Fix certmanager race condition and version numbers. #1134
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* To fix the race condition with certmanager (kubeflow#1125) we move the KF issuer into a separate package from the package deploying kubeflow. This way we can wait for cert-manager to start before deploying resources. * Labels need to be immutable otherwise upgrades won't work (see kubeflow#1131). So remove version number from common labels and application selector so that apply will work to update resources.
|
This change is |
|
/assign @krishnadurai |
|
@krishnadurai @johnugeorge @yanniszark could one of you review this please? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: yanniszark The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jlewi
pushed a commit
to jlewi/manifests
that referenced
this pull request
Jun 1, 2020
* GoogleCloudPlatform/kubeflow-distribution#33 is tracking GCP blueprints on private GKE with VPC-SC * This PR doesn't fully enable that but it includes a lot of necessary changes. * cluster-private-patch.yaml is a cluster patch that turns on a lot of settings to deploy GKE with private GKE * For ease of use we make the master publicly accessible anywhere; users could configure that behavior if desired using patch overlays. * Use kpt setters to name all the networking resources (firewall rules, networks, etc...) * This ensures the names are unique based on the KF deployment name and won't conflict with existing rules. * The setters also ensures that the references get set correctly; e.g. the firewall rules correctly refer the newly created network. * Add a CNRM resource to enable CloudDNS. * Per GoogleCloudPlatform/kubeflow-distribution#31 we should probably use CNRM and not AnthosCLI to enable all required services. * Add a kpt setter to control firewall rule logging * Enabling firewall rule logging can be useful to debug why connections are blocked. Enable logging on firewall rules. * Add an extra firewall rule for ISTIO *Per https://istio.io/docs/setup/platform-setup/gke/ we need to manually create an additional firewall rule to allow traffic to the ISTIO pilot webhook port. * Add a NAT to allow outbound internet egress * Egress is still blocked by firewall rules * Per kbueflow/gcp-blueprints#34 this was an attempt to make it possible to pull images from DockerHub and Quay.IO. This was partially succesful; pulling from DockerHub works but for Quay.IO the firewall rules are strill blocking required connections. * Fix the v3 version of the cert-manager package. * kubeflow#1134 moved the kubeflow issuer into its own package to avoid race conditions * That refactored means that the v3 packages no longer included the actual cert-manager resources * This PR fixes that by having the v3 package pull in the base package
1 task
k8s-ci-robot
pushed a commit
that referenced
this pull request
Jun 2, 2020
* GoogleCloudPlatform/kubeflow-distribution#33 is tracking GCP blueprints on private GKE with VPC-SC * This PR doesn't fully enable that but it includes a lot of necessary changes. * cluster-private-patch.yaml is a cluster patch that turns on a lot of settings to deploy GKE with private GKE * For ease of use we make the master publicly accessible anywhere; users could configure that behavior if desired using patch overlays. * Use kpt setters to name all the networking resources (firewall rules, networks, etc...) * This ensures the names are unique based on the KF deployment name and won't conflict with existing rules. * The setters also ensures that the references get set correctly; e.g. the firewall rules correctly refer the newly created network. * Add a CNRM resource to enable CloudDNS. * Per GoogleCloudPlatform/kubeflow-distribution#31 we should probably use CNRM and not AnthosCLI to enable all required services. * Add a kpt setter to control firewall rule logging * Enabling firewall rule logging can be useful to debug why connections are blocked. Enable logging on firewall rules. * Add an extra firewall rule for ISTIO *Per https://istio.io/docs/setup/platform-setup/gke/ we need to manually create an additional firewall rule to allow traffic to the ISTIO pilot webhook port. * Add a NAT to allow outbound internet egress * Egress is still blocked by firewall rules * Per kbueflow/gcp-blueprints#34 this was an attempt to make it possible to pull images from DockerHub and Quay.IO. This was partially succesful; pulling from DockerHub works but for Quay.IO the firewall rules are strill blocking required connections. * Fix the v3 version of the cert-manager package. * #1134 moved the kubeflow issuer into its own package to avoid race conditions * That refactored means that the v3 packages no longer included the actual cert-manager resources * This PR fixes that by having the v3 package pull in the base package
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To fix the race condition with certmanager (certmanager install has race condition - try to create KF certmanager resources before cert manager is available #1121) we move the KF
issuer into a separate package from the package deploying kubeflow.
This way we can wait for cert-manager to start before deploying resources.
Labels need to be immutable otherwise upgrades won't work (see commonLabels need to be immutable for upgrades - remove version from commonLabels #1131).
So remove version number from common labels and application selector
so that apply will work to update resources.