-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow cert-manager to be provisioned externally #11354
Allow cert-manager to be provisioned externally #11354
Conversation
Hi @codablock. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
if fi.BoolValue(spec.Enabled) && fi.BoolValue(spec.External) { | ||
allErrs = append(allErrs, field.Forbidden(fldPath, "Cert manager must be either enabled or external but not both")) | ||
} | ||
if fi.BoolValue(spec.External) && fi.StringValue(spec.Image) != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems a bit overkill. I think we can just document that when external
is set, any other flag is ignored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the last 2 checks.
pkg/apis/kops/componentconfig.go
Outdated
@@ -930,6 +930,10 @@ type CertManagerConfig struct { | |||
// Default: false | |||
Enabled *bool `json:"enabled,omitempty"` | |||
|
|||
// External Tell kops that cert manager is deployed externally. | |||
// Default: false | |||
External *bool `json:"external,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me check if this naming is consistent with other structs where we allow this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think some other time we discussed about "Managed".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you mean setting "managed" to false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Example:
kops/pkg/apis/kops/ntpconfig.go
Line 23 in ba3914a
Managed *bool `json:"managed,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed the PR to do it the same way
/ok-to-test |
7d7e13f
to
4ad50f0
Compare
either remove this installation prior to enabling this addon, or mark cert-manger as not being managed by kOps (see below). | ||
As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace it with this addon** | ||
|
||
The following cert-manager configuration allows provisioning cert-manager externally and allows all dependent plugins |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add the version macro?
{{ kops_feature_table(kops_added_default='1.21', k8s_min='1.16') }}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was not sure where to add this, I hope I got it right
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usually we just add a subheading and place the macro under.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added another commit. I'm still unsure if this is how you expect it, if not, can you show me how you expect it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks perfect
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you squash? then this is ready to go.
either remove this installation prior to enabling this addon, or mark cert-manger as not being managed by kOps (see below). | ||
As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace it with this addon** | ||
|
||
The following cert-manager configuration allows provisioning cert-manager externally and allows all dependent plugins |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks perfect
02a31c3
to
d1ab0af
Compare
Squashed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Much obliged
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Could this be cherry-picked back to 1.20? We're running into an error trying to upgrade from 1.19 to 1.20 due to metricsServer being enabled, but now certManager requirement is checked. We already have cert manager in the cluster and want to take more time to make sure all our certs are going to port over if we switch to the add-on. (I'm working around this for now by disabling metricsServer since this on a dev cluster.) |
For metrics-server you can set insecure: true, which will disable the cert manager check. I don't think we'll be doing a 1.20 release before 1.21 anyway. |
…-upstream-release-1.20 Automated cherry pick of #11354: Allow cert-manager to be provisioned externally
This PR allows provisioning of cert-manager externally. It actually leads to a no-op, but makes checks (
IsCertManagerEnabled
) succeed so that other dependent addons are deployable.