Webhook/certificate generation split from XDS control plane #1939

eduser25 · 2020-10-27T22:21:50Z

Some discussions suggested we could separate the XDS control plane to the webhook and certificate generation for envoy onboarding.

This would ease up and decouple the system into finer responsibilities, potentially simplifying the later scalability, possible sharding and fine tuning the individual components at scale.

This issue tracks potential conversation over this matter.

New Functionality [X]
Envoy Control Plane [X]
Certificate Management [X]
Sidecar Injection [X]

draychev · 2020-12-08T23:59:25Z

Could be positively impacted by #1974

… pkg Moves code related to bootstrapping the certificate manager/provider into a separate utility pkg. This utility pkg will be reused across osm-controller and the sidecar injector app. The sidecar injector component will be moved out of osm-controller as a part of openservicemesh#1939, and this change is required to reuse code across the two apps. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

Moves code related to bootstrapping the certificate manager/provider into a separate utility pkg. This utility pkg will be reused across osm-controller and the sidecar injector app. The sidecar injector component will be moved out of osm-controller as a part of openservicemesh#1939, and this change is required to reuse code across the two apps. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

Moves code related to bootstrapping the certificate manager/provider into to `pkg/certificate/providers`. This code will be reused across osm-controller and the sidecar injector app. The sidecar injector component will be moved out of osm-controller as a part of openservicemesh#1939, and this change is required to reuse code across the two apps. The change does the following: - Moves certificate provider related code that needs to be reused into `pkg/certificate/providers`. - Creates structs for the different cert provider options and validation methods for those options. - A `Config` struct to leverage to retrieve CA bundle secret information (currently used by tests). Thi will be leveraged by the osm-injector component to retrieve the CA bundle secret created by osm-controller. - Refactors existing cert provider initialization code for code reusability. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

Moves code related to bootstrapping the certificate manager/provider into to `pkg/certificate/providers`. This code will be reused across osm-controller and the sidecar injector app. The sidecar injector component will be moved out of osm-controller as a part of openservicemesh#1939, and this change is required to reuse code across the two apps. The change does the following: - Moves certificate provider related code that needs to be reused into `pkg/certificate/providers`. - Creates structs for the different cert provider options and validation methods for those options. - A `Config` struct to leverage to retrieve CA bundle secret information (currently used by tests). Thi will be leveraged by the osm-injector component to retrieve the CA bundle secret created by osm-controller. - Refactors existing cert provider initialization code for code reusability. - Makes `--ca-bundle-secret-name` mandatory. The Helm charts always pass this option and this is required for issue openservicemesh#1939. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

This change is a temporary workaround till issue openservicemesh#2481 is addressed. As a part of openservicemesh#1939, injector will be taken out of `osm-controller`, after which we will no longer get the list of expected proxies. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

Moves code related to bootstrapping the certificate manager/provider into to `pkg/certificate/providers`. This code will be reused across osm-controller and the sidecar injector app. The sidecar injector component will be moved out of osm-controller as a part of openservicemesh#1939, and this change is required to reuse code across the two apps. The change does the following: - Moves certificate provider related code that needs to be reused into `pkg/certificate/providers`. - Creates structs for the different cert provider options and validation methods for those options. - A `Config` struct to leverage to retrieve CA bundle secret information (currently used by tests). Thi will be leveraged by the osm-injector component to retrieve the CA bundle secret created by osm-controller. - Refactors existing cert provider initialization code for code reusability. - Makes `--ca-bundle-secret-name` mandatory. The Helm charts always pass this option and this is required for issue openservicemesh#1939. Signed-off-by: Shashank Ram <shashr2204@gmail.com>

This change splits the sidecar injector component from osm-controller for scalability purpose as a part of openservicemesh#1939. Summary of changes: - injector is moved to a separate osm-injector app - Helm chart changes to deploy osm-injector - osm-controller changes to remove injector initialization - utility method on `providers.Config` to watch CA bundle secret - Makefile, dockerfile changes to build osm-injector - clanup of unused options for mutating webhook's reconciler Signed-off-by: Shashank Ram <shashr2204@gmail.com>

This change splits the sidecar injector component from osm-controller for scalability purpose as a part of openservicemesh#1939. Summary of changes: - injector is moved to a separate osm-injector app - Helm chart changes to deploy osm-injector - osm-controller changes to remove injector initialization - utility method on `providers.Config` to watch CA bundle secret - Makefile, dockerfile changes to build osm-injector - cleanup of unused options for mutating webhook's reconciler - update e2e tests to wait on osm-injector pod Signed-off-by: Shashank Ram <shashr2204@gmail.com>

shashankram · 2021-02-16T23:42:31Z

Resolved by #2505

eduser25 added size/XXL 40 days (2 months) improvement / feature request labels Oct 27, 2020

draychev mentioned this issue Jan 26, 2021

Milestone v0.8.0 planning #2168

Closed

draychev added size/M 7 days (~1.5 week) and removed size/XXL 40 days (2 months) labels Jan 26, 2021

shashankram self-assigned this Feb 4, 2021

shashankram added this to the v0.8.0 milestone Feb 4, 2021

shashankram mentioned this issue Feb 5, 2021

certificate: consolidate provider related config and helpers #2469

Merged

shashankram added size/L 14 days (~2.5 weeks) and removed size/M 7 days (~1.5 week) labels Feb 8, 2021

shashankram mentioned this issue Feb 8, 2021

Record expected proxy without relying on in-memory state shared between controller and injector #2481

Closed

shashankram mentioned this issue Feb 8, 2021

debugger: disable printing expected proxy list #2482

Merged

shashankram mentioned this issue Feb 10, 2021

injector: split sidecar-injector from osm-controller #2505

Merged

snehachhabria added the priority/P1 P1 priority label Feb 11, 2021

shashankram closed this as completed Feb 16, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Webhook/certificate generation split from XDS control plane #1939

Webhook/certificate generation split from XDS control plane #1939

eduser25 commented Oct 27, 2020

draychev commented Dec 8, 2020

shashankram commented Feb 16, 2021

Webhook/certificate generation split from XDS control plane #1939

Webhook/certificate generation split from XDS control plane #1939

Comments

eduser25 commented Oct 27, 2020

draychev commented Dec 8, 2020

shashankram commented Feb 16, 2021