feat(kuma-cp) Secrets validation on K8S #696

Merged
merged 2 commits into from
Apr 29, 2020

jakubdyszkiewicz

Summary

Since Kuma Secrets on K8S can be applied directly using kubectl, we need to validate those.

I added validation that:

  • the mesh exists
  • you cannot change the mesh of the secret
  • data in secrets exist

@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team April 24, 2020 11:09
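
The three rules listed in the summary above, sketched as an added Go example (not code from this pull request or from Kuma). The `Secret` type, the `Validate` and `hasData` functions, and the `value` data key are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Secret is a hypothetical, simplified view of the object under admission.
type Secret struct {
	Mesh string            // assumed: name of the mesh that owns the secret
	Data map[string][]byte // secret payload
}

// Validate returns "" when the request is allowed, otherwise every violated rule.
// op is the admission operation; old is nil on CREATE. meshes is the set of
// existing mesh names (supplied by the caller in this sketch).
func Validate(op string, old, cur *Secret, meshes map[string]bool) string {
	if op != "CREATE" && op != "UPDATE" {
		return "" // other operations are not validated in this sketch
	}
	var v []string
	if !meshes[cur.Mesh] {
		v = append(v, fmt.Sprintf("mesh %q does not exist", cur.Mesh))
	}
	if op == "UPDATE" && old != nil && old.Mesh != cur.Mesh {
		v = append(v, fmt.Sprintf("mesh is immutable (%q -> %q)", old.Mesh, cur.Mesh))
	}
	if !hasData(cur.Data) {
		v = append(v, "data must not be empty")
	}
	return strings.Join(v, "; ")
}

// hasData reports whether at least one key carries a non-empty value.
func hasData(d map[string][]byte) bool {
	for _, b := range d {
		if len(b) > 0 {
			return true
		}
	}
	return false
}

func main() {
	meshes := map[string]bool{"default": true} // constructed sample state
	stored := &Secret{Mesh: "default", Data: map[string][]byte{"value": []byte("x")}}
	moved := &Secret{Mesh: "other", Data: map[string][]byte{"value": nil}}
	fmt.Println(Validate("UPDATE", stored, moved, meshes))
}
```

Reporting all violations at once, rather than stopping at the first, lets a user fix a rejected `kubectl apply` in one pass.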
@@ -235,3 +235,21 @@ webhooks:
- UPDATE
resources:
- services
- name: secret.validator.kuma-admission.kuma.io
failurePolicy: Fail
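Review bot: `failurePolicy: Fail` on `secret.validator.kuma-admission.kuma.io` makes every request this webhook matches fail closed when the webhook endpoint cannot be reached, which suits a validator but ties Secret writes to control-plane availability. The `rules` for this entry are not visible in the lines shown, so please confirm they match only the Secrets Kuma owns, and consider documenting the fail-closed behaviour next to the entry.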
Contributor

The question arose from my merging injector and kuma-cp:
Why is injector.failurePolicy parametrized and by default equal to Ignore, unlike all other webhooks, which have failurePolicy hardcoded and equal to Fail?

Contributor Author

I'm not the original author of injector, but my guess is that we don't want to stop the deployment even if Kuma DP fails to be injected.

@jakubdyszkiewicz jakubdyszkiewicz merged commit 749b6db into master Apr 29, 2020
@jakubdyszkiewicz jakubdyszkiewicz deleted the feat/secrets-k8s-validation branch October 15, 2020 11:56