Detect different versions of cert-manager #1546
Conversation
… ones Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
ANeumann82
requested review from
alenkacz,
gerred,
kensipe,
nfnt and
zen-dog
as code owners
Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
| @@ -154,10 +154,12 @@ func (initCmd *initCmd) run() error { | |||
| } | |||
| } | |||
|
|
|||
| installer := setup.NewInstaller(opts, initCmd.crdOnly) | |||
There was a problem hiding this comment.
I still don't know why crdOnly is not part of the opts. But that's another story
| } | ||
|
|
||
| const ( | ||
| certManagerAPIVersion = "v1alpha2" | ||
| certManagerControllerVersion = "v0.12.0" | ||
| certManagerOldGroup = "certmanager.k8s.io" |
There was a problem hiding this comment.
What about a group -> api mapping instead like?
certManagerGroupAPI := map[string]string{
"v1alpha1": "certmanager.k8s.io",
"v1alpha2": "cert-manager.io",
}
There was a problem hiding this comment.
It's not necessarily a map... It might be a map of lists:
certManagerAPIs := map[string][]string{
"certmanager.k8s.io": []string{ "v1alpha1"},
"cert-manager.io": []string{ "v1alpha1", "v1alpha2", "v1alpha3" },
}
(at least I think "cert-manager.io" has "v1alpha1" as well in some version, it certainly has v1alpha2 and v1alpha3)
There was a problem hiding this comment.
So even easier to check all permutatations 👍
There was a problem hiding this comment.
This is incomplete and I would prefer some refactor for readability.
The incomplete element is:
- webhook.goL225 has a "warning" that is still showing up.. which has multiple issues: first we should NOT print warning messages which use the wording "failed". second, if we successfully install for v1 (while preferring v2) it should NOT print any warnings... (unless verbose clog is > 0). If we are deprecating support and provide a warning that indicates that... that seems cool.
output of init
go run cmd/kubectl-kudo/main.go init --wait
$KUDO_HOME has been configured at /Users/kensipe/.kudo
Warnings
failed to get cert-manager deployment in namespace cert-manager. Make sure cert-manager is running.
✅ installed crds
✅ installed namespace
✅ installed service account
✅ installed webhook
✅ installed kudo controller
⌛Waiting for KUDO controller to be ready in your cluster...
The Warning section should not exist IMO.
Also... our docs for uninstall are: https://kudo.dev/docs/runbooks/admin/remove-kudo.html
our output for uninstall is:
go run cmd/kubectl-kudo/main.go init --dry-run --output yaml | kubectl delete -f -
customresourcedefinition.apiextensions.k8s.io "operators.kudo.dev" deleted
customresourcedefinition.apiextensions.k8s.io "operatorversions.kudo.dev" deleted
customresourcedefinition.apiextensions.k8s.io "instances.kudo.dev" deleted
namespace "kudo-system" deleted
serviceaccount "kudo-manager" deleted
clusterrolebinding.rbac.authorization.k8s.io "kudo-manager-rolebinding" deleted
mutatingwebhookconfiguration.admissionregistration.k8s.io "kudo-manager-instance-admission-webhook-config" deleted
service "kudo-controller-manager-service" deleted
statefulset.apps "kudo-controller-manager" deleted
unable to recognize "STDIN": no matches for kind "Issuer" in version "cert-manager.io/v1alpha2"
unable to recognize "STDIN": no matches for kind "Certificate" in version "cert-manager.io/v1alpha2"
we should not try to output issuer and cert if they are not requested.... and/or we need doc updates for users to understand this message.
| } | ||
| if k.certManagerGroup != "" { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
this is odd combo of funcs and state... this function needs intimate knowledge of the detectCertManagerCRD func... which is odd..
there is a lot of refactor here IMO...
detectCertManagerVersionseems like a very specific func name when it could be a generic kube func- we should prefer the return of values rather than the change of values passed by ref. It would be much easy to read and reason about IMO
- it also seems strange that error handling is happening in 2 different ways... we have the return of an err and an adding of an error to the "result" which returns a nil. It isn't clear when one vs the other is appropriate.
|
as I'm looking deeper at code... I don't understand why we do all the checks on the cert-man... if can detect we have a deployment... why check for a container. and then why check for health? This is a moment in time... just because it isn't healthy at this moment... doesn't mean it won't eventually be... and just because it is healthy in this moment... doesn't mean it will be when needed? this seems like a lot of extra and brittle code for questionable value. |
Signed-off-by: Ken Sipe <kensipe@gmail.com>
| func (k *KudoWebHook) resourcesWithCertManager() []runtime.Object { | ||
| // We have to fall back to a default here as for a dry-run we can't detect the actual version of a cluster | ||
| k.issuer = issuer(k.opts.Namespace, certManagerNewGroup, certManagerAPIVersions[0]) | ||
| k.certificate = certificate(k.opts.Namespace, certManagerNewGroup, certManagerAPIVersions[0]) |
There was a problem hiding this comment.
these lines of code... can we get rid of them? Issuer and Certificate do NOT seem to be installed with --unsafe-self-signed-webhook-ca. it is unclear if they are ever used... other than --dry-run -o yaml. If we have a need to provide details around issuer and cert for this model of installation we should do it. If these are needed for a specific style of installation we need to talk about it.
These should be complete removed which will resolve the remaining blocking issue.
There was a problem hiding this comment.
Well, they are not used when --unsafe-self-signed-webhook-ca is used. Issuer and Certificate are created when we don't use a self-signed-ca.
With this refactoring they are detected in the preInstallVerify step and the correct version of Issuer and Certificate for the installed cert-manager are created.
They are then applied in the Install step.
The problem with resources is that this step currently does not use the preInstallVerify step, and it usually doesn't even have a client initialized because it doesn't need an existing K8s cluster at all. Now that we need to detect the correct cert-manager version, we may have to do that. Maybe that's not a bad thing...
|
I pushed a version of cert-man detection that works for konvoy and should work for any distro that provides the standard label of The remaining blocking issue is around the kinds |
Yeah, I like that. And I agree that we probably can get rid of the additional checks for cert-manager health, etc.
The cert is used here: kudo/pkg/kudoctl/kudoinit/prereq/webhook.go Line 248 in 2464231 It's either this or the self-signed-webhook-ca... |
Refactoring of webhook cert-manager detection Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
# Conflicts: # pkg/kudoctl/cmd/testdata/deploy-kudo-webhook.yaml.golden
…r error message when no cluster is reachable Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
Signed-off-by: Ken Sipe <kensipe@gmail.com>
Detect different versions of cert-manager and install the correct CRDs
kudo init --dry-run --output yamluses a default with the newest cert-manager APISigned-off-by: Andreas Neumann aneumann@mesosphere.com