Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unconditionally sync CA cert for Controller webhooks #3421

Merged
merged 1 commit into from
Mar 9, 2022
Merged

Unconditionally sync CA cert for Controller webhooks #3421

merged 1 commit into from
Mar 9, 2022

Conversation

antoninbas
Copy link
Contributor

Webhooks are used by other features besided AntreaPolicy. At the moment,
if someone tries to disable AnteraPolicy and enable Egress for example,
the webhooks would not be using the correct CA cert and the Egress API
would not be usable.

Given that we unconditionally create these webhooks in the Antrea
deployment manifest, it makes sense to unconditionally sync the CA cert
for them.

Signed-off-by: Antonin Bas abas@vmware.com

@antoninbas antoninbas added kind/bug Categorizes issue or PR as related to a bug. action/release-note Indicates a PR that should be included in release notes. labels Mar 8, 2022
@antoninbas antoninbas requested review from Dyanngg and tnqn March 8, 2022 22:05
@antoninbas antoninbas mentioned this pull request Mar 8, 2022
Merged
@antoninbas
Unconditionally sync CA cert for Controller webhooks
7a5e3fe 
Webhooks are used by other features besided AntreaPolicy. At the moment,
if someone tries to disable AnteraPolicy and enable Egress for example,
the webhooks would not be using the correct CA cert and the Egress API
would not be usable.

Given that we unconditionally create these webhooks in the Antrea
deployment manifest, it makes sense to unconditionally sync the CA cert
for them.

Signed-off-by: Antonin Bas <abas@vmware.com>
@antoninbas antoninbas force-pushed the unconditionally-sync-cacert-for-webhooks branch from 033458e to 7a5e3fe Compare March 8, 2022 22:23
@codecov-commenter
Copy link

codecov-commenter commented Mar 8, 2022
edited
Loading

Codecov Report

Merging #3421 (3c7a058) into main (431291f) will increase coverage by 11.26%.
The diff coverage is 0.00%.

❗ Current head 3c7a058 differs from pull request most recent head 7a5e3fe. Consider uploading reports for the commit 7a5e3fe to get more accurate results

Impacted file tree graph

@@             Coverage Diff             @@
##             main    #3421       +/-   ##
===========================================
+ Coverage   42.41%   53.67%   +11.26%     
===========================================
  Files         200      239       +39     
  Lines       24296    34209     +9913     
===========================================
+ Hits        10305    18362     +8057     
- Misses      12929    14075     +1146     
- Partials     1062     1772      +710
Flag Coverage Δ
e2e-tests 53.67% <0.00%> (?)
unit-tests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/apiserver/certificate/cacert_controller.go 61.39% <0.00%> (+52.06%) ⬆️
pkg/controller/egress/controller.go 0.00% <0.00%> (-88.45%) ⬇️
pkg/controller/networkpolicy/endpoint_querier.go 4.58% <0.00%> (-86.85%) ⬇️
pkg/controller/ipam/validate.go 0.00% <0.00%> (-82.26%) ⬇️
pkg/agent/util/iptables/lock.go 0.00% <0.00%> (-81.82%) ⬇️
pkg/controller/ipam/antrea_ipam_controller.go 0.00% <0.00%> (-80.29%) ⬇️
pkg/agent/cniserver/ipam/antrea_ipam_controller.go 0.00% <0.00%> (-79.52%) ⬇️
pkg/controller/externalippool/validate.go 0.00% <0.00%> (-76.20%) ⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go 3.47% <0.00%> (-75.70%) ⬇️
pkg/cni/client.go 0.00% <0.00%> (-75.52%) ⬇️
... and 259 more

@tnqn tnqn added this to the Antrea v1.6 release milestone Mar 9, 2022
tnqn
tnqn approved these changes Mar 9, 2022
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Dyanngg
Dyanngg approved these changes Mar 9, 2022
View reviewed changes
Copy link
Contributor

@Dyanngg Dyanngg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tnqn
Copy link
Member

tnqn commented Mar 9, 2022

/test-e2e
/test-networkpolicy
/test-conformance

@antoninbas antoninbas merged commit 4a0d68d into antrea-io:main Mar 9, 2022
@antoninbas antoninbas deleted the unconditionally-sync-cacert-for-webhooks branch March 9, 2022 19:18
GraysonWu pushed a commit to GraysonWu/antrea that referenced this pull request Mar 10, 2022
@antoninbas @GraysonWu
Unconditionally sync CA cert for Controller webhooks (antrea-io#3421)
a4a416e 
Webhooks are used by other features besided AntreaPolicy. At the moment,
if someone tries to disable AnteraPolicy and enable Egress for example,
the webhooks would not be using the correct CA cert and the Egress API
would not be usable.

Given that we unconditionally create these webhooks in the Antrea
deployment manifest, it makes sense to unconditionally sync the CA cert
for them.

Signed-off-by: Antonin Bas <abas@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tnqn tnqn tnqn approved these changes

@Dyanngg Dyanngg Dyanngg approved these changes

Assignees
No one assigned
Labels
action/release-note Indicates a PR that should be included in release notes. kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
Antrea v1.6 release
Development

Successfully merging this pull request may close these issues.
4 participants
@antoninbas @codecov-commenter @tnqn @Dyanngg