[cert-manager-setup] allow for multiple clusterissuers #380

Merged
merged 3 commits into from
Jan 31, 2020

@alejandroEsc alejandroEsc commented Jan 24, 2020

This change allows one to define multiple certificates, issuers and clusterissuers. Note that it maintains backwards compatibility.

  • fixes a job issue where SA is not defined and so task cannot complete, this is particularly harmful for upgrades
  • removes job that contains a sleep, that isn't necessary.

tested out the chart as mentioned below

@alejandroEsc alejandroEsc requested review from joejulian and a team January 24, 2020 00:28
@alejandroEsc alejandroEsc self-assigned this Jan 24, 2020
joejulian previously approved these changes Jan 24, 2020
@joejulian joejulian left a comment

Worked for me, setting up LE and LE-staging issuers on my home cluster.

@jimmidyson

This is a breaking change to the chart though right? Do we want to handle upgrade without need to change values on upgrade, as in still support clusterissuer if set and clusterissuers is unset?

@alejandroEsc

alejandroEsc commented Jan 24, 2020

> This is a breaking change to the chart though right? Do we want to handle upgrade without need to change values on upgrade, as in still support clusterissuer if set and clusterissuers is unset?

This is absolutely a breaking change. We have upgrade strategies in place, and we can mitigate things as you mention here. But still trying to achieve the right set of features we want from this.

@joejulian

To rephrase what I think I hear Jimmi suggesting:

If you retain the old clusterissuer template and value, but also add the clusterissuers template (as you have), it won't be breaking but will still support the new functionality. Perhaps add something to NOTES.txt warning of a deprecation (if we're deprecating clusterissuer).

@alejandroEsc

alejandroEsc commented Jan 24, 2020

> To rephrase what I think I hear Jimmi suggesting:
>
> If you retain the old clusterissuer template and value, but also add the clusterissuers template (as you have), it won't be breaking but will still support the new functionality. Perhaps add something to NOTES.txt warning of a deprecation (if we're deprecating clusterissuer).

Yes, I agree. What I am saying is I am still figuring out what is missing. As you mention, we can handle the breaking change in this way you suggest.

GoelDeepak previously approved these changes Jan 28, 2020
@GoelDeepak GoelDeepak left a comment

Good work!! lgtm

@joejulian

With a previous install of 0.1.5 with the values of:

clusterissuer:
  name: kubernetes-ca
  spec:
    ca:
      secretName: kubernetes-intermediate-ca

and an upgrade to this version with the values:

---
clusterissuers:
  - name: kubernetes-ca
    spec:
      ca:
        secretName: kubernetes-intermediate-ca
  - name: letsencrypt
    spec:
      acme:
        email: me@joejulian.name
        privateKeySecretRef:
          name: acme-issuer-account-key
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
          - http01:
              ingress:
                class: traefik
  - name: letsencrypt-staging
    spec:
      acme:
        email: me@joejulian.name
        privateKeySecretRef:
          name: acme-staging-issuer-account-key
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        solvers:
          - http01:
              ingress:
                class: traefik
installCertManager: true

Job name: cert-manager-kubeaddons-cert-manager-setup

Error from server (Forbidden): apiservices.apiregistration.k8s.io "v1beta1.webhook.certmanager.k8s.io" is forbidden: User "system:serviceaccount:cert-manager:default" cannot get resource "apiservices" in API group "apiregistration.k8s.io" at the cluster scope

@alejandroEsc

> With a previous install of 0.1.5 with the values of:
>
> clusterissuer:
>   name: kubernetes-ca
>   spec:
>     ca:
>       secretName: kubernetes-intermediate-ca
>
> and an upgrade to this version with the values:
>
> ---
> clusterissuers:
>   - name: kubernetes-ca
>     spec:
>       ca:
>         secretName: kubernetes-intermediate-ca
>   - name: letsencrypt
>     spec:
>       acme:
>         email: me@joejulian.name
>         privateKeySecretRef:
>           name: acme-issuer-account-key
>         server: https://acme-v02.api.letsencrypt.org/directory
>         solvers:
>           - http01:
>               ingress:
>                 class: traefik
>   - name: letsencrypt-staging
>     spec:
>       acme:
>         email: me@joejulian.name
>         privateKeySecretRef:
>           name: acme-staging-issuer-account-key
>         server: https://acme-staging-v02.api.letsencrypt.org/directory
>         solvers:
>           - http01:
>               ingress:
>                 class: traefik
> installCertManager: true
>
> Job name: cert-manager-kubeaddons-cert-manager-setup
>
> Error from server (Forbidden): apiservices.apiregistration.k8s.io "v1beta1.webhook.certmanager.k8s.io" is forbidden: User "system:serviceaccount:cert-manager:default" cannot get resource "apiservices" in API group "apiregistration.k8s.io" at the cluster scope

That may in fact be an issue with the chart itself. Would have to investigate a bit, also did you create the issuers and certificates that you needed? I would like to get a copy of your values chart and test out the upgrade. Thanks for checking in!

@alejandroEsc

So after some investigation, I got things to work out; it turned out that there was no pointer to the SA for the job to follow. Regardless, here is the output of an upgrade:

A new konvoy cluster was created using master kubernetes-base-addons

I used the following values file


issuers:
  - name: kubernetes-root-issuer
    secretName: kubernetes-root-ca

certificates:
  - name: kubernetes-intermediate-ca
    secretName: kubernetes-intermediate-ca
    issuerRef:
      name: kubernetes-root-issuer
      kind: Issuer
      # These are the default usages for reference
      usages:
        - "digital signature"
        - "key encipherment"
    commonName: cert-manager
    duration: 87600h
    dnsNames: []

clusterissuers:
  - name: kubernetes-ca
    spec:
      ca:
        secretName: kubernetes-intermediate-ca

# DEPRECATED, please use the above issuers, certificates and clusterissuers
clusterissuer: {}

Then I ran the upgrade commands

$ helm upgrade --install cert-manager-kubeaddons --values myvalues.yaml --namespace cert-manager ./
Release "cert-manager-kubeaddons" has been upgraded.
LAST DEPLOYED: Thu Jan 30 12:38:12 2020
NAMESPACE: cert-manager
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                                               AGE
cert-manager-kubeaddons-edit                       4m57s
cert-manager-kubeaddons-view                       4m57s
cert-manager-kubeaddons-webhook:webhook-requester  4m57s

==> v1/Deployment
NAME                                AGE
cert-manager-kubeaddons             4m57s
cert-manager-kubeaddons-cainjector  4m57s
cert-manager-kubeaddons-webhook     4m57s

==> v1/Pod(related)
NAME                                                 AGE
cert-manager-kubeaddons-7d7f98fbc6-c94g5             4m57s
cert-manager-kubeaddons-cainjector-6dcd94769b-mnhqc  4m57s
cert-manager-kubeaddons-webhook-77fbc6d59b-9t5kd     4m57s

==> v1/Service
NAME                             AGE
cert-manager-kubeaddons          4m57s
cert-manager-kubeaddons-webhook  4m57s

==> v1/ServiceAccount
NAME                                AGE
cert-manager-kubeaddons             4m57s
cert-manager-kubeaddons-cainjector  4m57s
cert-manager-kubeaddons-webhook     4m57s

==> v1beta1/APIService
NAME                                AGE
v1beta1.webhook.certmanager.k8s.io  4m57s

==> v1beta1/ClusterRole
NAME                                               AGE
cert-manager-kubeaddons-cainjector                 4m57s
cert-manager-kubeaddons-controller-certificates    4m57s
cert-manager-kubeaddons-controller-challenges      4m57s
cert-manager-kubeaddons-controller-clusterissuers  4m57s
cert-manager-kubeaddons-controller-ingress-shim    4m57s
cert-manager-kubeaddons-controller-issuers         4m57s
cert-manager-kubeaddons-controller-orders          4m57s
cert-manager-kubeaddons-leaderelection             4m57s

==> v1beta1/ClusterRoleBinding
NAME                                               AGE
cert-manager-kubeaddons-cainjector                 4m57s
cert-manager-kubeaddons-controller-certificates    4m57s
cert-manager-kubeaddons-controller-challenges      4m57s
cert-manager-kubeaddons-controller-clusterissuers  4m57s
cert-manager-kubeaddons-controller-ingress-shim    4m57s
cert-manager-kubeaddons-controller-issuers         4m57s
cert-manager-kubeaddons-controller-orders          4m57s
cert-manager-kubeaddons-leaderelection             4m57s
cert-manager-kubeaddons-webhook:auth-delegator     4m57s

==> v1beta1/MutatingWebhookConfiguration
NAME                             AGE
cert-manager-kubeaddons-webhook  4m57s

==> v1beta1/RoleBinding
NAME                                                           AGE
cert-manager-kubeaddons-webhook:webhook-authentication-reader  4m57s

==> v1beta1/ValidatingWebhookConfiguration
NAME                             AGE
cert-manager-kubeaddons-webhook  4m57s


NOTES:
Deploys cert-manager and submits the kubernetes-ca ClusterIssuer post installation.

with helm list

$ helm list
NAME                           	REVISION	UPDATED                 	STATUS  	CHART                      	APP VERSION	NAMESPACE
cert-manager-kubeaddons        	2       	Thu Jan 30 12:38:12 2020	DEPLOYED	cert-manager-setup-0.1.8   	0.10.1     	cert-manager

The upgrade process succeeded and did not get any of the issues you saw, the issuers, certificates, and clusterissuers were as expected. I was able to log into the cluster with no perceivable issues.
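
The Forbidden error quoted in this thread names the exact verb, resource and object the setup Job was denied while running as the namespace's `default` ServiceAccount. The manifests below are an added example, not the chart's own templates or the change merged in this pull request: they give the Job a dedicated ServiceAccount and grant only that one permission. The ServiceAccount, ClusterRole, ClusterRoleBinding and Job names and the container image are hypothetical; the namespace, API group and APIService name come from the error message.

```yaml
# Added illustration. Hypothetical names: cert-manager-setup-job, cert-manager-setup,
# and the placeholder image. Taken from the error message: namespace cert-manager,
# API group apiregistration.k8s.io, object v1beta1.webhook.certmanager.k8s.io.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-setup-job
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-setup-job
rules:
  # Exactly what the denial names: "get" on one APIService object.
  # Any further calls the Job makes need their own, equally narrow rules.
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    resourceNames: ["v1beta1.webhook.certmanager.k8s.io"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-setup-job
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-setup-job
subjects:
  # Bind the dedicated account, not "default": a role bound to the default
  # ServiceAccount is inherited by every pod in the namespace that does not
  # set serviceAccountName.
  - kind: ServiceAccount
    name: cert-manager-setup-job
    namespace: cert-manager
---
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-manager-setup
  namespace: cert-manager
spec:
  backoffLimit: 3
  template:
    spec:
      # Omitting this field makes the pod run as
      # system:serviceaccount:cert-manager:default, the identity in the error.
      serviceAccountName: cert-manager-setup-job
      restartPolicy: OnFailure
      containers:
        - name: check-webhook-apiservice
          image: registry.example.invalid/kubectl:placeholder  # placeholder image
          command:
            - kubectl
            - get
            - apiservice
            - v1beta1.webhook.certmanager.k8s.io
```

The grant can be checked before the Job runs with `kubectl auth can-i get apiservices.apiregistration.k8s.io/v1beta1.webhook.certmanager.k8s.io --as=system:serviceaccount:cert-manager:cert-manager-setup-job`; the same query with `--as=system:serviceaccount:cert-manager:default` should still answer `no`.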

joejulian previously approved these changes Jan 30, 2020
@joejulian joejulian left a comment

Thanks for fixing the other stuff this exposed.

Co-Authored-By: Shane Utt <shaneutt@users.noreply.github.com>
@alejandroEsc alejandroEsc merged commit 9a2824b into master Jan 31, 2020
@alejandroEsc alejandroEsc deleted the ae/DCOS-63297 branch January 31, 2020 00:01
mesosphere-teamcity pushed a commit that referenced this pull request Jan 31, 2020
…-manager-setup] allow for multiple clusterissuers
* fix: allow job point to the default sa to get privileges and perform task
* Update staging/cert-manager-setup/templates/clusterrole.yaml

Co-Authored-By: Shane Utt <shaneutt@users.noreply.github.com>
Co-authored-by: Shane Utt <shaneutt@users.noreply.github.com>
joejulian added a commit that referenced this pull request Mar 6, 2020
[Documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/v0.5.0/docs/README.md)

filename  | sha512 hash
--------- | ------------
[v0.5.0.zip](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/archive/v0.5.0.zip) | `c53327e090352a7f79ee642dbf8c211733f4a2cb78968ec688a1eade55151e65f1f97cd228d22168317439f1db9f3d2f07dcaa2873f44732ad23aaf632cbef3a`
[v0.5.0.tar.gz](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/archive/v0.5.0.tar.gz) | `ec4963d34c601cdf718838d90b8aa6f36b16c9ac127743e73fbe76118a606d41aced116aaaab73370c17bcc536945d5ccd735bc5a4a00f523025c8e41ddedcb8`

* Add a cmdline option to add extra volume tags ([#353](kubernetes-sigs/aws-ebs-csi-driver#353), [@jieyu](https://github.com/jieyu))
* Switch to use kustomize for manifest ([#360](kubernetes-sigs/aws-ebs-csi-driver#360), [@leakingtapan](https://github.com/leakingtapan))
* enable users to set ec2-endpoint for nonstandard regions ([#369](kubernetes-sigs/aws-ebs-csi-driver#369), [@amdonov](https://github.com/amdonov))
* Add standard volume type ([#379](kubernetes-sigs/aws-ebs-csi-driver#379), [@leakingtapan](https://github.com/leakingtapan))
* Update aws sdk version to enable EKS IAM for SA ([#386](kubernetes-sigs/aws-ebs-csi-driver#386), [@leakingtapan](https://github.com/leakingtapan))
* Implement different driver modes and AWS Region override for controller service ([#438](kubernetes-sigs/aws-ebs-csi-driver#438), [@rfranzke](https://github.com/rfranzke))
* Add manifest files for snapshotter 2.0 ([#452](kubernetes-sigs/aws-ebs-csi-driver#452), [@leakingtapan](https://github.com/leakingtapan))

* Return success if instance or volume are not found ([#375](kubernetes-sigs/aws-ebs-csi-driver#375), [@bertinatto](https://github.com/bertinatto))
* Patch k8scsi sidecars CVE-2019-11255 ([#413](kubernetes-sigs/aws-ebs-csi-driver#413), [@jnaulty](https://github.com/jnaulty))
* Handle mount flags in NodeStageVolume ([#430](kubernetes-sigs/aws-ebs-csi-driver#430), [@bertinatto](https://github.com/bertinatto))

* Run upstream e2e test suites with migration  ([#341](kubernetes-sigs/aws-ebs-csi-driver#341), [@wongma7](https://github.com/wongma7))
* Use new test framework for test orchestration ([#359](kubernetes-sigs/aws-ebs-csi-driver#359), [@leakingtapan](https://github.com/leakingtapan))
* Update to use 1.16 cluster with inline test enabled ([#362](kubernetes-sigs/aws-ebs-csi-driver#362), [@leakingtapan](https://github.com/leakingtapan))
* Enable leader election ([#380](kubernetes-sigs/aws-ebs-csi-driver#380), [@leakingtapan](https://github.com/leakingtapan))
* Update go mod and mount library ([#388](kubernetes-sigs/aws-ebs-csi-driver#388), [@leakingtapan](https://github.com/leakingtapan))
* Refactor NewCloud by pass in region ([#394](kubernetes-sigs/aws-ebs-csi-driver#394), [@leakingtapan](https://github.com/leakingtapan))
* helm: provide an option to set extra volume tags ([#396](kubernetes-sigs/aws-ebs-csi-driver#396), [@jieyu](https://github.com/jieyu))
* Allow override for csi-provisioner image ([#401](kubernetes-sigs/aws-ebs-csi-driver#401), [@gliptak](https://github.com/gliptak))
* Enable volume expansion e2e test for CSI migration ([#407](kubernetes-sigs/aws-ebs-csi-driver#407), [@leakingtapan](https://github.com/leakingtapan))
* Switch to use kops 1.16 ([#409](kubernetes-sigs/aws-ebs-csi-driver#409), [@leakingtapan](https://github.com/leakingtapan))
* Added tolerations for node support ([#420](kubernetes-sigs/aws-ebs-csi-driver#420), [@zerkms](https://github.com/zerkms))
* Update helm chart to better match available values and add the ability to add annotations ([#423](kubernetes-sigs/aws-ebs-csi-driver#423), [@krmichel](https://github.com/krmichel))
* [helm] Also add toleration support to controller ([#433](kubernetes-sigs/aws-ebs-csi-driver#433), [@jyaworski](https://github.com/jyaworski))
* Add ec2:ModifyVolume action ([#434](kubernetes-sigs/aws-ebs-csi-driver#434), [@zodiac12k](https://github.com/zodiac12k))
* Schedule the EBS CSI DaemonSet on all nodes by default ([#441](kubernetes-sigs/aws-ebs-csi-driver#441), [@pcfens](https://github.com/pcfens))
joejulian added a commit that referenced this pull request Mar 9, 2020
sebbrandt87 pushed a commit that referenced this pull request Mar 18, 2020
hectorj2f pushed a commit that referenced this pull request Mar 19, 2020
* chore: update aws-ebs-csi-driver from 0.4.0 to 0.5.0

[Documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/v0.5.0/docs/README.md)

filename  | sha512 hash
--------- | ------------
[v0.5.0.zip](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/archive/v0.5.0.zip) | `c53327e090352a7f79ee642dbf8c211733f4a2cb78968ec688a1eade55151e65f1f97cd228d22168317439f1db9f3d2f07dcaa2873f44732ad23aaf632cbef3a`
[v0.5.0.tar.gz](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/archive/v0.5.0.tar.gz) | `ec4963d34c601cdf718838d90b8aa6f36b16c9ac127743e73fbe76118a606d41aced116aaaab73370c17bcc536945d5ccd735bc5a4a00f523025c8e41ddedcb8`

* Add a cmdline option to add extra volume tags ([#353](kubernetes-sigs/aws-ebs-csi-driver#353), [@jieyu](https://github.com/jieyu))
* Switch to use kustomize for manifest ([#360](kubernetes-sigs/aws-ebs-csi-driver#360), [@leakingtapan](https://github.com/leakingtapan))
* enable users to set ec2-endpoint for nonstandard regions ([#369](kubernetes-sigs/aws-ebs-csi-driver#369), [@amdonov](https://github.com/amdonov))
* Add standard volume type ([#379](kubernetes-sigs/aws-ebs-csi-driver#379), [@leakingtapan](https://github.com/leakingtapan))
* Update aws sdk version to enable EKS IAM for SA ([#386](kubernetes-sigs/aws-ebs-csi-driver#386), [@leakingtapan](https://github.com/leakingtapan))
* Implement different driver modes and AWS Region override for controller service ([#438](kubernetes-sigs/aws-ebs-csi-driver#438), [@rfranzke](https://github.com/rfranzke))
* Add manifest files for snapshotter 2.0 ([#452](kubernetes-sigs/aws-ebs-csi-driver#452), [@leakingtapan](https://github.com/leakingtapan))

* Return success if instance or volume are not found ([#375](kubernetes-sigs/aws-ebs-csi-driver#375), [@bertinatto](https://github.com/bertinatto))
* Patch k8scsi sidecars CVE-2019-11255 ([#413](kubernetes-sigs/aws-ebs-csi-driver#413), [@jnaulty](https://github.com/jnaulty))
* Handle mount flags in NodeStageVolume ([#430](kubernetes-sigs/aws-ebs-csi-driver#430), [@bertinatto](https://github.com/bertinatto))

* Run upstream e2e test suites with migration  ([#341](kubernetes-sigs/aws-ebs-csi-driver#341), [@wongma7](https://github.com/wongma7))
* Use new test framework for test orchestration ([#359](kubernetes-sigs/aws-ebs-csi-driver#359), [@leakingtapan](https://github.com/leakingtapan))
* Update to use 1.16 cluster with inline test enabled ([#362](kubernetes-sigs/aws-ebs-csi-driver#362), [@leakingtapan](https://github.com/leakingtapan))
* Enable leader election ([#380](kubernetes-sigs/aws-ebs-csi-driver#380), [@leakingtapan](https://github.com/leakingtapan))
* Update go mod and mount library ([#388](kubernetes-sigs/aws-ebs-csi-driver#388), [@leakingtapan](https://github.com/leakingtapan))
* Refactor NewCloud by pass in region ([#394](kubernetes-sigs/aws-ebs-csi-driver#394), [@leakingtapan](https://github.com/leakingtapan))
* helm: provide an option to set extra volume tags ([#396](kubernetes-sigs/aws-ebs-csi-driver#396), [@jieyu](https://github.com/jieyu))
* Allow override for csi-provisioner image ([#401](kubernetes-sigs/aws-ebs-csi-driver#401), [@gliptak](https://github.com/gliptak))
* Enable volume expansion e2e test for CSI migration ([#407](kubernetes-sigs/aws-ebs-csi-driver#407), [@leakingtapan](https://github.com/leakingtapan))
* Switch to use kops 1.16 ([#409](kubernetes-sigs/aws-ebs-csi-driver#409), [@leakingtapan](https://github.com/leakingtapan))
* Added tolerations for node support ([#420](kubernetes-sigs/aws-ebs-csi-driver#420), [@zerkms](https://github.com/zerkms))
* Update helm chart to better match available values and add the ability to add annotations ([#423](kubernetes-sigs/aws-ebs-csi-driver#423), [@krmichel](https://github.com/krmichel))
* [helm] Also add toleration support to controller ([#433](kubernetes-sigs/aws-ebs-csi-driver#433), [@jyaworski](https://github.com/jyaworski))
* Add ec2:ModifyVolume action ([#434](kubernetes-sigs/aws-ebs-csi-driver#434), [@zodiac12k](https://github.com/zodiac12k))
* Schedule the EBS CSI DaemonSet on all nodes by default ([#441](kubernetes-sigs/aws-ebs-csi-driver#441), [@pcfens](https://github.com/pcfens))

* bump chart version

* chore: bump liveness probe from 1.1.0 to 2.0.0

- Introduce V(5) on the health check begin/success log lines to allow filtering of these entries from logs. If you would like to retain these log entries the action required would be to set `-v==5` or higher for the livenessprobe container. ([#57](kubernetes-csi/livenessprobe#57), [@stefansedich](https://github.com/stefansedich))
- Deprecated "--connection-timeout" argument has been removed. ([#59](kubernetes-csi/livenessprobe#59), [@msau42](https://github.com/msau42))

- Fix nil pointer bug when driver responds with not ready ([#58](kubernetes-csi/livenessprobe#58), [@scuzhanglei](https://github.com/scuzhanglei))
- Migrated to Go modules, so the source builds also outside of GOPATH. ([#53](kubernetes-csi/livenessprobe#53), [@pohly](https://github.com/pohly))

* chore: bump csi external-provisioner from 1.3.0 to 1.4.0

All external-provisioner versions < 1.4.0 are deprecated and will stop
functioning in Kubernetes v1.20. See
[#323](kubernetes-csi/external-provisioner#323) and
[k/k#80978](kubernetes/kubernetes#80978) for more
details. Upgrade your external-provisioner to v1.4+ before Kubernetes v1.20.

None

- Fixes migration scenarios for Topology, fstype, and accessmodes for the kubernetes.io/gce-pd in-tree plugin ([#277](kubernetes-csi/external-provisioner#277), [@davidz627](https://github.com/davidz627))
- Checks if volume content source is populated if creating a volume from a snapshot source. ([#283](kubernetes-csi/external-provisioner#283), [@zhucan](https://github.com/zhucan))
- Fixes issue when SelfLink removal is turned on in Kubernetes. ([#323](kubernetes-csi/external-provisioner#323), [@msau42](https://github.com/msau42))
- CSI driver can return `CreateVolumeResponse` with size 0, which means unknown volume size.
In this case, Provisioner will use PVC requested size as PV size rather than 0 bytes ([#271](kubernetes-csi/external-provisioner#271), [@hoyho](https://github.com/hoyho))
- Fixed potential leak of volumes after CSI driver timeouts. ([#312](kubernetes-csi/external-provisioner#312), [@jsafrane](https://github.com/jsafrane))
- Fixes issue where provisioner provisions volumes for in-tree PVC's which have not been migrated ([#341](kubernetes-csi/external-provisioner#341), [@davidz627](https://github.com/davidz627))
- Send the CSI volume_id instead of  PVC Name to the csi-driver in volumeCreate when datasource  is PVC ([#310](kubernetes-csi/external-provisioner#310), [@Madhu-1](https://github.com/Madhu-1))
- Fixes nil pointer dereference in log when migration turned on ([#342](kubernetes-csi/external-provisioner#342), [@davidz627](https://github.com/davidz627))
- Handle deletion of CSI migrated volumes ([#273](kubernetes-csi/external-provisioner#273), [@ddebroy](https://github.com/ddebroy))
- Reduced logging noise of unrelated PVCs. Emit event on successful provisioning. ([#351](kubernetes-csi/external-provisioner#351), [@jsafrane](https://github.com/jsafrane))
- Added extra verification of source Snapshot and PersistentVolumeClaim before provisioning. ([#352](kubernetes-csi/external-provisioner#352), [@jsafrane](https://github.com/jsafrane))

* chore: bump attacher

* Fixed handling of ControllerUnpublish errors. The attacher will retry to ControllerUnpublish a volume after any error except for NotFound. (#168, @jsafrane)

* bump external-snapshotter from 1.1.0 to 1.2.2

Breaking Changes

* Changes the API group name for the fake VolumeSnapshot object to "snapshot.storage.k8s.io" to be in-sync with the group name of the real VolumeSnapshot object. As a result, the generated interfaces for clientset and informers of VolumeSnapshot are also changed from "VolumeSnapshot" to "Snapshot". (#123, @xing-yang)

New Features

* Adds Finalizer on the snapshot source PVC to prevent it from being deleted when a snapshot is being created from it. (#47, @xing-yang)

Other Notable Changes

* Add Status subresource for VolumeSnapshot. (#121, @zhucan)
* Cherry picks PR #138: Prebound snapshots will work correctly with CSI drivers that do not support ListSnapshots. (#156, @hakanmemisoglu)
* Cherry picks PR #172: Added extra verification of source PersistentVolumeClaim before creating snapshot. (#173, @xing-yang)

* bump external-resizer from 0.2.0 to 0.4.0

New Features

* Add prometheus metrics to CSI external-resizer under the /metrics endpoint. This can be enabled via the "--metrics-address" and "--metrics-path" options. (#67, @saad-ali)

Bug Fixes

* Avoid concurrent processing of same PVCs (#6, @mlmhl)
* Exit on CSI gRPC conn loss (#55, @ggriffiths)
* Verify claimref associated with PVs before resizing (#57, @gnufied)

Other Notable Changes

* Migrated to Go modules, so the source builds also outside of GOPATH. (#60, @pohly)

* feat(awsebscsiprovisioner): updated awsebscsiprovisioner flags

- updated args as mentioned in comments
- updated container versions as mentioned in the comments

D2IQ-64990 #comment updated awsebscsiprovisioner pod arg

* feat(awsebscsiprovisioner): added podAnnotations

- added statefulSet.podAnnotations feature
- added new roles and snapshotter-controller
- added more values to be settable

D2IQ-64992 #comment updated awsebscsiprovisioner to include statefulSet.podAnnotations

* fix: added replacing system-x-critical replacement

- this was added for being able to run the ct install / upgrade behaviour
so that we can also test with pods that have that priorityClassName set, which normally get a
system-node-critical or system-cluster-critical priorityClassName set.
These will only be allowed to run in namespace kube-system, and therefore
we need to drop the priorityClassName here to null for our tests.
- separated lint and install, as otherwise lint would fail because of the sed changes
- exclude gcp-csi-driver [D2IQ-65765]

[D2IQ-65765]: https://jira.d2iq.com/browse/D2IQ-65765

Co-authored-by: Sebastian Brandt <793580+sebbrandt87@users.noreply.github.com>
mesosphere-teamcity pushed a commit that referenced this pull request Mar 19, 2020