjudeikis

> Why did we not notice this through our canary tests? 🤔

This is something we need to get to the bottom of before next release

@mjudeikis

/cherry-pick release-0.7

@kcp-ci-bot

@mjudeikis: new pull request created: #216



xrstf commented Apr 21, 2026

For the record, this happened because the e2e tests in the operator are not perfectly replicating our contrib examples. In this case specifically, the custom self-signed CA that is used by the dekker examples is causing the issue (I suppose the operator creates in this case an unsuitable CABundle that triggers the issue).

ghdrope pushed a commit to ghdrope/forked-kcp-operator that referenced this pull request Apr 21, 2026
Adds --requestheader-allowed-names to RootShard, Shard
and VirtualWorkspace deployments.

k/k 1.35 requires --requestheader-allowed-names to be passed if
--requestheader-client-ca-file and --client-ca-file point to the same cert.

On-behalf-of: @SAP robert.vasek@sap.com

Signed-off-by: Robert Vasek <robert.vasek@clyso.com>

Development

Successfully merging this pull request may close these issues.

bug: CrashLoopBackoff on Shard pods after upgrade to 0.31.0 with selfsigned ca
