Allow halting (and restarting) pods on certificate errors #2854

Merged (1 commit) on Oct 25, 2023

skitt
Member

@skitt skitt commented Oct 24, 2023

General practice in Kubernetes is to restart pods relying on certificates when those certificates are changed. Because Kubernetes isn't aware of cross-cluster certificate changes, this doesn't happen automatically when the broker certificate (or trust chain) changes; this produces certificate errors and ultimately results in a broken setup.

To avoid this, provide a setting to set up gateway and Lighthouse agent pods to halt on certificate errors.

See submariner-io/submariner#2761 and submariner-io/lighthouse#1408.
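
The behaviour this description motivates, sketched as an added Go example (not code from this PR or from Submariner): classify an error from a broker connection as a certificate failure and, when the setting is enabled, choose to halt so that the kubelet restarts the container. The `Action` type, `IsCertificateError`, `Decide`, the `haltOnCertError` parameter and the `broker.example` URL are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

type Action string
const (
	Continue Action = "continue"
	Retry    Action = "retry"
	Halt     Action = "halt" // caller exits non-zero; the kubelet restarts the container
)

// IsCertificateError reports whether err, or any error it wraps, is an X.509
// verification failure (untrusted CA, invalid or expired certificate, hostname
// mismatch). errors.As follows Unwrap chains, so *url.Error wrappers are handled.
func IsCertificateError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	return errors.As(err, &unknownCA) || errors.As(err, &invalid) || errors.As(err, &hostname)
}

// Decide maps an error from a broker call to an action. haltOnCertError is a
// hypothetical name standing in for the setting the PR describes.
func Decide(err error, haltOnCertError bool) Action {
	switch {
	case err == nil:
		return Continue
	case haltOnCertError && IsCertificateError(err):
		return Halt
	default:
		return Retry // transient failures stay on the normal retry path
	}
}

func main() {
	// Constructed sample errors, shaped like what an HTTPS client returns.
	wrap := func(e error) error { return &url.Error{Op: "Get", URL: "https://broker.example:6443", Err: e} }
	for _, err := range []error{
		wrap(errors.New("connection refused")),
		wrap(fmt.Errorf("tls: %w", x509.UnknownAuthorityError{})),
	} {
		fmt.Printf("%-8s %v\n", Decide(err, true), err)
	}
}
```

Halting only on certificate failures keeps transient network errors from causing restart loops, while a stale trust chain forces a fresh start that reloads the current certificates.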

@submariner-bot
Contributor

🤖 Created branch: z_pr2854/skitt/halt-on-certificate-error
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@skitt skitt force-pushed the halt-on-certificate-error branch from 1a27fa3 to d938202 Compare October 24, 2023 15:24
@skitt skitt added the backport This change requires a backport to eligible release branches label Oct 24, 2023
@skitt skitt force-pushed the halt-on-certificate-error branch from d938202 to 2277453 Compare October 24, 2023 18:48
General practice in Kubernetes is to restart pods relying on
certificates when those certificates are changed. Because Kubernetes
isn't aware of cross-cluster certificate changes, this doesn't happen
automatically when the broker certificate (or trust chain) changes;
this produces certificate errors and ultimately results in a broken
setup.

To avoid this, provide a setting to set up gateway and Lighthouse
agent pods to halt on certificate errors.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt skitt force-pushed the halt-on-certificate-error branch from 2277453 to bcfc312 Compare October 25, 2023 07:08
@submariner-bot submariner-bot added the ready-to-test When a PR is ready for full E2E testing label Oct 25, 2023
@dfarrell07 dfarrell07 merged commit a088bf5 into submariner-io:devel Oct 25, 2023
43 checks passed
@submariner-bot
Contributor

🤖 Closed branches: [z_pr2854/skitt/halt-on-certificate-error]

Labels: backport (This change requires a backport to eligible release branches), backport-handled, ready-to-test (When a PR is ready for full E2E testing)