-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move mutable configmaps out of deployment manifest #1983
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1983 +/- ##
==========================================
+ Coverage 60.10% 66.78% +6.68%
==========================================
Files 197 197
Lines 17217 17259 +42
==========================================
+ Hits 10348 11527 +1179
+ Misses 5762 4543 -1219
- Partials 1107 1189 +82
Flags with carried forward coverage won't be shown. Click here to find out more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about flow-aggregator-ca?
if !errors.IsNotFound(err) { | ||
return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err) | ||
} | ||
caConfigMap, err = c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Create(context.TODO(), c.createConfigMap(caConfigMapNamespace), metav1.CreateOptions{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why don't create the configmap with the desired content directly which can avoid an extra call?
Also feel there is no need to have another method to construct a configmap, it's just one line code that is not shared by others.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you plan to cover flow-aggregator-ca as @antoninbas suggested?
Yes. I'm working on it. |
1b96532
to
3a99782
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall
Namespace: a.clusterIdentityConfigMapNamespace, | ||
}, | ||
Data: map[string]string{}, | ||
BinaryData: map[string][]byte{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to specify the two fields if they are not set
pkg/flowaggregator/certificate.go
Outdated
Namespace: CAConfigMapNamespace, | ||
}, | ||
Data: map[string]string{}, | ||
BinaryData: map[string][]byte{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
3a99782
to
6226657
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks
/test-all |
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
verbs: | ||
- create |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I may be missing something obvious but why don't we just add the "create" verb to the list above:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- antrea-ca
- antrea-cluster-identity
verbs:
- get
- update
- create
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wondered too, and thought maybe "create" does not work with resourceNames, but just checked and found it could. Then we should add create to the existing verb list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added "create" to this verb list and I met the error
error when creating 'kube-system/antrea-cluster-identity' ConfigMap: configmaps is forbidden: User "system:serviceaccount:kube-system:antrea-controller" cannot create resource "configmaps" in API group "" in the namespace "kube-system"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found it works. I will recommit the changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Specifying resourceNames for "create" verb doesn't work: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.
I did a test and it's consistent with the doc, how did you test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I deleted and reapplied the yaml. And I found "antrea-ca" and "antrea-cluster-identity" was not deleted. and recreated. Maybe that's why I tested it with no error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, then the current yaml makes sense.
91285dc
to
6226657
Compare
} | ||
exists = false | ||
caConfigMap = &v1.ConfigMap{ | ||
ObjectMeta: metav1.ObjectMeta{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add the label as the previous one in manifest yaml, in case we need a way to filter all antrea resources later.
Moving "antrea-ca", "antrea-cluster-identity" and "flow-aggregator-ca" out of deployment manifest. Instead creating them in the code. Fixes antrea-io#1945
6226657
to
79cc8e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/test-all |
/test-e2e |
Moving "antrea-ca" and "antrea-cluster-identity" out of deployment manifest.
Instead creating them in the code.
Fixes #1945