Automate TLS secrets generation for Kubernetes family infrastructures #220
Conversation
mmorhun
requested review from
l0rd,
nickboldt,
rhopp and
vparfonov
as code owners
pkg/controller/che/che_controller.go
Outdated
| @@ -265,6 +265,14 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e | |||
| } | |||
| } | |||
|
|
|||
| // Handle Che TLS certificates on Kubernetes like infrastructures | |||
| if instance.Spec.Server.TlsSupport && instance.Spec.Server.SelfSignedCert && !isOpenShift { | |||
| shouldReturn, reconsileResult, err := HandleCheTLSSecrets(instance, r) | |||
There was a problem hiding this comment.
Can we return something like status structure?
Something like this
https://github.com/eclipse/che-operator/blob/master/pkg/deploy/deployment.go#L42
There was a problem hiding this comment.
Theoretically we can, but I am against it. We need to return 3 values from the method and we can do it using embedded in the golang mechanism. Why do we need to introduce new abstraction then?
There was a problem hiding this comment.
We should be consistent in the implementations.
There was a problem hiding this comment.
+1 About consistent implementation
pkg/controller/che/create.go
Outdated
| @@ -132,6 +133,29 @@ func (r *ReconcileChe) CreateNewRoleBinding(instance *orgv1.CheCluster, roleBind | |||
| return nil | |||
| } | |||
|
|
|||
| // CreateNewJob deploys new instance of given job | |||
| func (r *ReconcileChe) CreateNewJob(instance *orgv1.CheCluster, job *batchv1.Job) error { | |||
There was a problem hiding this comment.
Create a syncJobToCluster function with the same logic as for pvc, ingress, route ...
There was a problem hiding this comment.
I think it is better to keep ability to create an object (in our case job) configuration and then separately flush it to cluster. Because we want to have universal methods, but we never know for sure which aspects of it we may want to change in the future. Changing the sync* method signature is not good as it will affect other consumers. Updating object in runtime is worse or even impossible.
I may move this method into job.go and rename it to match sync* pattern, but I don't want to loose the flexibility here.
pkg/controller/che/tls-secrets.go
Outdated
| var shouldReturn = true | ||
|
|
||
| // HandleCheTLSSecrets handles TLS secrets required for Che deployment | ||
| func HandleCheTLSSecrets(checluster *orgv1.CheCluster, r *ReconcileChe) (bool, reconcile.Result, error) { |
There was a problem hiding this comment.
Let's return status like this
https://github.com/eclipse/che-operator/blob/master/pkg/deploy/deployment.go#L42
There was a problem hiding this comment.
No, please see my answer above. Moreover, inside internal function we behave the same as in reconcile loop.
|
Interesting, some day maybe we will have tls generation from the box https://github.com/operator-framework/operator-sdk/blob/master/doc/proposals/tls-utilities.md |
|
@AndrienkoAleksandr I've already seen that. Unfortunately current functionality they provide has only basic stuff which doesn't suite our needs. But thanks for commenting. |
pkg/deploy/job.go
Outdated
| // NewJob creates new job configuration by giben parameters. | ||
| func NewJob(checluster *orgv1.CheCluster, name string, namespace string, image string, serviceAccountName string, env map[string]string, backoffLimit int32) *batchv1.Job { | ||
| labels := GetLabels(checluster, util.GetValue(checluster.Spec.Server.CheFlavor, DefaultCheFlavor)) | ||
| labels["component"] = "che-create-tls-secret-job" |
There was a problem hiding this comment.
I would keep `che component
There was a problem hiding this comment.
It is not possible due to conflicts with Che master. All Che related pods have lebel app=che including this job.
pkg/deploy/job.go
Outdated
| } | ||
|
|
||
| // NewJob creates new job configuration by giben parameters. | ||
| func NewJob(checluster *orgv1.CheCluster, name string, namespace string, image string, serviceAccountName string, env map[string]string, backoffLimit int32) *batchv1.Job { |
There was a problem hiding this comment.
we can get namespace from checluster, not needed to pass it
There was a problem hiding this comment.
we don't configure ttlSecondsAfterFinished,
backoffLimit, why do we need to configure it? let's use some default value for instance 5.
There was a problem hiding this comment.
Just for case when we need to start a job in different than Che namespace.
There was a problem hiding this comment.
We indeed don't configure ttlSecondsAfterFinished so I may leave it with default value. As for backoffLimit, to me it may vary for different jobs, so I left it configurable. I would like to use some default values, but golang doesn't provide such ability.
|
|
@tolusha thanks. It was hard to reproduce the issue. So actually the only way I can see it is to:
This looks like artificial for me, but better to fix it. I can do it, when you let me know your thought about proposed approach. |
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
…oCluster. Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
mmorhun
force-pushed
the
che-16546
branch
2 times, most recently
from
af1c15f
to
e3625c0
Compare
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun mmorhun@redhat.com
What this PR does
This PR adds checks into Che Operator reconcile loop for required for Che deployment TLS secrets on Kubernetes infrastructure, and if they are absent, it starts job to generate them.
Which issues this PR fixes or references
eclipse-che/che#16546
How to test
chectl:local-debug.sh:Copy default CR, and change following fields: