[kong] re-use admission certificates if present #256
Conversation
|
Hold because this change requires Helm 3 and cannot go in until we've removed support for Helm 2 in chart 2.x. It should otherwise be fine to review (and if anyone can figure out why the install/upgrade checksum thing happens or some neater way of working around that, I'd be quite grateful). As CI helpfully notes, we also need to upgrade CI to use Helm 3. |
It requires Helm 3. CI still uses Helm 2. |
rainest
force-pushed
the
stage/kong-2.x
branch
from
ce51431
to
b7f2d87
Compare
rainest
force-pushed
the
fix/lookup-cert
branch
from
4b911c7
to
54bde3d
Compare
|
CI now has a different problem!
https://github.com/rainest/charts has a PoC of the updated flow with a cheat: rainest@f4c7da0 This should work with a proper fix for Kong/kubernetes-ingress-controller#801. For roles, apparently just bumping the version is fine. CRDs require other changes, however. |
|
The checksum hack wasn't actually necessary--I thought about why we even had it, looked back in ancient history, and realized it was a workaround to intentionally redeploy the controller because we couldn't keep the certificate stable 🤦 helm/charts#20051 |
If admission webhook certificates are already present on the cluster, use them instead of generating a new certificate. Fix #253
On review of the history behind this, we don't need this checksum if we don't expect the certificate to change. We added it as a workaround for failures caused by the certificate rotating on update: helm/charts#20050
rainest
force-pushed
the
fix/lookup-cert
branch
from
7124cb2
to
644993c
Compare
|
Rebase following 2635265. CI is now happy/this is no longer blocked on KIC#801. |
What this PR does / why we need it:
Reuses admission webhook certificate Secrets if they are already present.
Which issue this PR fixes
Special notes for your reviewer:
We currently generate our checksum by using the entire admission webhook template output as input to SHA256. For some reason I cannot determine, the checksum still changes with the new lookup functionality between installs and upgrades, although a diff between the two shows no difference in the generated resources. Subsequent upgrades do not change the checksum.
To avoid this, I've modified the checksum generator to extract the
tls.crtlines from the template, concatenate those, and checksum that, since we shouldn't need to care about anything else. It's ugly, but it works.IMO this de facto solves #252 also: the certificate and CA Secret names are predictable, and if you create those Secrets in advance of the install, it should use them instead. Need to check to confirm. We'd only need additional changes for that if we want to make the Secret names user-selectable.
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
nextbranch and targetsnext, notmain[kong])