Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow porch namespace in cert/webhook to be configured #26

Merged
merged 2 commits into from
Mar 5, 2024
Merged

Allow porch namespace in cert/webhook to be configured #26

merged 2 commits into from
Mar 5, 2024

Conversation

liamfallon
Copy link
Member

@liamfallon liamfallon commented Feb 28, 2024
edited
Loading

This PR implements a straightforward fix for Issue 553. It allows the namespace that Porch uses for generation of the deletion validation webhook and certs to be configured by setting the new CERT_NAMESPACE environment variable.

Ideally we should allow the certs and the webhook to be externally specified and then passed to Porch in configuration as suggested in the issue description. However, this PR will allow deployment of Porch in namespaces other than "porch-system" for now.

This PR has been tested manually on a Kind cluster with Porch installed on the default "porch-system" namespace and on a different configured namespace porch-nstest. Below is a fragment of the 3-porch-server.yaml Deployment spec, note the new environment variable CERT_NAMESPACE. Deletion now works in both cases with the appropriate namespace configuration.

       env:
            # Uncomment to enable trace-reporting to jaeger
            #- name: OTEL
            #  value: otel://jaeger-oltp:4317
            - name: OTEL_SERVICE_NAME
              value: porch-server
            - name: CERT_STORAGE_DIR
              value: /etc/webhook/certs
            - name: CERT_NAMESPACE
              value: porch-nstest
          args:
            - --function-runner=function-runner:9445
            - --cache-directory=/cache
            - --cert-dir=/tmp/certs
            - --secure-port=4443

@liamfallon liamfallon mentioned this pull request Feb 28, 2024
Closed
@liamfallon
Copy link
Member Author

/assign @johnbelamaric @tliron @efiacor

@liamfallon liamfallon mentioned this pull request Feb 29, 2024
Closed
@liamfallon
Copy link
Member Author

/retest

efiacor
efiacor reviewed Feb 29, 2024
View reviewed changes
Copy link
Collaborator

@efiacor efiacor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.
A few minor comments.

pkg/apiserver/webhooks.go
@@ -175,7 +175,7 @@ func createValidatingWebhook(ctx context.Context, caCert []byte) error {
}

var (
webhookNamespace = "porch-system"
webhookNamespace = webhookNs
validationCfgName = "packagerev-deletion-validating-webhook"
webhookService = "api"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks a bit odd also. Hardcoded svc name

Copy link
Member Author

@liamfallon liamfallon Mar 1, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, That and a number of other things need to be cleaned up. The aim with this PR is to allow the namespace to be changed, whihc is a blocker. I have raised another improvement issue which addresses these other hardcoded values. See nephio-project/nephio#554
The proposal is that rather than having a load of configuration in Porch, we allow users to specify their own webhook where they can specify what they want. The self-signed one here will be retained more for development and integration test. For in-service deployments we will recommend users create and configure their own webhooks.

pkg/apiserver/webhooks.go Show resolved Hide resolved
@kushnaidu
Copy link
Contributor

/approve
Looks good

@nephio-prow nephio-prow bot added the approved label Mar 5, 2024
@efiacor
Copy link
Collaborator

efiacor commented Mar 5, 2024

/lgtm
/approve

@nephio-prow nephio-prow bot added the lgtm label Mar 5, 2024
@nephio-prow Nephio PROW
Copy link
Contributor

nephio-prow bot commented Mar 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: efiacor, kushnaidu, liamfallon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nephio-prow nephio-prow bot merged commit bf7be50 into nephio-project:main Mar 5, 2024
6 checks passed
@liamfallon liamfallon deleted the issue-553-porch-namespace branch March 6, 2024 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efiacor efiacor efiacor left review comments

@henderiw henderiw Awaiting requested review from henderiw

@s3wong s3wong Awaiting requested review from s3wong

Assignees

@tliron tliron

@johnbelamaric johnbelamaric

@efiacor efiacor

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@liamfallon @kushnaidu @efiacor @tliron @johnbelamaric