OSSM-3235 Ensure operator can't deadlock because istiod isn't running #1155
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod. Here, we configure the webhook with an objectSelector that excludes resources with the `maistra-version` label. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.
|
Whoever reviews this, please think about the impact of the users being able to bypass the webhook. |
dgn
approved these changes
Apr 11, 2023
luksa
added a commit
to luksa/istio-operator
that referenced
this pull request
Apr 14, 2023
…maistra#1155) If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod. Here, we configure the webhook with an objectSelector that excludes resources with the `maistra-version` label. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.
luksa
added a commit
to luksa/istio-operator
that referenced
this pull request
Apr 14, 2023
…maistra#1155) If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod. Here, we configure the webhook with an objectSelector that excludes resources with the `maistra-version` label. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.
openshift-merge-robot
pushed a commit
that referenced
this pull request
Apr 14, 2023
…#1155) (#1166) If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod. Here, we configure the webhook with an objectSelector that excludes resources with the `maistra-version` label. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.
openshift-merge-robot
pushed a commit
that referenced
this pull request
Apr 14, 2023
…#1155) (#1165) If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod. Here, we configure the webhook with an objectSelector that excludes resources with the `maistra-version` label. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If istiod isn't running, but the validating webhook configuration resource is in place, the operator may not be able to reconcile the SMCP and reset istiod.
Here, we configure the webhook with an objectSelector that excludes resources with the
maistra-versionlabel. All resources created by the operator for the SMCP contain this label and thus don't trigger the webhook. This allows the operator to complete the reconciliation even if the webhook is offline.