Rework cert generation so that it uses two deployments #96
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JPinkney
force-pushed
the
cert-deployments
branch
from
e21d0d7
to
1a9c8db
Compare
sleshchenko
reviewed
Jun 9, 2020
JPinkney
force-pushed
the
cert-deployments
branch
from
1a9c8db
to
f7f7e0f
Compare
amisevsk
approved these changes
Jun 9, 2020
JPinkney
force-pushed
the
cert-deployments
branch
from
2ab98f5
to
8190745
Compare
sleshchenko
approved these changes
Jun 16, 2020
JPinkney
force-pushed
the
cert-deployments
branch
from
8190745
to
8db8a1b
Compare
|
/approve |
JPinkney
force-pushed
the
cert-deployments
branch
from
8db8a1b
to
dc2e24d
Compare
Signed-off-by: Josh Pinkney <joshpinkney@gmail.com>
JPinkney
force-pushed
the
cert-deployments
branch
from
dc2e24d
to
3225a06
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: amisevsk, JPinkney, sleshchenko The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/ok-to-test |
|
/auto-cc |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Josh Pinkney joshpinkney@gmail.com
What does this PR do?
This PR reworks the way we do cert generation completely and has a few massive benefits:
The way it works is that when webhooks are enabled we deploy an additional deployment called
che-workspace-controller-cert-genthat has the sole responsibility of creating the configmap and service needed for the certs. Then, instead of mounting the configmap into the controller deployment later we mount the configmap in the controller deployment yaml right away. That way when the controller deployment is ready and started it already has all the certs available.Since the
che-workspace-controller-cert-genbinary is so small it actually finishes running before the controller deployment even finishes getting setup. In the worst case, the controller deployment will block for 1-2 seconds (this is only theoretical as I've never actually seen it happen). When the controller starts setting up the webhooks (and the certs are available) it will delete theche-workspace-controller-cert-gendeployment.Ideally, we'd use a Job for creating
che-workspace-controller-cert-genbut since OLM doesn't allow you to specify jobs in the bundle, we will have to use deployment.What issues does this PR fix or reference?
Part of eclipse-che/che#16980
Is it tested? How?
make docker_certmake dockermake deploywith both webhooks on and then webhooks off