K8s1.14 #292
K8s1.14 #292
Conversation
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
.gitmodules
Outdated
| [submodule "third_party/frameworks"] | ||
| path = third_party/frameworks | ||
| url = https://github.com/open-policy-agent/frameworks.git | ||
| branch = master |
There was a problem hiding this comment.
what happens if we have updates in master of frameworks but we haven't updated the dependencies in go.mod of gatekeeper? For example, a new spec update in frameworks/constraint/deploy.
There was a problem hiding this comment.
The submodule is only here to provide the CRD yamls for constrainttemplate (gomod doesn't let us sync non-go files).
Eventually we may want to cut release branches as it doesn't look like submodules can sync to tags.
There was a problem hiding this comment.
there is also this method to include non-source files: https://github.com/go-modules-by-example/index/blob/master/012_modvendor/README.md#vendoring-your-module-download-cache
There was a problem hiding this comment.
oh yea that sucks. so I guess we just need to make sure when we update go.mod for frameworks, we also run git submodule update --remote to update these yamls.
There was a problem hiding this comment.
@sozercan thanks for the modvendor tip, I've added a vendor target to the makefile that will let us update the yaml that way, while still having a minimal vendor directory.
|
Looks like side effect of moving to deployments, pod name is randomly generated now (like |
deploy/gatekeeper.yaml
Outdated
| name: gatekeeper-system | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| controller-gen.kubebuilder.io/version: v0.2.2 |
There was a problem hiding this comment.
There was a problem hiding this comment.
That will happen automatically once I am no longer overriding frameworks with my local copy. Currently it appears the modvendor "use the cache" solution doesn't respect gomod replace directives when pointing to local files.
Signed-off-by: Max Smythe <smythe@google.com>
|
Thanks for the feedback. I looked through the documentation. I could only find one mention of the controller-manager pod, but updated it to reflect the random name. |
Signed-off-by: Max Smythe <smythe@google.com>
…er-gen in Docker image Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
pkg/webhook/certs.go
Outdated
| func (cr *certRotator) writeWebhookConfig(certPem []byte) error { | ||
| vwh := &unstructured.Unstructured{} | ||
| vwh.SetGroupVersionKind(schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingWebhookConfiguration"}) | ||
| vwhKey := types.NamespacedName{Name: "gatekeeper-validating-webhook-configuration"} |
There was a problem hiding this comment.
What is the reason for changing the name of this webhookconfig to gatekeeper-validating-webhook-configuration
There was a problem hiding this comment.
Per our conversation this is for compatibility with controller-gen
| var ( | ||
| secretKey = types.NamespacedName{ | ||
| Namespace: namespace, | ||
| Name: "gatekeeper-webhook-server-cert", |
There was a problem hiding this comment.
Same here, is there a reason this secret name is changed? It was gatekeeper-webhook-server-secret
There was a problem hiding this comment.
Given that we already have breaking changes (webhook name, StatefulSet -> Service, etc.), we may as well make this conform to the new standards as well.
Also, the name of the certs within the secrets have changed, per #111, so this may be a good way to highlight that.
Signed-off-by: Max Smythe <smythe@google.com>
…g output Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
…guration Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
|
Waiting to give an opportunity for people to object to the changes introduced with: |
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
| scheme: mgr.GetScheme(), | ||
| ctx: context.Background(), |
There was a problem hiding this comment.
No need to make a change, but just commenting: to really make this code healthy WRT context, you would need to add a context as the first parameter of AddRotator(...) and so on all the way up to the cmd/ file that originates all of this code and call context.Background() there. However that is a much larger change, so...
There was a problem hiding this comment.
Ack, ya there is definitely a larger context cleanup to be done across the code base and maybe in core k8s libraries themselves. Calling this out-of-scope for now.
* Migrate libraries, no manifest/Makefile work Signed-off-by: Max Smythe <smythe@google.com> * Migration to Kubebuilder V2 that works on desktop build Signed-off-by: Max Smythe <smythe@google.com> * Use http submodule repo Signed-off-by: Max Smythe <smythe@google.com> * Fix e2e tests Signed-off-by: Max Smythe <smythe@google.com> * fix e2e tests Signed-off-by: Max Smythe <smythe@google.com> * Restore --pull flag in docker-build Signed-off-by: Max Smythe <smythe@google.com> * Use unstructured to inject CA cert to avoid clobbering unknown fields Signed-off-by: Max Smythe <smythe@google.com> * Fix encoding error + nits Signed-off-by: Max Smythe <smythe@google.com> * retrieve crd manifests from vendor cache Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * Fix location of CRD yaml in ConstraintTemplate test Signed-off-by: Max Smythe <smythe@google.com> * Use vendor directory exclusively for builds, cache making of controller-gen in Docker image Signed-off-by: Max Smythe <smythe@google.com> * More -mod vendor flags set Signed-off-by: Max Smythe <smythe@google.com> * -mod vendor not necessary for go fmt Signed-off-by: Max Smythe <smythe@google.com> * Switch to distroless Signed-off-by: Max Smythe <smythe@google.com> * remove extra parenthesis Signed-off-by: Max Smythe <smythe@google.com> * More build fixing Signed-off-by: Max Smythe <smythe@google.com> * Gomodules was disabled Signed-off-by: Max Smythe <smythe@google.com> * Need to copy go.mod Signed-off-by: Max Smythe <smythe@google.com> * Forgot copy destination Signed-off-by: Max Smythe <smythe@google.com> * Use committed version of framework; move manifest to gatekeeper_kubebuilder_v2.yaml Signed-off-by: Max Smythe <smythe@google.com> * Missed some files Signed-off-by: Max Smythe <smythe@google.com> * Cert deadlines moved to constants Signed-off-by: Max Smythe <smythe@google.com> * Avoid storing e2e commands in variables. This enables more legible log output Signed-off-by: Max Smythe <smythe@google.com> * Double e2e test timeouts Signed-off-by: Max Smythe <smythe@google.com> * Do not allow kubectl update to clobber cert in validatingwebhookconfiguration Signed-off-by: Max Smythe <smythe@google.com> * update comments Signed-off-by: Max Smythe <smythe@google.com> * Fix grammar on comment Signed-off-by: Max Smythe <smythe@google.com> * Simplify CA cert injection into validating WH into a pure reconcile loop Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * Fix nits, unreachable code Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * check for key membership in map Signed-off-by: Max Smythe <smythe@google.com> Signed-off-by: Kaleb Wade <kaleb.wade@newcontext.com>
* Migrate libraries, no manifest/Makefile work Signed-off-by: Max Smythe <smythe@google.com> * Migration to Kubebuilder V2 that works on desktop build Signed-off-by: Max Smythe <smythe@google.com> * Use http submodule repo Signed-off-by: Max Smythe <smythe@google.com> * Fix e2e tests Signed-off-by: Max Smythe <smythe@google.com> * fix e2e tests Signed-off-by: Max Smythe <smythe@google.com> * Restore --pull flag in docker-build Signed-off-by: Max Smythe <smythe@google.com> * Use unstructured to inject CA cert to avoid clobbering unknown fields Signed-off-by: Max Smythe <smythe@google.com> * Fix encoding error + nits Signed-off-by: Max Smythe <smythe@google.com> * retrieve crd manifests from vendor cache Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * Fix location of CRD yaml in ConstraintTemplate test Signed-off-by: Max Smythe <smythe@google.com> * Use vendor directory exclusively for builds, cache making of controller-gen in Docker image Signed-off-by: Max Smythe <smythe@google.com> * More -mod vendor flags set Signed-off-by: Max Smythe <smythe@google.com> * -mod vendor not necessary for go fmt Signed-off-by: Max Smythe <smythe@google.com> * Switch to distroless Signed-off-by: Max Smythe <smythe@google.com> * remove extra parenthesis Signed-off-by: Max Smythe <smythe@google.com> * More build fixing Signed-off-by: Max Smythe <smythe@google.com> * Gomodules was disabled Signed-off-by: Max Smythe <smythe@google.com> * Need to copy go.mod Signed-off-by: Max Smythe <smythe@google.com> * Forgot copy destination Signed-off-by: Max Smythe <smythe@google.com> * Use committed version of framework; move manifest to gatekeeper_kubebuilder_v2.yaml Signed-off-by: Max Smythe <smythe@google.com> * Missed some files Signed-off-by: Max Smythe <smythe@google.com> * Cert deadlines moved to constants Signed-off-by: Max Smythe <smythe@google.com> * Avoid storing e2e commands in variables. This enables more legible log output Signed-off-by: Max Smythe <smythe@google.com> * Double e2e test timeouts Signed-off-by: Max Smythe <smythe@google.com> * Do not allow kubectl update to clobber cert in validatingwebhookconfiguration Signed-off-by: Max Smythe <smythe@google.com> * update comments Signed-off-by: Max Smythe <smythe@google.com> * Fix grammar on comment Signed-off-by: Max Smythe <smythe@google.com> * Simplify CA cert injection into validating WH into a pure reconcile loop Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * Fix nits, unreachable code Signed-off-by: Max Smythe <smythe@google.com> * Fix nits Signed-off-by: Max Smythe <smythe@google.com> * check for key membership in map Signed-off-by: Max Smythe <smythe@google.com> Signed-off-by: Kaleb Wade <kaleb.wade@newcontext.com>
PR migrating to Kubebuilder V2. Needs to have the framework PR reviewed first:
open-policy-agent/frameworks#60
Then I will have to remove the following line from
go.mod: