fix(kuma-cp) do not replace autogenerated certs #1215
Conversation
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Making |
A couple of suggestions, otherwise OK.
…enerated-secret Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Great! LGTM
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
(cherry picked from commit dc26d88)
# Conflicts:
# app/kumactl/pkg/install/k8s/control-plane/helmtemplates_vfsdata.go
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Summary

The problem

We were overriding autogenerated certs on Kubernetes, therefore you need to restart the pods between upgrades.

The solution

Preserve autogenerated certificates between Kuma upgrades.

HELM

That was tricky. There is no native way to do it in HELM as the issue https://github.com/helm/charts/issues/5167 is still open, but there is a working workaround: read the secret if it already exists and take the values from the secret. We cannot just do the `if is upgrade don't render secret`, because if we don't render the secret it will be deleted.

kumactl

Kumactl uses HELM under the hood to render YAML. Previously we did not require a connection to Kubernetes to render the YAML, which was convenient. The `lookup` function just returns `nil` if you use `Render` instead of `RenderWithClient`, but we want to have the same behavior as in HELM. To do it, `kumactl` now requires a connection to Kubernetes to check the state of secrets and not override them.

Alternative solutions

We could introduce something like `initialSetup` in Values.yaml and instruct the user to set this to false when installing for the first time + use `"helm.sh/resource-policy": keep`, but then we won't clean this secret on delete.

On `kumactl` we could have `install` and `upgrade`, but I think it's much easier to have this in one command.

Full changelog

- `app/kumactl/pkg/k8s`. It was from the early days of Kuma.
- `install dns` and `install control-plane`
- Documentation
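The workaround the description refers to, written out as an added example (this is not the chart code from the PR or from the Kuma project): a Helm template that calls `lookup` for the secret that an earlier release created and, if it is found, re-emits its existing `tls.crt`/`tls.key` instead of generating a fresh pair. The secret name `kuma-tls-cert`, the common names, the 365-day validity and the `.Values.tls.autogenerate` switch are assumptions chosen for the illustration; `lookup`, `genCA` and `genSignedCert` are real Helm/Sprig template functions.

```yaml
# Added example, not the project's chart. Names and values below are assumed.
{{- if .Values.tls.autogenerate }}
# lookup(apiVersion, kind, namespace, name) queries the live cluster.
# It returns an empty map when the object does not exist, or when there is
# no API client at all (helm template, --dry-run, or engine.Render without
# a client), so the "else" branch runs on a fresh install and the
# "if" branch on an upgrade.
{{- $existing := lookup "v1" "Secret" .Release.Namespace "kuma-tls-cert" }}
apiVersion: v1
kind: Secret
metadata:
  name: kuma-tls-cert
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- if $existing }}
  # Upgrade path: carry the previously generated material forward unchanged,
  # so pods that already loaded this cert keep a valid key pair and do not
  # need to be restarted.
  tls.crt: {{ index $existing.data "tls.crt" }}
  tls.key: {{ index $existing.data "tls.key" }}
{{- else }}
  # Fresh install: generate a CA and a leaf cert signed by it.
  # genSignedCert cn ips alternateDNS daysValid ca
  {{- $ca := genCA "kuma-ca" 365 }}
  {{- $cert := genSignedCert "kuma-control-plane" nil nil 365 $ca }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
{{- end }}
```

Because the resource is still rendered on every upgrade, Helm keeps it in the release manifest and does not garbage-collect it, which is the point the description makes about not simply skipping the secret on upgrade. The caveat for `kumactl` follows from the comment in the template: a renderer with no API client sees an empty `lookup` result and would silently regenerate the key pair, so the rendering side must be given a cluster connection for the check to be meaningful.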