ACM-2940 Setup cluster-manager webhook proxying in hosted-mode MCE #390
Conversation
Signed-off-by: Cameron Wall <cwall@redhat.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cameronmwall The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
SonarCloud Quality Gate failed. |
|
|
||
| err = r.Client.Get(ctx, registrationWebhookServiceNN, registrationWebhookService) | ||
| err2 := r.Client.Get(ctx, workWebhookServiceNN, workWebhookService) | ||
| addresses := []string{registrationWebhookService.Spec.ClusterIP, workWebhookService.Spec.ClusterIP} |
There was a problem hiding this comment.
If err or err2 != nil would this line panic?
controllers/hosted.go
Outdated
| return ctrl.Result{}, fmt.Errorf("error applying object Name: %s Kind: %s, %w", cmTemplate.GetName(), cmTemplate.GetKind(), err) | ||
| } | ||
| } | ||
| log.Info("made it this far") |
controllers/hosted.go
Outdated
| Kind: "NetworkPolicy", | ||
| }, | ||
| ) | ||
| hCNS, _ := utils.GetHostedClusterNamespace(mce) |
There was a problem hiding this comment.
should address possible error
| } else { | ||
|
|
||
| // Apply clustermanager | ||
| cmTemplate := foundation.HostedClusterManager(mce, r.Images, registrationWebhookService.Spec.ClusterIP, workWebhookService.Spec.ClusterIP) |
There was a problem hiding this comment.
Is it possible MCE will declare itself available before the clusterIPs are set?
| command: | ||
| - /usr/bin/proxy-agent | ||
| # MCE has an external image entry for the proxy agent image. SHould we use that? | ||
| image: quay.io/stolostron/apiserver-network-proxy:latest |
There was a problem hiding this comment.
Is there an image that needs to be onboarded for this deployment?
The PR create several new resources when enabling cluster manager so as to allow proxying for the web hooks. The most important of these is the konnectivity deployment which takes in the addresses of the two web hook services. These addresses are also added to be cluster manager itself. When this deployment is up and running in the MCE target namespace, proxying should be working. In order to test this I get a |
JakobGray
changed the title
There was a problem hiding this comment.
On initial run with these changes it didn't seem to change much, until I found out I had to poke the hosted MCE to get it to progress. Despite that the MCE was showing as Available. I believe it's because this doesn't meet the criteria:
MCE status tracks success of resources applied
So MCE is still only showing one Deployment and one ClusterManager in its status.
Can you provide a list of commands to run to verify everything is deployed as it should be? For example:
oc get deploy cluster-manager-webhook-konnectivity-agent -n <mceNS>
oc get service cluster-manager-work-webhook -n <mceNS>
KUBECONFIG=<hosted-kubeconfig> oc get service .....
I tried the oc api-resources call and nothing stood out to me before or after the changes were applied so I'm not sure if anything happened.
pkg/utils/annotations.go
Outdated
| func GetKonnectivitySecret(mce *backplanev1.MultiClusterEngine) (types.NamespacedName, error) { | ||
| nn := types.NamespacedName{} | ||
| if mce.Annotations == nil || mce.Annotations[AnnotationHyperShiftNamespace] == "" { | ||
| return nn, fmt.Errorf("no kubeconfig secret annotation defined in %s", mce.Name) |
Signed-off-by: Cameron Wall <cwall@redhat.com>
Signed-off-by: Cameron Wall <cwall@redhat.com>
|
/hold |
|
@cameronmwall: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
The PR create several new resources when enabling cluster manager so as to allow proxying for the web hooks. The most important of these is the konnectivity deployment which takes in the addresses of the two web hook services. These addresses are also added to be cluster manager itself. When this deployment is up and running in the MCE target namespace, proxying should be working. In order to test this I get a oc api-resources on the hosted cluster which was expected to complete successfully
Issue: https://issues.redhat.com/browse/ACM-2940