Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correct webhook-cert-manager-clusterrole to utilize the web-cert-manager podsecuritypolicy rather than connect-injectors when global.EnablePodSecurityPolicies is true. #1202

Merged
merged 3 commits into from
May 3, 2022
Merged

Correct webhook-cert-manager-clusterrole to utilize the web-cert-manager podsecuritypolicy rather than connect-injectors when global.EnablePodSecurityPolicies is true. #1202

merged 3 commits into from
May 3, 2022

Conversation

jmurret
Copy link
Member

@jmurret jmurret commented May 3, 2022
edited
Loading

Changes proposed in this PR:

  • add podsecuritypolicy use for webhook-cert-manager to the clusterrole.

How I've tested this PR:

  • will run acceptance jobs

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

lkysow
lkysow reviewed May 3, 2022
View reviewed changes
charts/consul/templates/webhook-cert-manager-clusterrole.yaml
resourceNames:
- {{ template "consul.fullname" . }}-webhook-cert-manager
verbs:
- use
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the part below is a bug. It should be using the cert-manager policy.

thisisnotashwin
thisisnotashwin reviewed May 3, 2022
View reviewed changes
charts/consul/templates/webhook-cert-manager-clusterrole.yaml Outdated
resourceNames:
- {{ template "consul.fullname" . }}-webhook-cert-manager
verbs:
- use
- apiGroups:
- policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can just rename the connect-injector to be the webhook-cert-manager. It being connect-injector is a bug!

@jmurret jmurret changed the title Nightly GKE Acceptance test failures - add podsecuritypolicy use for webhook-cert-manager to the clusterrole. Correct webhook-cert-manager-clusterrole to utilize the web-cert-manager podsecuritypolicy rather than connect-injectors when global.EnablePodSecurityPolicies is true. May 3, 2022
@jmurret jmurret marked this pull request as ready for review May 3, 2022 18:30
@jmurret jmurret mentioned this pull request May 3, 2022
Merged
2 tasks
lkysow
lkysow approved these changes May 3, 2022
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
thisisnotashwin
thisisnotashwin approved these changes May 3, 2022
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much for investigating this!!

@thisisnotashwin
Copy link
Contributor

We can still remove the controller from the sync test as the test does not actually require a controller to run!

@jmurret
Copy link
Member Author

jmurret commented May 3, 2022

👍 I'll merge that other PR tomorrow after we confirm the nightly tests are all set.

@jmurret @lkysow
Update CHANGELOG.md
3f128fa 
Co-authored-by: Luke Kysow <[email protected]>
@jmurret jmurret merged commit 4555758 into main May 3, 2022
@jmurret jmurret deleted the jm/web-cert-mgr-failure branch May 3, 2022 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thisisnotashwin thisisnotashwin thisisnotashwin approved these changes

@lkysow lkysow lkysow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jmurret @thisisnotashwin @lkysow