
fix: update manifests to have user certs mounted through configmap #300

Merged
merged 5 commits into main from sanjay/cm-mount
Jan 14, 2025

Conversation

sanster23
Contributor

@sanster23 sanster23 commented Jan 7, 2025

Feat:

This change enables users to add certificates through a configmap into the same directory as the certs provided through values.yaml. This will also set the default value of the env var SSL_CERT_DIR to /certs/.

Verify:

  1. Create a cert configmap

    cat << EOF | kubectl apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: myapp-config
    data:
      ca.crt: |-
        -----BEGIN CERTIFICATE-----
        MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
        MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
        QgAEqXGk4+Op8IpZo0bvVHp7/+bh2dUB0lsKS/s2k5sFnwDdn5U2dGuEf/ThphdY
        SM49BAMCA0gAMEUCIQDejznNXCMUfBo1eIrjiVFhwuJgyQRaqMI149div72V2QIg
        P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
        -----END CERTIFICATE-----
      tls.crt: |-
        -----BEGIN CERTIFICATE-----
        MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
        P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
        -----END CERTIFICATE-----
    EOF
    
  2. Use the configmap in the values:

    ## values.yaml
    
    [...]
    
    customCACerts:
      - |
        -----BEGIN CERTIFICATE-----
        MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
        MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
        QgAEqXGk4+Op8IpZo0bvVHp7/+bh2dUB0lsKS/s2k5sFnwDdn5U2dGuEf/ThphdY
        SM49BAMCA0gAMEUCIQDejznNXCMUfBo1eIrjiVFhwuJgyQRaqMI149div72V2QIg
        P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
        -----END CERTIFICATE-----
      - |
        -----BEGIN CERTIFICATE-----
        MIIBxTCCAWugAwIBAgIRAMXl8L4i99gapX+WGdpqaJcwCgYIKoZIzj0EAwIwLDEQ
        EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUK+moK4nZYvpNpqfvz/7m5wKU
        zgYwHwYDVR0jBBgwFoAUAJRf7Lt7qOg1ZiCCwyjw77SZYtgwCgYIKoZIzj0EAwID
        SAAwRQIhAIzXZMW44l6XMf9Nf4TxTevK8vE4Ic6E8UFqsCcILdXjAiA7iTluM0IU
        aIgJYVqKxXt25blH/VyBRzvNhViesfkNUQ==
        -----END CERTIFICATE-----
    # Name of a ConfigMap containing additional .crt files for CA certificates.
    caCertsConfigMap: "myapp-config"
    
    [...]
    
  3. Install the chart with these values and see if all certs are mounted in the same directory.

NOTE: I have used the ubuntu image for demonstrations, since the operator image does not allow exec in pods.

After installing the chart, check the deployment:

kubectl get deploy -o yaml
apiVersion: v1
items:
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "1"
      meta.helm.sh/release-name: wandb
      meta.helm.sh/release-namespace: default
    creationTimestamp: "2025-01-13T11:34:11Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
      control-plane: controller-manager
    name: wandb-controller-manager
    namespace: default
    resourceVersion: "599"
    uid: 346526e8-851d-47b2-839b-598f94bff844
  spec:
    progressDeadlineSeconds: 600
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        control-plane: controller-manager
    strategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
      type: RollingUpdate
    template:
      metadata:
        creationTimestamp: null
        labels:
          control-plane: controller-manager
      spec:
        containers:
        - args:
          - infinity
          command:
          - sleep
          env:
          - name: WANDB_MANAGER_SERVICE_ACCOUNT
            value: wandb-manager
          - name: OPERATOR_NAMESPACE
            value: default
          - name: SERVICE_ACCOUNT_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.serviceAccountName
          - name: AIRGAPPED
            value: "false"
          - name: SSL_CERT_DIR
            value: /certs/
          image: ubuntu
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 20
            successThreshold: 1
            timeoutSeconds: 1
          name: manager
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /readyz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: "1"
              memory: 1Gi
            requests:
              cpu: 400m
              memory: 300Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /certs/
            name: wandb-ca-certs
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext:
          seccompProfile:
            type: RuntimeDefault
        serviceAccount: wandb-manager
        serviceAccountName: wandb-manager
        terminationGracePeriodSeconds: 10
        volumes:
        - name: wandb-ca-certs
          projected:
            defaultMode: 420
            sources:
            - configMap:
                name: myapp-config
            - configMap:
                name: wandb-ca-certs
  status:
    conditions:
    - lastTransitionTime: "2025-01-13T11:34:11Z"
      lastUpdateTime: "2025-01-13T11:34:11Z"
      message: Deployment does not have minimum availability.
      reason: MinimumReplicasUnavailable
      status: "False"
      type: Available
    - lastTransitionTime: "2025-01-13T11:34:11Z"
      lastUpdateTime: "2025-01-13T11:34:11Z"
      message: ReplicaSet "wandb-controller-manager-79bdcb6cf9" is progressing.
      reason: ReplicaSetUpdated
      status: "True"
      type: Progressing
    observedGeneration: 1
    replicas: 1
    unavailableReplicas: 1
    updatedReplicas: 1
kind: List
metadata:
  resourceVersion: ""
  4. Verify if all certs are available in the pod dir:

     [image: listing of the pod's cert dir]
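The procedure above mounts the chart's own CA ConfigMap and the user's ConfigMap into one projected volume at /certs/ and points SSL_CERT_DIR at it. The Go program below is an added example, not code from this PR or from the W&B operator, and it assumes the operator binary is a Go program: on Linux a Go client honouring SSL_CERT_DIR reads every file in that directory and trusts each PEM CERTIFICATE block it finds, whatever the file name (OpenSSL-based clients instead look the directory up by hashed file names, so the same mount is not automatically a trust store for them). The example models the projected merge in memory and checks two things a practitioner would want to confirm: a server certificate issued by a CA that arrived via caCertsConfigMap chains to the merged pool, and a key name present in both ConfigMaps is refused, because the kubelet fails to mount a projected volume with conflicting paths rather than silently picking one. The key name customca-0.crt for the chart-managed ConfigMap, the CNs, the host name wandb.example.internal and the notes.txt filler entry are constructed for the demo; must and newCert are demo helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"testing/fstest"
	"time"
)

// mergeProjected models the deployment's projected volume: every key of every
// source ConfigMap becomes one file under the mount path, and a key present in
// two sources is a conflict that makes the kubelet refuse to mount the volume.
func mergeProjected(sources ...map[string]string) (map[string]string, error) {
	out := map[string]string{}
	for _, src := range sources {
		for name, body := range src {
			if _, dup := out[name]; dup {
				return nil, fmt.Errorf("conflicting duplicate path %q", name)
			}
			out[name] = body
		}
	}
	return out, nil
}

// loadCertDir adds every PEM CERTIFICATE block in every readable file of the
// directory to a pool, as a Go client honouring SSL_CERT_DIR does: file names do
// not matter and non-certificate content is ignored. Returns CNs in name order.
func loadCertDir(fsys fs.FS) (*x509.CertPool, []string, error) {
	pool, subjects := x509.NewCertPool(), []string{}
	entries, err := fs.ReadDir(fsys, ".")
	if err != nil {
		return nil, nil, err
	}
	for _, e := range entries {
		data, err := fs.ReadFile(fsys, e.Name())
		if err != nil {
			continue // e.g. the kubelet's ..data bookkeeping directory
		}
		for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
			if cert, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
				pool.AddCert(cert)
				subjects = append(subjects, cert.Subject.CommonName)
			}
		}
	}
	return pool, subjects, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a throwaway P-256 certificate for the demo: a self-signed CA
// when parent is nil, otherwise a server certificate for cn signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf: a SAN is required, the CN alone is not matched
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// runScenario builds the two ConfigMaps of the PR description in memory (the
// chart's own, fed by customCACerts, and the user's myapp-config named via
// caCertsConfigMap), projects them into an in-memory stand-in for /certs/ and
// reports the CNs a client trusting it accepts, whether a server cert issued by
// the user CA verifies, and whether a key present in both ConfigMaps is refused.
func runScenario() (subjects []string, leafOK, dupRejected bool) {
	_, _, chartPEM := newCert("Chart CA", nil, nil) // constructed demo CA
	userCA, userKey, userPEM := newCert("User CA", nil, nil)
	leaf, _, _ := newCert("wandb.example.internal", userCA, userKey)
	chartCM := map[string]string{"customca-0.crt": chartPEM} // key name assumed
	userCM := map[string]string{"ca.crt": userPEM, "notes.txt": "not a certificate"}
	files, err := mergeProjected(chartCM, userCM)
	must(err)
	mount := fstest.MapFS{} // what the pod sees under /certs/
	for name, body := range files {
		mount[name] = &fstest.MapFile{Data: []byte(body), Mode: 0o644} // defaultMode 420
	}
	pool, subjects, err := loadCertDir(mount)
	must(err)
	_, verifyErr := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "wandb.example.internal"})
	_, dupErr := mergeProjected(chartCM, map[string]string{"customca-0.crt": userPEM})
	return subjects, verifyErr == nil, dupErr != nil
}

func main() {
	fmt.Println(runScenario()) // trusted CNs, leaf verified, duplicate key refused
}
```

On a real pod the same check runs against the mounted directory with loadCertDir(os.DirFS("/certs")); the kubelet's ..data directory and its timestamped entries are skipped because reading them as files fails, while the key files it symlinks are read normally.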

@flamarion flamarion changed the title update manifests to have user certs mounted through configmap fix: update manifests to have user certs mounted through configmap Jan 7, 2025
@flamarion flamarion merged commit ab80fad into main Jan 14, 2025
1 of 2 checks passed
@flamarion flamarion deleted the sanjay/cm-mount branch January 14, 2025 13:02
Successfully merging this pull request may close these issues.

Add support for pulling Custom Certificates from configMap in W&B Operator
3 participants