CM-830: Integrate trust-manager with cert-manager-operator #1914
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
chiragkyal
changed the title
chiragkyal
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@chiragkyal: This pull request references CM-830 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@chiragkyal: This pull request references CM-830 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
chiragkyal
force-pushed
the
trust-manager
branch
from
5728ef0 to
fcc188e
Compare
chiragkyal
force-pushed
the
trust-manager
branch
from
fcc188e to
624ef6b
Compare
bharath-b-rh
left a comment
bharath-b-rh
left a comment
There was a problem hiding this comment.
LGTM mostly. I will need a second read.
|
|
||
| // status is the most recently observed status of the TrustManager. | ||
| // +kubebuilder:validation:Optional | ||
| // +optional |
There was a problem hiding this comment.
Please have all optional fields as pointer types, to explicitly interpret non-configured values.
There was a problem hiding this comment.
I think, as per this(https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#optional-fields-should-not-be-pointers-in-custom-resource-based-apis), we should not use pointers for optional fields.
| - `trust-manager-controller` based on the configuration in `trustmanagers.operator.openshift.io` CR, installs `trust-manager` | ||
| in the `cert-manager` namespace. | ||
| - If `defaultCAPackage.enabled` is true: | ||
| 1. Controller creates a ConfigMap with annotation `config.openshift.io/inject-trusted-cabundle: true` |
There was a problem hiding this comment.
I would suggest having the configmap created irrespective of whether defaultCAPackage is enabled and instead depend on the featuregate to create it. i.e. if feature enabled create the configmap and have it ready.
There was a problem hiding this comment.
instead depend on the featuregate to create it. i.e. if feature enabled create the configmap and have it ready.
Once we will promote to GA, does it mean that irrespective of whether defaultCAPackage is enabled or disabled, both the configmaps will always be created, and we will only add/remove the volumeMounts in the deployment based on the flag. Is my understanding correct?
This enhancement describes extending cert-manager-operator to deploy and manage trust-manager as an operand. Signed-off-by: chiragkyal <ckyal@redhat.com>
chiragkyal
force-pushed
the
trust-manager
branch
from
624ef6b to
76a2381
Compare
| // +kubebuilder:validation:MaxLength:=63 | ||
| // +kubebuilder:validation:Optional | ||
| // +optional | ||
| TrustNamespace string `json:"trustNamespace,omitempty"` |
There was a problem hiding this comment.
Should we make TrustNamespace an immutable field? Otherwise, changing the TrustNamespace on a running cluster is a destructive action. The operand would lose access to its current data source.
chiragkyal
force-pushed
the
trust-manager
branch
3 times, most recently
from
f43588f to
c31d38c
Compare
Signed-off-by: chiragkyal <ckyal@redhat.com>
chiragkyal
force-pushed
the
trust-manager
branch
from
c31d38c to
b7c9665
Compare
|
@chiragkyal: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
lunarwhite
left a comment
lunarwhite
left a comment
There was a problem hiding this comment.
It looks fairly good to me 👍. I'm very glad to see that the upstream planned Bundle API changes/deprecations are mentioned in this EP. As we move toward GA (future), we might need to adjust our custom APIs based on the stabilized upstream CRD APIs accordingly.
| - Different log levels and formats | ||
| - Custom trust namespace | ||
| - Secret targets policy (Disabled/All/Specific) | ||
| - DefaultCAPackage policy (Enabled/Disabled) |
There was a problem hiding this comment.
| - Different log levels and formats | |
| - Custom trust namespace | |
| - Secret targets policy (Disabled/All/Specific) | |
| - DefaultCAPackage policy (Enabled/Disabled) | |
| - Custom trust namespace | |
| - Secret targets policy (Disabled/All/Specific) | |
| - DefaultCAPackage policy (Enabled/Disabled) | |
| - FilterExpiredCertificates policy (Enabled/Disabled) | |
| - Common configurations: log levels and formats, resources, node selector, tolerations and affinity |
| ## Upgrade / Downgrade Strategy | ||
|
|
||
| On upgrade: | ||
| - cert-manager-operator will have functionality to enable trust-manager and based on the administrator configuration, | ||
| trust-manager will be deployed and available for usage. |
There was a problem hiding this comment.
Should we explicitly mention that directly upgrading from a TP version to a GA version is not supported? Users are expected to perform a fresh installation rather than migrating from a TP to GA considering there might be significant API changes.
| oc get Certificates,Issuers,ClusterRoles,ClusterRoleBindings,Deployments,Roles,RoleBindings,Services,ServiceAccounts,ValidatingWebhookConfigurations,ConfigMaps -l "trustmanager.openshift.operator.io/managed-by=trust-manager-controller" -n cert-manager | ||
|
|
||
| # If trust namespace is different from cert-manager, also check for Role/RoleBinding there | ||
| # oc get Roles,RoleBindings -l "trustmanager.openshift.operator.io/managed-by=trust-manager-controller" -n <trust-namespace> |
There was a problem hiding this comment.
I don't see trustmanager.openshift.operator.io/managed-by=trust-manager-controller is mentioned somewhere else. Perhaps you want to mention app.kubernetes.io/name=cert-manager-trust-manager or app.kubernetes.io/instance=cert-manager-trust-manager?
| * `app: cert-manager-trust-manager` | ||
| * `app.kubernetes.io/name: cert-manager-trust-manager` | ||
| * `app.kubernetes.io/instance: cert-manager-trust-manager` | ||
| * `app.kubernetes.io/version: "v0.20.2"` |
There was a problem hiding this comment.
Just bringing this up because I noticed the latest tag is now v0.20.3 (released a few weeks ago). Maybe we could build on top of that in actual implementation. I understand that when this EP was being drafted, perhaps v0.20.3 hadn't been released yet, and it doesn't hurt to reference v0.20.2 for the proposal.
| ### Workflow Description | ||
|
|
There was a problem hiding this comment.
nitpick: It'd be great if we could add a mermaid diagram to help illustrate the end-end workflow.
/lgtm |
openshift-ci
bot
added
the
do-not-merge/hold
5 participants
Extend cert-manager-operator to deploy and manage trust-manager as an operand, providing a solution for trust bundle distribution on OpenShift.