Simplify CA Bundle injection for multus admission webhook #761
Conversation
Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
b8a875c to 3a2d240
I've been checking this and I don't see where the openshift-service-ca is used at all, I can't find a single reference to it in the multus admission controller. Do we still need this configmap to be created? I think we may be able to also remove the annotation. @s1061123 can you PTAL?
It's created here: And reconciled here:
No, which is why I removed it
I removed the entire config map, which annotation am I missing?
Ah, you're right, I was referring to the annotation service.beta.openshift.io/inject-cabundle but this is in the mutation webhook now, I didn't know this could be used outside a configmap.
I don't think we have any e2e of the multus admission webhook (grumble grumble) so this will need to be manually tested. I don't really know any of this code so I'm not sure, but it looks like a nice simplification if it does indeed work.
I tested that the admission control webhook got the proper CA bundle injected by the ServiceCA, earlier today. So I am sure that works. I will test that it properly works and validates any
FYI, using https://github.com/openshift/multus-admission-controller#example-of-the-admission-controller-in-action I just validated that it works:
The message
/lgtm cancel
/retest
@dougbtv, could you please take a look at this PR and let us know what you think?
@dougbtv: PTAL
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexanderConstantinescu, danwinship, dougbtv, juanluisvaladas The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest Please review the full test history for this PR and help us cut down flakes.
/override ci/prow/e2e-aws-sdn-multi
@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-sdn-multi In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest Please review the full test history for this PR and help us cut down flakes.
/override ci/prow/e2e-aws-sdn-multi
@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-sdn-multi In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest Please review the full test history for this PR and help us cut down flakes.
Preamble:
Coming soon will be a validating admission webhook for ovn-kubernetes. Leading to that: I investigated the different mechanisms used in OpenShift and in our CNO to generate certs/ca-bundles, realizing that nothing generates these in the same way. Multus has one way of doing it, Kuryr another, OVN another. Deciding to focus on multus, I however realized that multus was severely over-complicating things.
The mechanism to inject the CA bundle into its webhook was: multus-admission-controller/004-configmap.yaml to generate a configmap (openshift-network-operator/openshift-service-ca) with the annotation service.beta.openshift.io/inject-cabundle: "true", which is reconciled by the ServiceCA to inject the proper CA bundle.
In fact, the ServiceCA reconciles any webhook with the annotation service.beta.openshift.io/inject-cabundle: "true" and injects the CA-bundle into the webhook directly. This patch thus removes one operator in the CNO, one config map and consolidates the webhook generation according to a more "standard" procedure for OpenShift.
/assign @dougbtv
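The two shapes the PR description contrasts, written out as manifests. This is an added illustration, not the PR's diff or the cluster-network-operator's own manifests: the annotation key service.beta.openshift.io/inject-cabundle and the ConfigMap name are the ones the description names; the webhook object name, Service name, namespace, port, path and rules are assumptions, and the serving-cert-secret-name annotation on the Service is standard service-ca behaviour that the PR does not change but that the webhook needs so its serving certificate is signed by the same CA.

```yaml
# Added example, not from the PR or the project's manifests.
# Names marked "assumed" are placeholders; the inject-cabundle annotation key
# and the openshift-service-ca ConfigMap name come from the PR description.

# --- Old shape: annotate a ConfigMap. service-ca fills in
#     data["service-ca.crt"]; a controller in the CNO then has to read that
#     key and copy it into the webhook's caBundle, and keep the two in sync.
apiVersion: v1
kind: ConfigMap
metadata:
  name: openshift-service-ca
  namespace: openshift-network-operator
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
# service-ca adds (not written by the author of the manifest):
# data:
#   service-ca.crt: |
#     -----BEGIN CERTIFICATE-----
#     ...
---
# --- New shape: annotate the webhook configuration itself. service-ca writes
#     the CA bundle into webhooks[].clientConfig.caBundle directly, so no
#     ConfigMap and no copying controller are needed. The same annotation
#     works on a ValidatingWebhookConfiguration.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: multus-admission-controller          # assumed name
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
webhooks:
- name: multus-admission-controller.k8s.cni.cncf.io   # assumed name
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail                        # assumed; Ignore would fail open
  rules:                                     # assumed scope
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
  clientConfig:
    service:
      namespace: openshift-multus            # assumed
      name: multus-admission-controller      # assumed
      path: /mutate                          # assumed
    # caBundle deliberately omitted: service-ca injects it.
---
# --- Serving side: the webhook's TLS certificate must chain to the CA that
#     service-ca injects above. Annotating the Service makes service-ca create
#     the named Secret with tls.crt / tls.key signed by that CA.
apiVersion: v1
kind: Service
metadata:
  name: multus-admission-controller          # assumed
  namespace: openshift-multus                # assumed
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: multus-admission-controller-secret
spec:
  ports:
  - port: 443
    targetPort: 6443                         # assumed container port
  selector:
    app: multus-admission-controller         # assumed
```

To confirm the injection actually happened after applying the new shape, read the bundle back out of the webhook object rather than trusting the annotation: `oc get mutatingwebhookconfiguration <name> -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -subject -issuer` should print the service-ca signer, and the same command against the Service's serving Secret (`.data.tls\.crt`) should show a certificate issued by that signer. An empty caBundle with failurePolicy: Fail blocks the matched API requests outright, while an empty one with failurePolicy: Ignore silently skips validation, so check the field, not just the rollout.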