Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow porch namespace in cert/webhook to be configured #26

Merged
merged 2 commits into from
Mar 5, 2024

Conversation

liamfallon
Copy link
Member

@liamfallon liamfallon commented Feb 28, 2024

This PR implements a straightforward fix for Issue 553. It allows the namespace that Porch uses for generation of the deletion validation webhook and certs to be configured by setting the new CERT_NAMESPACE environment variable.

Ideally we should allow the certs and the webhook to be externally specified and then passed to Porch in configuration as suggested in the issue description. However, this PR will allow deployment of Porch in namespaces other than "porch-system" for now.

This PR has been tested manually on a Kind cluster with Porch installed on the default "porch-system" namespace and on a different configured namespace porch-nstest. Below is a fragment of the 3-porch-server.yaml Deployment spec, note the new environment variable CERT_NAMESPACE. Deletion now works in both cases with the appropriate namespace configuration.

       env:
            # Uncomment to enable trace-reporting to jaeger
            #- name: OTEL
            #  value: otel://jaeger-oltp:4317
            - name: OTEL_SERVICE_NAME
              value: porch-server
            - name: CERT_STORAGE_DIR
              value: /etc/webhook/certs
            - name: CERT_NAMESPACE
              value: porch-nstest
          args:
            - --function-runner=function-runner:9445
            - --cache-directory=/cache
            - --cert-dir=/tmp/certs
            - --secure-port=4443

@liamfallon
Copy link
Member Author

/assign @johnbelamaric @tliron @efiacor

@liamfallon
Copy link
Member Author

/retest

Copy link
Collaborator

@efiacor efiacor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.
A few minor comments.

@@ -175,7 +175,7 @@ func createValidatingWebhook(ctx context.Context, caCert []byte) error {
}

var (
webhookNamespace = "porch-system"
webhookNamespace = webhookNs
validationCfgName = "packagerev-deletion-validating-webhook"
webhookService = "api"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks a bit odd also. Hardcoded svc name

Copy link
Member Author

@liamfallon liamfallon Mar 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, That and a number of other things need to be cleaned up. The aim with this PR is to allow the namespace to be changed, whihc is a blocker. I have raised another improvement issue which addresses these other hardcoded values. See nephio-project/nephio#554
The proposal is that rather than having a load of configuration in Porch, we allow users to specify their own webhook where they can specify what they want. The self-signed one here will be retained more for development and integration test. For in-service deployments we will recommend users create and configure their own webhooks.

pkg/apiserver/webhooks.go Show resolved Hide resolved
@liamfallon liamfallon force-pushed the issue-553-porch-namespace branch from 34d6949 to 1a7527b Compare March 1, 2024 10:09
@kushnaidu
Copy link
Contributor

/approve
Looks good

@liamfallon liamfallon force-pushed the issue-553-porch-namespace branch from d089956 to 717b3ea Compare March 4, 2024 20:05
@liamfallon liamfallon force-pushed the issue-553-porch-namespace branch from 717b3ea to 5ce3d0d Compare March 5, 2024 07:48
@nephio-prow nephio-prow bot added the approved label Mar 5, 2024
@efiacor
Copy link
Collaborator

efiacor commented Mar 5, 2024

/lgtm
/approve

@nephio-prow nephio-prow bot added the lgtm label Mar 5, 2024
Copy link
Contributor

nephio-prow bot commented Mar 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: efiacor, kushnaidu, liamfallon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nephio-prow nephio-prow bot merged commit bf7be50 into nephio-project:main Mar 5, 2024
6 checks passed
@liamfallon liamfallon deleted the issue-553-porch-namespace branch March 6, 2024 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants