Put router-ca configmap in openshift-config-managed iff needed #110
router-ca configmap if not needed
We got the following failure:
Reviewing the events and operator logs, I believe the following is the sequence of events that results in the failure:
Questions:
/test e2e-aws-operator
/test e2e-aws
Some stuff I found here that needs to be looked at... another major thing which I expected to see here is a change to https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/manifests/manifests.go#L216 — as we had discussed, my understanding is that we should not update the clusteringress spec field for the default. Instead, if the clusteringress secret reference is nil, render a default name into the deployment. That way, we can distinguish between our defaulting and the user's specification of a secret.
Hm, should I move
What about rendering it from ManifestFactory like all the other assets?
We're not using the manifest factory to create the configmap or the namespace, so that seems like a strange place. Also, manifests currently just exports constants that no other package uses. It's weird.
/lgtm
/lgtm cancel
/retest
/lgtm
/lgtm
/retest
Put router-ca configmap in openshift-config-managed

* manifests/00-cluster-role.yaml: Grant the operator create, get, list, watch, and delete access to configmaps.
* pkg/operator/controller/controller.go (GlobalMachineSpecifiedConfigNamespace): New constant for the "openshift-config-managed" namespace.
  (ensureRouterCACertificate): Create the router-ca configmap in openshift-config-managed.
* test/e2e/operator_test.go (TestRouterCACertificate): Get the router-ca configmap from the openshift-config-managed namespace.

Avoid shadowing the errors package

* pkg/operator/controller/controller.go (reconcile): Rename errors variable to errs to avoid shadowing the errors package.

Delete unnecessary caching of the CA certificate

* pkg/operator/controller/controller.go (CACert): Delete.
  (Config): Delete CACert.
  (ensureRouterCACertificate): Delete caching.

Delete router-ca configmap if it is not needed

If there exists no clusteringress that uses the generated default certificate, delete the configmap for the CA certificate. This change makes it straightforward for other components to incorporate cluster-ingress-operator's CA certificate into their trust bundles exactly when some router has a default certificate signed by the CA certificate: The router-ca configmap will exist in the openshift-config-managed namespace iff the certificate CA should be trusted.

This is a follow-up to commit 228c9b3.

Related to NE-139. https://jira.coreos.com/browse/NE-139

* pkg/operator/controller/controller.go (reconcile): Use the new shouldPublishRouterCA function to check whether the CA certificate should be published in a configmap, and use the new ensureRouterCAIsPublished method to create or update it and the new ensureRouterCAIsUnpublished method to delete it as appropriate.
  (ensureRouterForIngress): Use the new ensureDefaultCertificateDeleted method to delete the operator-generated default certificate if .spec.defaultCertificateSecret is set on the clusteringress.
  (ensureDefaultCertificateForIngress): Delete unnecessary comment. Replace ensureRouterCACertificate with getRouterCA.
  (ensureDefaultCertificateDeleted): New function that deletes the operator-generated default certificate.
  (getRouterCA): New function to get the CA, or create it if it does not already exist, using ensureRouterCACertificate.
  (ensureRouterCACertificate): Rename from this...
  (ensureRouterCACertificateSecret): ...to this. Change from returning the CA itself to returning the secret. Delete unnecessary comment. Do not create the configmap, which is now the responsibility of the reconcile function.
  (shouldPublishRouterCA): New function that returns a Boolean value indicating whether there exists any clusteringress that uses the generated default certificate (in which case the CA certificate that was used to generate them should be published).
  (ensureRouterCAIsPublished): New function that creates or updates the configmap as needed.
  (ensureRouterCAIsUnpublished): New function that deletes the configmap.
* pkg/operator/controller/controller_test.go (TestShouldPublishRouterCA): New test for shouldPublishRouterCA.
* test/e2e/operator_test.go (TestClusterIngressUpdate): Make sure that the configmap exists for the default clusteringress, is deleted when the clusteringress has a custom default certificate set, and is recreated when the clusteringress is changed back to using a default certificate generated by the operator.
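The publish/unpublish rule from the last commit message (router-ca exists in openshift-config-managed iff some clusteringress still uses an operator-generated default certificate), together with the reviewer's point above about rendering a default secret name into the deployment rather than writing it into .spec, as an added Go example. This is not the operator's code: the ClusterIngress struct, the router-certs-<name> secret naming, the Plan type and the choice to treat an empty secret name as unset are all assumptions made for the example.

```go
package main

import "fmt"

// ClusterIngress models the one field of the clusteringress resource this
// example needs: the optional user reference to a default-certificate
// secret. A nil pointer means "unset", which is how the operator can tell
// its own defaulting apart from a user's choice: the default secret name is
// rendered into the router deployment, never written back into .spec.
// (Struct is an assumption for this example, not the operator's API type.)
type ClusterIngress struct {
	Name                     string
	DefaultCertificateSecret *string // .spec.defaultCertificateSecret, nil if unset
}

// generatedSecretName is the name of the operator-generated default
// certificate secret for ci. The "router-certs-<name>" pattern is an
// assumption for this example, not the operator's actual naming.
func generatedSecretName(ci ClusterIngress) string {
	return "router-certs-" + ci.Name
}

// defaultCertificateSecretName returns the secret the router deployment for
// ci should mount and whether that secret is operator-generated (and hence
// signed by the operator's router CA). An empty name is treated as unset
// (assumption for this example).
func defaultCertificateSecretName(ci ClusterIngress) (name string, generated bool) {
	if ci.DefaultCertificateSecret != nil && *ci.DefaultCertificateSecret != "" {
		return *ci.DefaultCertificateSecret, false
	}
	return generatedSecretName(ci), true
}

// shouldPublishRouterCA reports whether any clusteringress still relies on
// an operator-generated default certificate. The router-ca configmap should
// exist exactly when this returns true; otherwise consumers that copy it into
// their trust bundles would trust a CA no router actually presents.
func shouldPublishRouterCA(ingresses []ClusterIngress) bool {
	for _, ci := range ingresses {
		if _, generated := defaultCertificateSecretName(ci); generated {
			return true
		}
	}
	return false
}

// Plan is the desired end state of one reconcile pass. PublishCA true means
// create/update router-ca in openshift-config-managed; false means delete it.
// DeleteSecrets lists operator-generated secrets superseded by a user
// certificate and therefore no longer needed.
type Plan struct {
	PublishCA     bool
	DeleteSecrets []string
}

// reconcilePlan computes the plan from the current clusteringresses. It is
// a pure function of its input, so re-running it after a failed apply or a
// retest yields the same plan and is safe to repeat.
func reconcilePlan(ingresses []ClusterIngress) Plan {
	p := Plan{PublishCA: shouldPublishRouterCA(ingresses)}
	for _, ci := range ingresses {
		if _, generated := defaultCertificateSecretName(ci); !generated {
			p.DeleteSecrets = append(p.DeleteSecrets, generatedSecretName(ci))
		}
	}
	return p
}

func main() {
	// Constructed states mirroring the transitions TestClusterIngressUpdate
	// checks: default ingress, then a user-supplied certificate, then back.
	custom := "my-wildcard-cert"
	states := [][]ClusterIngress{
		{{Name: "default"}},
		{{Name: "default", DefaultCertificateSecret: &custom}},
		{{Name: "default"}},
	}
	for i, s := range states {
		fmt.Printf("state %d: %+v\n", i, reconcilePlan(s))
	}
}
```

Because shouldPublishRouterCA scans every clusteringress rather than only the one being reconciled, a second ingress that still uses a generated certificate keeps the configmap published even after the default ingress switches to a custom certificate; the configmap only disappears once no router presents a CA-signed certificate.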
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: ironcladlou, Miciah.
/refresh
/test all
/retest
/retest