Adding e2e test for the admission webhook #52368
Comments
/sig apimachinery
Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237)

Plumbing the proxy dialer to the webhook admission plugin

* Fixing #49987. Plumb the `Dial` function to the `transport.Config`
* Fixing #52366. Let the webhook admission plugin set the `TLSConfg.ServerName`.

I tested it in my gke setup. I don't have time to implement an e2e test before 1.8 release. I think it's ok to add the test later, because *i)* the change only affects the alpha webhook admission feature, and *ii)* the webhook feature is unusable without the fix. That said, it's up to my reviewer to decide. Filed #52368 for the missing e2e test.

(The second commit is #52372, which is just a cleanup of client configuration in e2e tests. It removed a function that marshalled the client config to json and then unmarshalled it. It is a prerequisite of this PR, because this PR added the `Dial` function to the config which is not json marshallable.)

```release-note
Fixed the webhook admission plugin so that it works even if the apiserver and the nodes are in two networks (e.g., in GKE).
Fixed the webhook admission plugin so that webhook author could use the DNS name of the service as the CommonName when generating the server cert for the webhook.
Action required: Anyone who generated server cert for admission webhooks need to regenerate the cert. Previously, when generating server cert for the admission webhook, the CN value doesn't matter. Now you must set it to the DNS name of the webhook service, i.e., `<service.Name>.<service.Namespace>.svc`.
```
Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237)

Plumbing the proxy dialer to the webhook admission plugin

* Fixing kubernetes/kubernetes#49987. Plumb the `Dial` function to the `transport.Config`
* Fixing kubernetes/kubernetes#52366. Let the webhook admission plugin set the `TLSConfg.ServerName`.

I tested it in my gke setup. I don't have time to implement an e2e test before 1.8 release. I think it's ok to add the test later, because *i)* the change only affects the alpha webhook admission feature, and *ii)* the webhook feature is unusable without the fix. That said, it's up to my reviewer to decide. Filed kubernetes/kubernetes#52368 for the missing e2e test.

(The second commit is kubernetes/kubernetes#52372, which is just a cleanup of client configuration in e2e tests. It removed a function that marshalled the client config to json and then unmarshalled it. It is a prerequisite of this PR, because this PR added the `Dial` function to the config which is not json marshallable.)

```release-note
Fixed the webhook admission plugin so that it works even if the apiserver and the nodes are in two networks (e.g., in GKE).
Fixed the webhook admission plugin so that webhook author could use the DNS name of the service as the CommonName when generating the server cert for the webhook.
Action required: Anyone who generated server cert for admission webhooks need to regenerate the cert. Previously, when generating server cert for the admission webhook, the CN value doesn't matter. Now you must set it to the DNS name of the webhook service, i.e., `<service.Name>.<service.Namespace>.svc`.
```

Kubernetes-commit: 7181dd49460787871b602a47ab2ad05babacb820
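The certificate requirement in the release note above can be checked offline before a webhook is deployed. This is an added example, not code from the PR or from Kubernetes: the function names, the service `my-webhook` in namespace `default`, and the self-signed certificate trusted directly are all assumptions, and the name is also placed in a SAN because current Go clients match SANs rather than the CN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serviceDNSName builds the release note's <service.Name>.<service.Namespace>.svc.
func serviceDNSName(name, namespace string) string { return name + "." + namespace + ".svc" }

// newServingCert makes a throwaway self-signed serving cert issued for certName.
func newServingCert(certName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: certName},
		DNSNames: []string{certName}, // assumption: SAN added, Go matches SANs, not the CN
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServingCert verifies a cert issued for certName as a TLS client with ServerName serverName would.
func checkServingCert(certName, serverName string) error {
	cert, err := newServingCert(certName)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // constructed setup: trust only this certificate
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	want := serviceDNSName("my-webhook", "default") // constructed service name
	fmt.Println("matching:", checkServingCert(want, want), "| other:", checkServingCert("webhook.example", want))
}
```

A certificate issued for any name other than the service DNS name fails with a hostname mismatch, which is the case the "Action required" note asks webhook authors to fix by regenerating the cert.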
/sig api-machinery
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
As a followup of #50476.
We need to test: