STOR-1442: Restart webhook Pods if webhook-serving-cert changed #83
Conversation
The secret `shared-resource-csi-driver-webhook-serving-cert` is bound to the CA cert by the annotation `service.beta.openshift.io/serving-cert-secret-name`. This means that if the CA cert is rotated, the secret `shared-resource-csi-driver-webhook-serving-cert` will be updated automatically too. This secret holds the TLS cert and key which are used to secure the HTTP connection to the webhook server started by the OpenShift Shared Resource CSI Driver. If the cert and key are updated, we need to restart the CSI driver Pod to re-read the new keys. Otherwise, clients coming with the new cert won't be able to communicate with the server still running with the older key/cert.
@mpatlasov: This pull request references STOR-1442 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This PR is the same as #82, but for the webhook secret/pods. We don't have any more secrets depending on the CA for now:
/assign @adambkaplan
/cc @jsafrane @openshift/storage
@mpatlasov: GitHub didn't allow me to request PR reviews from the following users: openshift/storage. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Pre verify passed with the pre-merged build #

After the metrics-serving-cert secret changed, driver controller restarted:

```
$ oc delete secret shared-resource-csi-driver-webhook-serving-cert
secret "shared-resource-csi-driver-webhook-serving-cert" deleted
$ oc get po -l name=shared-resource-csi-driver-webhook -w
NAME                                                  READY   STATUS              RESTARTS   AGE
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   1/1     Running             0          6s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   1/1     Running             0          6s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   1/1     Terminating         0          16s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   0/1     Terminating         0          16s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   0/1     Terminating         0          17s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   0/1     Terminating         0          17s
shared-resource-csi-driver-webhook-7666c65cf5-v8g7j   0/1     Terminating         0          17s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     ContainerCreating   0          1s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     ContainerCreating   0          1s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Terminating         0          1s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Terminating         0          1s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   0/1     Pending             0          0s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   0/1     ContainerCreating   0          0s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   1/1     Terminating         0          1s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   0/1     ContainerCreating   0          1s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   0/1     ContainerCreating   0          1s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   1/1     Terminating         0          2s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Terminating         0          2s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   1/1     Running             0          1s
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   1/1     Terminating         0          18s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   1/1     Running             0          2s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-559d4c5b57-njbg7   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-559d4c5b57-qjtsf   0/1     Terminating         0          3s
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   0/1     Terminating         0          20s
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   0/1     Terminating         0          20s
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   0/1     Terminating         0          20s
shared-resource-csi-driver-webhook-7666c65cf5-h6kh8   0/1     Terminating         0          20s
$ oc get po -l name=shared-resource-csi-driver-webhook
NAME                                                  READY   STATUS    RESTARTS   AGE
shared-resource-csi-driver-webhook-6f4b497f54-2dbq4   1/1     Running   0          2m53s
shared-resource-csi-driver-webhook-6f4b497f54-cltr7   1/1     Running   0          2m53s
```
/label qe-approved
/lgtm
@adambkaplan @gabemontero can you please approve?
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, jsafrane, mpatlasov The full list of commands accepted by this bot can be found here. The pull request process is described here
@mpatlasov: all tests passed!
Adding `WithSecretHashAnnotationHook()` for `shared-resource-csi-driver-webhook-serving-cert` ensures that the new annotation is published in the `shared-resource-csi-driver-webhook` Deployment. This, in turn, leads to a restart of the webhook pods.
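The mechanism described in the PR description and in the comment above, as an added stdlib-only Go example that is not the project's or library-go's own code: a deterministic hash of the secret's data is written into a pod-template annotation, so a rotated cert changes the template and the Deployment controller replaces the pods. The `Secret`/`Deployment` types and the annotation key are constructed stand-ins, not the real Kubernetes or library-go names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Secret and Deployment are minimal stand-ins for the Kubernetes objects (constructed
// types, not client-go's); only the secret data and the pod-template annotations matter.
type Secret struct {
	Name string
	Data map[string][]byte
}
type Deployment struct{ TemplateAnnotations map[string]string }

// secretHash digests the secret's data with keys in sorted order, so the result
// is deterministic regardless of Go's map iteration order.
func secretHash(s *Secret) string {
	keys := make([]string, 0, len(s.Data))
	for k := range s.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		// key and value are length-delimited so ("a","bc") and ("ab","c") cannot collide
		fmt.Fprintf(h, "%d:%s=%d:", len(k), k, len(s.Data[k]))
		h.Write(s.Data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// withSecretHashAnnotation stores the hash in a per-secret pod-template annotation.
// A changed annotation changes the pod template, so the Deployment controller rolls
// out new pods, which re-read the rotated cert and key. The annotation key is hypothetical.
func withSecretHashAnnotation(d *Deployment, s *Secret) (rolloutNeeded bool) {
	key := "example.openshift.io/secret-hash-" + s.Name
	if d.TemplateAnnotations == nil {
		d.TemplateAnnotations = map[string]string{}
	}
	h := secretHash(s)
	rolloutNeeded = d.TemplateAnnotations[key] != h
	d.TemplateAnnotations[key] = h
	return rolloutNeeded
}
```

Reconciling the same secret twice yields no rollout; rewriting `tls.crt`/`tls.key` after a CA rotation yields a new hash and therefore a rollout.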