Allow cert-manager to be provisioned externally #11354
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @codablock. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
| if fi.BoolValue(spec.Enabled) && fi.BoolValue(spec.External) { | ||
| allErrs = append(allErrs, field.Forbidden(fldPath, "Cert manager must be either enabled or external but not both")) | ||
| } | ||
| if fi.BoolValue(spec.External) && fi.StringValue(spec.Image) != "" { |
There was a problem hiding this comment.
This seems a bit overkill. I think we can just document that when external is set, any other flag is ignored.
There was a problem hiding this comment.
Removed the last 2 checks.
pkg/apis/kops/componentconfig.go
Outdated
| @@ -930,6 +930,10 @@ type CertManagerConfig struct { | |||
| // Default: false | |||
| Enabled *bool `json:"enabled,omitempty"` | |||
|
|
|||
| // External Tell kops that cert manager is deployed externally. | |||
| // Default: false | |||
| External *bool `json:"external,omitempty"` | |||
There was a problem hiding this comment.
Let me check if this naming is consistent with other structs where we allow this.
There was a problem hiding this comment.
I think some other time we discussed about "Managed".
There was a problem hiding this comment.
you mean setting "managed" to false?
There was a problem hiding this comment.
Example:
kops/pkg/apis/kops/ntpconfig.go
Line 23 in ba3914a
There was a problem hiding this comment.
Changed the PR to do it the same way
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
codablock
force-pushed
the
external-cert-manager
branch
2 times, most recently
from
7d7e13f
to
4ad50f0
Compare
| either remove this installation prior to enabling this addon, or mark cert-manger as not being managed by kOps (see below). | ||
| As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace it with this addon** | ||
|
|
||
| The following cert-manager configuration allows provisioning cert-manager externally and allows all dependent plugins |
There was a problem hiding this comment.
Can you add the version macro?
{{ kops_feature_table(kops_added_default='1.21', k8s_min='1.16') }}
There was a problem hiding this comment.
I was not sure where to add this, I hope I got it right
There was a problem hiding this comment.
Usually we just add a subheading and place the macro under.
There was a problem hiding this comment.
Added another commit. I'm still unsure if this is how you expect it, if not, can you show me how you expect it?
| either remove this installation prior to enabling this addon, or mark cert-manger as not being managed by kOps (see below). | ||
| As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace it with this addon** | ||
|
|
||
| The following cert-manager configuration allows provisioning cert-manager externally and allows all dependent plugins |
codablock
force-pushed
the
external-cert-manager
branch
from
02a31c3
to
d1ab0af
Compare
|
Squashed |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Could this be cherry-picked back to 1.20? We're running into an error trying to upgrade from 1.19 to 1.20 due to metricsServer being enabled, but now certManager requirement is checked. We already have cert manager in the cluster and want to take more time to make sure all our certs are going to port over if we switch to the add-on. (I'm working around this for now by disabling metricsServer since this on a dev cluster.) |
|
For metrics-server you can set insecure: true, which will disable the cert manager check. I don't think we'll be doing a 1.20 release before 1.21 anyway. |
…-upstream-release-1.20 Automated cherry pick of #11354: Allow cert-manager to be provisioned externally
This PR allows provisioning of cert-manager externally. It actually leads to a no-op, but makes checks (
IsCertManagerEnabled) succeed so that other dependent addons are deployable.