-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MON-3701: clean-up injection of trusted CA bundle for main Alertmanager #2310
MON-3701: clean-up injection of trusted CA bundle for main Alertmanager #2310
Conversation
simonpasquier
commented
Apr 10, 2024
•
edited
Loading
edited
- I added CHANGELOG entry for this change.
- No user facing changes, so no entry in CHANGELOG was needed.
@simonpasquier: This pull request references MON-3701 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
820f3d8
to
fc13b53
Compare
/retest-required |
1 similar comment
/retest-required |
/skip |
fc13b53
to
b39666c
Compare
/test e2e-aws-ovn-upgrade |
CMO needed to inject the hashed version of the trusted CA bundle ConfigMap into the Alertmanager resource when OAuth proxy was used because it couldn't detect updates to the bundle and reload it. The trusted CA bundle is still required to be mounted into the pod for the Alertmanager container but it is declared directly in the static manifest instead of being injected at runtime by CMO since Alertmanager reloads the CA whenever it changes. Signed-off-by: Simon Pasquier <spasquie@redhat.com>
b39666c
to
ca92ea3
Compare
/skip |
@simonpasquier: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/skip |
/hold |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold cancel
factory: t.factory, | ||
prefix: "alertmanager", | ||
} | ||
trustedCA, err = cbs.syncTrustedCABundle(ctx, trustedCA) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool that we're simplifying code like this.
I had a question about a similar practice (generating secrets with hashes...) here #2293 (comment)
and it'd be great if we can get rid of the logic there as well and only use the "secret/config hash on Deployment's template" approach as simpler.
I have a question about the root CA hot-reloading though, I know KRP supports that, but I think it only concerns --tls-cert-file
and --tls-private-key-file
, I think root CA from /etc/pki/ca-trust/extracted/pem/
etc. are managed by Go itself (in the case of KRP) and according to golang/go#41888 they're not reloaded.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kube-rbac-proxy doesn't rely on the cluster CA bundle. Here is the CA bundle is mounted into the Alertmanager container because it may be configured to send notifications to 3rd party services that use certificates generated by the cluster CA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok. I don't know if alertmanager supports hot-reloading then.
/hold |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: machine424, simonpasquier The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
8dc9c77
into
openshift:master