-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automate TLS secrets generation for Kubernetes family infrastructures #220
Conversation
pkg/controller/che/che_controller.go
Outdated
@@ -265,6 +265,14 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e | |||
} | |||
} | |||
|
|||
// Handle Che TLS certificates on Kubernetes like infrastructures | |||
if instance.Spec.Server.TlsSupport && instance.Spec.Server.SelfSignedCert && !isOpenShift { | |||
shouldReturn, reconsileResult, err := HandleCheTLSSecrets(instance, r) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we return something like status structure?
Something like this
https://github.com/eclipse/che-operator/blob/master/pkg/deploy/deployment.go#L42
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Theoretically we can, but I am against it. We need to return 3 values from the method and we can do it using embedded in the golang mechanism. Why do we need to introduce new abstraction then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should be consistent in the implementations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 About consistent implementation
pkg/controller/che/create.go
Outdated
@@ -132,6 +133,29 @@ func (r *ReconcileChe) CreateNewRoleBinding(instance *orgv1.CheCluster, roleBind | |||
return nil | |||
} | |||
|
|||
// CreateNewJob deploys new instance of given job | |||
func (r *ReconcileChe) CreateNewJob(instance *orgv1.CheCluster, job *batchv1.Job) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Create a syncJobToCluster
function with the same logic as for pvc, ingress, route ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is better to keep ability to create an object (in our case job) configuration and then separately flush it to cluster. Because we want to have universal methods, but we never know for sure which aspects of it we may want to change in the future. Changing the sync* method signature is not good as it will affect other consumers. Updating object in runtime is worse or even impossible.
I may move this method into job.go
and rename it to match sync*
pattern, but I don't want to loose the flexibility here.
pkg/controller/che/tls-secrets.go
Outdated
var shouldReturn = true | ||
|
||
// HandleCheTLSSecrets handles TLS secrets required for Che deployment | ||
func HandleCheTLSSecrets(checluster *orgv1.CheCluster, r *ReconcileChe) (bool, reconcile.Result, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's return status like this
https://github.com/eclipse/che-operator/blob/master/pkg/deploy/deployment.go#L42
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, please see my answer above. Moreover, inside internal function we behave the same as in reconcile loop.
Interesting, some day maybe we will have tls generation from the box https://github.com/operator-framework/operator-sdk/blob/master/doc/proposals/tls-utilities.md |
@AndrienkoAleksandr I've already seen that. Unfortunately current functionality they provide has only basic stuff which doesn't suite our needs. But thanks for commenting. |
pkg/deploy/job.go
Outdated
// NewJob creates new job configuration by giben parameters. | ||
func NewJob(checluster *orgv1.CheCluster, name string, namespace string, image string, serviceAccountName string, env map[string]string, backoffLimit int32) *batchv1.Job { | ||
labels := GetLabels(checluster, util.GetValue(checluster.Spec.Server.CheFlavor, DefaultCheFlavor)) | ||
labels["component"] = "che-create-tls-secret-job" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would keep `che component
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not possible due to conflicts with Che master. All Che related pods have lebel app=che
including this job.
pkg/deploy/job.go
Outdated
} | ||
|
||
// NewJob creates new job configuration by giben parameters. | ||
func NewJob(checluster *orgv1.CheCluster, name string, namespace string, image string, serviceAccountName string, env map[string]string, backoffLimit int32) *batchv1.Job { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can get namespace from checluster, not needed to pass it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't configure ttlSecondsAfterFinished,
backoffLimit, why do we need to configure it? let's use some default value for instance 5.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for case when we need to start a job in different than Che namespace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We indeed don't configure ttlSecondsAfterFinished
so I may leave it with default value. As for backoffLimit
, to me it may vary for different jobs, so I left it configurable. I would like to use some default values, but golang doesn't provide such ability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested, works Good.
|
@tolusha thanks. It was hard to reproduce the issue. So actually the only way I can see it is to:
This looks like artificial for me, but better to fix it. I can do it, when you let me know your thought about proposed approach. |
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
…oCluster. Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
af1c15f
to
e3625c0
Compare
Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
Signed-off-by: Mykola Morhun mmorhun@redhat.com
What this PR does
This PR adds checks into Che Operator reconcile loop for required for Che deployment TLS secrets on Kubernetes infrastructure, and if they are absent, it starts job to generate them.
Which issues this PR fixes or references
eclipse-che/che#16546
How to test
chectl
:local-debug.sh
:Copy default CR, and change following fields: