WIP: feat: let wrangler manage certs #1570
Conversation
salasberryfin
added
kind/refactor
salasberryfin
force-pushed
the
certficates-managed-by-wrangler
branch
from
02e887b to
86512ac
Compare
salasberryfin
force-pushed
the
certficates-managed-by-wrangler
branch
9 times, most recently
from
ce918fd to
5a1ab33
Compare
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
salasberryfin
force-pushed
the
certficates-managed-by-wrangler
branch
3 times, most recently
from
5b4a819 to
1a24f25
Compare
| patchProviderManifestFn, | ||
| } | ||
|
|
||
| if feature.Gates.Enabled(feature.UninstallCertManager) { |
There was a problem hiding this comment.
I find the uninstall cert-manager feature to be misleading. This is not uninstalling cert-manager, it's just removing the dependency from the provider manifest. So:
-
Both new phases (conversion to wrangler && cert-manager dependency removal) have to be gated behind the same feature. It's not going to work if we just add the wrangler notation, it will conflict with the existing cert-manager Certificate most likely.
-
uninstall-cert-manager feature should be renamed imho, I think something like
cert-manager-conversioncould be more appropriate. -
I do miss a phase where the provider deployment is restarted, otherwise the change won't be effective as the controller pod is still using the old/replaced certificate.
There was a problem hiding this comment.
Regarding actually uninstalling cert-manager, I think this simply needs to be left to the user.
Turtles does not know how cert-manager was installed, since it's currently a prerequisite, so the user has to take care of that, once all provider manifests have been converted.
Edit: For this reason it would be nice to have a new CAPIProvider condition to mark that conversion happened successfully, so the user knows when cert-manager is no longer in-use and needed
There was a problem hiding this comment.
maybe rename uninstall-cert-manager to no-cert-manager?
There was a problem hiding this comment.
Also agree that both functions have to be under the same feature gate, the choice is either or another, no options in between.
There was a problem hiding this comment.
On point 3 on @anmazzotti's list, I'm not sure the deployment needs to be restarted, since the provider manifest is updated during Fetch, and before Install, which means that there's no controller running before any of the changes are applied.
There was a problem hiding this comment.
If this is an update and not a first install, then the provider controller is running and (assuming we didn't bump the provider version), there's nothing updated that will make the Deployment rollout.
There was a problem hiding this comment.
What I've seen is using helm upgrade to only update the value of the new feature gate (from false to true), triggers a re-creation of provider's controllers and resources. Shouldn't this suffice to consider it re-deployed?
There was a problem hiding this comment.
Isn't the new feature a Turtles feature? It has nothing to do with CAPIProviders, or is the new feature meant to be per-provider? Sorry I'm confused now.
Just to clarify, the "converted" CAPI provider Deployment needs a rollout. This is what I'm saying. Not Turtles (which does not have webhooks and need no conversion as far I know). I mean the CAPI providers like caprke2, capa, etc. Their respective pods need a rollout, since they will still use the cert-manager Certificate.
I mean they will still work as it's a self signed cert anyway, but it would be best to make the conversion effective immediately with a rollout, rather than waiting for troubles to come unexpectedly at the next rollout, like provider update.
salasberryfin
force-pushed
the
certficates-managed-by-wrangler
branch
from
1a24f25 to
748db18
Compare
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
salasberryfin
force-pushed
the
certficates-managed-by-wrangler
branch
from
748db18 to
5f2f5ae
Compare
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
What this PR does / why we need it:
This PR adds logic to patch objects defined in a provider's manifest leveraging a new CAPI Operator functionality that allows passing a custom alter components function which is executed during the
Fetchphase.There are two core changes. A new feature gate
no-cert-manageris added, and this logic is only applied if set totrue(it is an opt-in action, defaults tofalse):Let wrangler manage certificates
This is implemented in function
patchProviderManifestFn, which retrieves the name of the secret from theCertificateresource and annotates the webhook service (e.g.capi-webhook-servicewith:need-a-cert.cattle.io/secret-name: <secretName>Remove cert-manager
This is implemented in function
removeCertManagerFn:cert-manager.io/inject-ca-fromfrom any resource in the manifest.CertificateandIssuerfrom the list of objects.This step runs on provider installation (or update), as modifying the object manifest after is has already been deployed does not have effect on the existing resources. This is because of the reconciliation phases and the manifest being stored in memory.
Which issue(s) this PR fixes:
Fixes #1513
Special notes for your reviewer:
Checklist: