-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kudo init --unsafe-self-signed-webhook-ca
option
#1459
Conversation
Summary: added a new `kudo init ... --self-signed-webhook-ca-for-testing-only` option which can be used when installing KUDO with enabled instance admission webhook (`kudo init --webhook InstanceValidation`) to avoid the cert-manager dependency. When using this option a certificate signed by a self-singed CA is used by the webhook server. This option is meant to be used for local development, testing and demos and is **not meant to be used in production.** Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
Lets see how that goes Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
Not today ¯\_(ツ)_/¯ Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
late in the night for me and there is a lot here... I will review first thing in the morning... initial thoughts is looks nice! I'm questioning the public exposure to a flag that is for dev only. I think I would rather have an ENV var that is picked up for dev and not expose non-production flags and features to production. thoughts @zen-dog ? |
I like it, but same thoughts as ken: Maybe we can make this a (rather hidden) configuration in an env var, or maybe in a .kudo/config? |
I don't believe that making it an env var hides it enough for people not to use it in production. The safety aspect is twofold: a) psychological as the parameter name clearly indicates it is not for productions and b) technical as the generated cert is only valid for a week. IMHO an env var does not offer more "safety" than that 🤷 I removed this option from the |
…ion in `init` docs Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm ok with this as is. I don't think using an ENV-var would be better, although I do think that having this as an entry in a kudo-config-file would be better.
I was reasonably sure we already have a ~/.kudo/config
file where some things are stored, but it seems I have imagined that. I'd love to have that, especially for this flag, as well as some other things that might be really nice to have for operator-developers but shouldn't be exposed/active for all KUDO users.
pkg/kudoctl/kudoinit/options.go
Outdated
// ServiceName is the controllers service name. Currently hard-coded to "kudo-controller-manager-service" | ||
// as we don't support setting it in the CLI | ||
ServiceName string | ||
// SecretName is used by the manager when the webhooks are activated. Contains certificate and the key files for | ||
// the webhook server. Currently hard-coded to "kudo-webhook-server-secret" as we don't support setting it in the CLI | ||
SecretName string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👏
Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like it! really good stuff.
Can we please change the flag name?
It would also be great to use thekudoinit.DefaultName
in many places... but it's a blocker.
nice job!
pkg/kudoctl/cmd/init.go
Outdated
@@ -105,6 +108,7 @@ func newInitCmd(fs afero.Fs, out io.Writer) *cobra.Command { | |||
f.Int64Var(&i.timeout, "wait-timeout", 300, "Wait timeout to be used") | |||
f.StringVar(&i.webhooks, "webhook", "", "List of webhooks to install separated by commas (One of: InstanceValidation)") | |||
f.StringVarP(&i.serviceAccount, "service-account", "", "", "Override for the default serviceAccount kudo-manager") | |||
f.BoolVar(&i.selfSignedWebhookCA, "self-signed-webhook-ca-for-testing-only", false, "Use self-signed CA bundle (for testing only) for the webhooks") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of the "testing-only" suffix... do we need to add "-ga" or "-prod" to everything else? I would much rather have the shorter flag name. IF you want to double check, lets add a confirmation requiring a Y/n if flag detected. I would rather just document it, it's purpose and consequences. It is up to users as to when they will use it or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't mind making it shorter at all, however, there were a number of concerns that users will end up using it in production. Hence the long and descriptive name making it clear that it shouldn't be used in prod.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you don't mind.. who does? and what are the "number" of concerns... there seems to be only one...
@@ -128,13 +132,16 @@ func (initCmd *initCmd) validate(flags *flag.FlagSet) error { | |||
if initCmd.webhooks != "" && initCmd.webhooks != "InstanceValidation" { | |||
return errors.New("webhooks can be only empty or contain a single string 'InstanceValidation'. No other webhooks supported") | |||
} | |||
if initCmd.webhooks == "" && initCmd.selfSignedWebhookCA { | |||
return errors.New("self-signed CA bundle can only be used with webhooks option") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is more of a warning.. right? there is no value of a CA bundle without webhooks... but there is no reason we can't run that way. I'm ok with it... just seems unnecessary
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The webhook is populated with the CA bundle so it does need it. Also, most CLIs that I use fail in the presence of an invalid option. I think we should do the same here. It might save the user some surprises.
Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
@zen-dog regarding your ENV response
I also like and prefer @ANeumann82 suggestion of having a kudo file... however the only config file we have that I'm aware of is for the client... not for the manager |
another review pass... looks like the configuration is at the client... the kudo config sounds like a good idea |
I'm not fond of it. One immediate use case that we have is for e2e tests which generate all KUDO manifests by running |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good with team consensus... I have a preference for removing "testing-only" from the flag or moving it out to an ENV or config... but this feature is useful and valuable... good work!
Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
--self-signed-webhook-ca-for-testing-only
option--unsafe-self-signed-webhook-ca
option
Summary:
added a new
kudo init ... --unsafe-self-signed-webhook-ca
option which can be used when installing KUDO with enabled instance admission webhook (kudo init --webhook InstanceValidation
) to avoid the cert-manager dependency. When using this option a certificate signed by a self-signed CA is used by the webhook server. This option is meant to be used for local development, testing, and demos and is not meant to be used in production.Signed-off-by: Aleksey Dukhovniy alex.dukhovniy@googlemail.com
Co-authored-by: alenkacz avarkockova@mesosphere.com