New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Status handling for RouteHealth #399
Conversation
66ff13d
to
a23ec0b
Compare
pkg/api/api.go
Outdated
|
||
const ( | ||
DefaultIngressCertFilePath = "/var/default-ingress-cert/ca-bundle.crt" | ||
OAuthEndpointCAFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unused?
pkg/console/operator/sync_v400.go
Outdated
caCertPool = x509.NewCertPool() | ||
} | ||
|
||
trustedCA, tcaErr := co.configMapClient.ConfigMaps(api.OpenShiftConsoleNamespace).Get(api.TrustedCAConfigMapName, metav1.GetOptions{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You may want to have a cached client here (if it isn't already).
pkg/console/operator/sync_v400.go
Outdated
|
||
trustedCA, tcaErr := co.configMapClient.ConfigMaps(api.OpenShiftConsoleNamespace).Get(api.TrustedCAConfigMapName, metav1.GetOptions{}) | ||
if tcaErr != nil { | ||
klog.V(4).Infof("failed to GET configmap %s in %s (synced from %ss)", api.TrustedCAConfigMapName, api.OpenShiftConsoleNamespace, api.OpenShiftConfigManagedNamespace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this true? The trusted-CAs should be retrieved by having a CM be injected by the network-operator rather than being synced.
pkg/console/operator/sync_v400.go
Outdated
caCertPool.AppendCertsFromPEM([]byte(trustedCABundle)) | ||
|
||
ingressCA, icaErr := co.configMapClient.ConfigMaps(api.OpenShiftConsoleNamespace).Get(api.DefaultIngressCertConfigMapName, metav1.GetOptions{}) | ||
if icaErr != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for _, cmName := range []string{api.TrustedCAConfigMapName, api.DefaultIngressCertConfigMapName} {
cm, err := co.configMapClient.ConfigMaps(api.OpenShiftConsoleNamespace).Get(cmName, metav1.GetOptions{})
if err != nil {
klog.V(4).Infof("failed to GET configmap %s / %s ", api.OpenShiftConsoleNamespace, cmName)
}
caCertPool.AppendCertsFromPEM([]byte(cm.Data["ca.crt"]))
}
or you may consider mounting the configmaps
pkg/console/operator/sync_v400.go
Outdated
} | ||
|
||
func (co *consoleOperator) getCA() (*x509.CertPool, error) { | ||
caCertPool, _ := x509.SystemCertPool() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the trusted-ca bundle should contain all the certificates necessary to communicate with the outer world so you may omit this or mount it to the operator
pkg/console/operator/sync_v400.go
Outdated
return nil, tcaErr | ||
} | ||
trustedCABundle := trustedCA.Data[api.TrustedCABundleKey] | ||
caCertPool.AppendCertsFromPEM([]byte(trustedCABundle)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe add a debug log if AppendCertsFromPEM
returns false
@stlaz comments addressed. Thanks ! |
pkg/console/operator/sync_v400.go
Outdated
@@ -61,6 +65,7 @@ func (co *consoleOperator) sync_v400(updatedOperatorConfig *operatorv1.Console, | |||
if rtErr != nil { | |||
return rtErr | |||
} | |||
co.CheckRouteHealth(updatedOperatorConfig, rt) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm inclined to move this to the route controller here:
After the sync.
@benjaminapetersen comments addressed! PTAL |
/retest |
1 similar comment
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benjaminapetersen, jhadvig The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Rework of #334
/assign @benjaminapetersen